Why am I getting "failed to retrieve authentication checksums" errors when running OpenTofu plans?

Last updated: July 22, 2025

Context

When running OpenTofu plans, you may encounter errors related to provider authentication checksums, particularly with messages like "failed to retrieve authentication checksums for provider" when OpenTofu attempts to download provider files from objects.githubusercontent.com.

Answer

This error occurs when OpenTofu is unable to successfully download provider checksum files from GitHub's content delivery network (objects.githubusercontent.com). The most common cause is when a proxy or firewall terminates the TLS session during the download attempt.

To resolve this issue:

  1. Ensure that your network allows connections to objects.githubusercontent.com

  2. If you're using a proxy or firewall:

    • Add objects.githubusercontent.com to the allowlist

    • Configure the proxy to not intercept TLS connections to this domain

    • Ensure the proxy isn't terminating the TLS session prematurely

  3. If using private workers, verify that they have proper network access to GitHub's CDN

The error message typically includes "read: connection reset by peer" which indicates that the connection was interrupted during the download process.

Source: Support Documentation