Problem
After rotating the SSL/TLS certificate, Terraform Enterprise fails to start.
Cause
Reviewing the Nginx logs reveals an error indicating that the private key for the new certificate is invalid or mismatched:
Generating nginx configuration
2024/09/20 12:30:25 [emerg] 73#73: cannot load certificate key "/etc/ssl/private/terraform-enterprise/key.pem": PEM_read_bio_PrivateKey() failed (SSL: error:108010C:DECODER routines::unsupported:No supported data to decode. Input type: PEM)
Attempting to check the hash of the private key file may also produce an error, confirming an issue with the key itself. Note that the pipeline still prints a hash: because openssl produced no modulus, the MD5 shown is the hash of empty input, not of the key.
$ openssl rsa -noout -modulus -in private_key.pem | openssl md5
unable to load Private Key
140099662716592:error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode:crypto/pem/pem_lib.c:943:
MD5(stdin)= d41d8cd98f00b204e9800998ecf8427e
Solution
To verify that the SSL/TLS certificate and its associated private key match, compare the MD5 hash of each file's modulus. If the two hashes are identical, the certificate and key form a valid pair.
- Generate the MD5 hash for the certificate file, such as fullchain.pem:
  $ openssl x509 -noout -modulus -in fullchain.pem | openssl md5
  MD5(stdin)= b3b8253a1e9b8e797f550f53780a8927
- Generate the MD5 hash for the private key file, such as private_key.pem:
  $ openssl rsa -noout -modulus -in private_key.pem | openssl md5
  MD5(stdin)= b3b8253a1e9b8e797f550f53780a8927
If the two commands produce the same MD5 hash, the certificate and private key match. If they differ, the key does not belong to this certificate, and you must provide the matching private key for the certificate to resolve the startup failure.
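The same modulus comparison, wrapped in a small POSIX shell function, as an added example that is not part of the original article or of Terraform Enterprise. It assumes the openssl CLI is on PATH and that the certificate and key are RSA, as in the article's commands. The function checks the exit status and output of each openssl call before comparing, so an unreadable key cannot produce a false "match" (in the bare pipeline above, the pipeline's exit status is that of openssl md5, and two empty moduli hash to the same value). The fixture files it generates (cert.pem, key.pem, other.pem, broken.pem under a temporary directory) are constructed for the demo; the names tls_pair_matches and make_fixture are this example's own.

```shell
#!/bin/sh
# Added example: verify that an RSA certificate and private key belong together.
# Assumes the openssl CLI is installed. Not code from the original article.

# tls_pair_matches CERT KEY
# Returns 0 if the moduli match, 1 if they differ, 2 if either file could not
# be parsed (for example the corrupted key from the Nginx log in the article).
tls_pair_matches() {
    cert="$1"
    key="$2"
    # Capture the modulus of each file; a non-zero exit means openssl could
    # not load it, which we report separately from a plain mismatch.
    cert_mod=$(openssl x509 -noout -modulus -in "$cert") || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$key") || return 2
    # Guard against an empty modulus: hashing empty output on both sides
    # would otherwise compare equal (the d41d8cd9... MD5 of empty input).
    [ -n "$cert_mod" ] && [ -n "$key_mod" ] || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# make_fixture: build constructed test material in a temp dir and print its path:
#   cert.pem/key.pem  - a matching self-signed pair
#   other.pem         - an unrelated RSA key
#   broken.pem        - a file that is not valid PEM at all
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=tfe.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.pem" 2048 >/dev/null 2>&1
    printf 'not a pem file\n' > "$dir/broken.pem"
    echo "$dir"
}

# describe CERT KEY: human-readable wrapper around tls_pair_matches.
describe() {
    if tls_pair_matches "$1" "$2" 2>/dev/null; then
        echo "MATCH    $1 <-> $2"
    elif [ $? -eq 2 ]; then
        echo "UNREADABLE $1 / $2 (check the PEM contents)"
    else
        echo "MISMATCH $1 <-> $2"
    fi
}

demo() {
    d=$(make_fixture)
    describe "$d/cert.pem" "$d/key.pem"
    describe "$d/cert.pem" "$d/other.pem"
    describe "$d/cert.pem" "$d/broken.pem"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check_pair.sh demo` to see all three outcomes. In a real rotation, call `tls_pair_matches fullchain.pem private_key.pem` before copying the files into the Terraform Enterprise certificate directory; an exit status of 2 points at a corrupted or wrongly encoded key file rather than at the wrong key.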
Additional Information
- For more details on certificate management, refer to the article on How To Replace the TLS Certificate and Private Key.
- You may also consult the official Terraform Enterprise documentation for managing TLS certificates.