Introduction
Terraform Enterprise can fail to start after its SSL/TLS certificate is rotated. This article shows how to verify that the certificate and private key are correct when rotating them in Terraform Enterprise.
Scenario
After configuring new certificates in Terraform Enterprise, it fails to start.
In reviewing the Nginx logs, the following error may be present. It indicates that the recently updated certificate/key pair is not accepted by Terraform Enterprise.
Generating nginx configuration
2024/09/20 12:30:25 [emerg] 73#73: cannot load certificate key "/etc/ssl/private/terraform-enterprise/key.pem": PEM_read_bio_PrivateKey() failed (SSL: error:108010C :DECODER routines: unsupported:No supported data to decode. Input type: PEM)
Solution
The error in the Nginx logs indicates that there is an issue with the private key.
- Checking the hash of the key.pem file returns the following error:
[tfe ]$ openssl rsa -noout -modulus -in private_key.pem | openssl md5
unable to load Private Key
140099662716592:error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode: crypto/pem/pem_lib.c:943:
MD5(stdin)= d41d8cd98f00b204e9800998ecf8427e
- To identify the issue, run the following commands on the certificate and key files:
[tfe ]$ openssl x509 -noout -modulus -in fullchain.pem | openssl md5
MD5(stdin)= b3b8253a1e9b8e797f550f53780a8927
[tfe ]$ openssl rsa -noout -modulus -in private_key.pem | openssl md5
MD5(stdin)= b3b8253a1e9b8e797f550f53780a8927
In summary, the command sequence above checks whether the certificate and its associated private key match by comparing the MD5 hash of each one's modulus. If the certificate and the private key produce the same MD5 hash, they use the same public key and match.
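The script below is an added example, not part of the original article or of Terraform Enterprise. It wraps the check above so that an unreadable key is reported as such instead of yielding a digest of empty input, and it goes beyond the RSA-only modulus comparison by comparing the public keys directly. The function names, return codes and the generated sample files (including the name tfe.example.test) are assumptions made for illustration.

```bash
# Added example, not from the original article. Sample files are constructed.
# Return codes: 0 match, 1 mismatch, 2 key unreadable, 3 certificate unreadable.
check_cert_key_pair() {
    local cert key cert_pub key_pub
    cert=$1; key=$2

    # Parse the key first and stop on failure. Piped straight into a digest,
    # a failed parse still prints a hash (of empty input), which hides the error.
    if ! key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null); then
        echo "FAIL: cannot parse private key $key" >&2
        return 2
    fi

    # x509 reads only the first certificate in the file, so the leaf
    # certificate must come first in a full-chain bundle.
    if ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "FAIL: cannot parse certificate $cert" >&2
        return 3
    fi

    # Compare the public keys themselves; unlike the RSA modulus, this check
    # also works for non-RSA keys.
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $key does not belong to $cert" >&2
        return 1
    fi
    echo "OK: $key matches $cert"
}

# Build a throwaway directory of constructed test material: a matching pair,
# an unrelated key, and a copy of the good key with a damaged base64 body.
make_samples() {
    local dir
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=tfe.example.test" \
        -keyout "$dir/private_key.pem" -out "$dir/fullchain.pem" 2>/dev/null || return 1
    openssl genrsa -out "$dir/other_key.pem" 2048 2>/dev/null || return 1
    # Line 2 is the first base64 line; '!' is not a valid base64 character.
    sed '2s/^..../!!!!/' "$dir/private_key.pem" > "$dir/damaged_key.pem"
    echo "$dir"
}

# Run against real files when called with two arguments: <certificate> <key>.
if [ "$#" -eq 2 ]; then check_cert_key_pair "$1" "$2"; fi
```

Run the check on the new files before placing them where Terraform Enterprise reads them, and treat any non-zero return code as a reason not to proceed with the rotation.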
Additional Information