Introduction
Problem
SAML/SSO login to Terraform Enterprise is broken after upgrade to TFE version 202410-1.
The following error can be seen in the support bundle, in the atlas container logs:
OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key)
Prerequisites (if applicable)
- SAML/SSO enabled
- TFE v202410-1
Cause
- On the SAML Settings UI page, the Private Key field was configured with a private key at some earlier point, and that key is still present in the configuration even though the field appears empty (the value is hidden in the UI).
Generally, the error message OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key) points to a certificate misconfiguration: the configured key material cannot be parsed as either a public or a private RSA key.
Solution
The solution is to identify and remove the private key from the SAML/SSO settings in TFE using the Rails console.
Steps to verify if you have a private key configured by accident for TFE FDO on Kubernetes:
- log in to your container (NOTE: adjust the commands below to match the type of installation in your environment)
kubectl exec -n terraform-enterprise -it <pod_name> -- bash
- execute the command
tfectl support console
- execute the query to get all SAML settings
AdminSettings::Saml.all
- this should show something like the following for private_key_encrypted
private_key_encrypted:
"vault:v1:CFrA4RVauQeD6W0jd19l445pe5AprDifQ1nkYe6Pkr9B07CSvL...o/uDl652da3",
- if that is the case, go to the SAML Settings admin page at https://<tfe-fqdn>/app/admin/saml, put a space in the Private key field and save
- run the query AdminSettings::Saml.all again in tfectl support console and confirm that the Private Key has been removed and is empty:
AdminSettings::Saml.all
private_key_encrypted: "",
- restart TFE for the new configuration to become active
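The two checks above can be scripted. The following Ruby example is added here and is not part of the original article or of Terraform Enterprise: it takes a pasted copy of the `AdminSettings::Saml.all` console output (the sample dumps below are constructed, with a placeholder in place of the vault ciphertext), reports whether a private key is still configured, and shows why the logged error occurs by handing non-key material to `OpenSSL::PKey::RSA.new`, which is the call that raises `OpenSSL::PKey::RSAError`. The attribute names are taken from the article; the surrounding record layout is assumed.

```ruby
require "openssl"

# Constructed sample of the console output before the fix: the private key
# field still holds an encrypted value (placeholder ciphertext, not real data).
CONSOLE_OUTPUT_WITH_KEY = <<~OUT
  #<AdminSettings::Saml
    id: 1,
    enabled: true,
    private_key_encrypted:
     "vault:v1:PLACEHOLDER_CIPHERTEXT...",
    updated_at: "2024-10-01 00:00:00">
OUT

# Constructed sample of the console output after the key has been cleared.
CONSOLE_OUTPUT_CLEARED = <<~OUT
  #<AdminSettings::Saml
    id: 1,
    enabled: true,
    private_key_encrypted: "",
    updated_at: "2024-10-01 00:00:00">
OUT

# Extracts the private_key_encrypted value from a pasted console dump.
# The value may wrap onto the following line, as in the article, so the
# pattern tolerates whitespace and newlines after the colon. Returns nil
# when the attribute is not present at all.
def private_key_encrypted_value(console_output)
  m = console_output.match(/private_key_encrypted:\s*"([^"]*)"/)
  m && m[1]
end

# True when a private key is still stored (non-empty ciphertext).
def stale_private_key?(console_output)
  value = private_key_encrypted_value(console_output)
  !value.nil? && !value.empty?
end

# Maps the console dump to the action the article prescribes.
def saml_private_key_action(console_output)
  case private_key_encrypted_value(console_output)
  when nil then :attribute_not_found
  when ""  then :ok_private_key_empty
  else          :remove_private_key_via_admin_page
  end
end

# Reproduces the failure mode behind the logged error: anything that is not a
# PEM/DER RSA key makes OpenSSL::PKey::RSA.new raise OpenSSL::PKey::RSAError.
# Returns [:ok, key_size_in_bits] for a usable key, [:rsa_error, message] otherwise.
def load_rsa_key(material)
  key = OpenSSL::PKey::RSA.new(material)
  [:ok, key.n.num_bits]
rescue OpenSSL::PKey::RSAError => e
  [:rsa_error, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{saml_private_key_action(CONSOLE_OUTPUT_WITH_KEY)}"
  puts "after fix:  #{saml_private_key_action(CONSOLE_OUTPUT_CLEARED)}"
  status, detail = load_rsa_key("vault:v1:PLACEHOLDER_CIPHERTEXT...")
  puts "loading non-key material: #{status} (#{detail})"
end
```

Paste the real console output into `CONSOLE_OUTPUT_WITH_KEY` in place of the constructed sample to run the check against your own settings; the ciphertext itself never needs to be decrypted, since the decision depends only on whether the field is empty.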
Outcome
If the rest of your SAML/SSO configuration is correct, your login should now work properly.