Problem
Terraform Enterprise (TFE) may fail to start or return a 502 Bad Gateway error if the TLS/SSL private key used for the server certificate is password-protected. Terraform Enterprise loads the key non-interactively at startup and has no way to supply a passphrase, so it cannot process a private key that requires one.
Symptoms
You may observe one or more of the following symptoms depending on your deployment environment.
- NGINX Logs
  The NGINX logs may show a prompt for a PEM passphrase that nothing in the deployment can answer:
  Enter PEM pass phrase:
- Docker Deployments
  The container starts, but the user interface is inaccessible and returns a 502 Bad Gateway error:
  $ curl https://tfe.customer.com/_health_check
  <html> <head><title>502 Bad Gateway</title></head> <body> <center><h1>502 Bad Gateway</h1></center> </body> </html>
- Kubernetes Deployments
  The pod fails to become ready because the readiness probe fails:
  Warning Unhealthy ... kubelet Readiness probe failed: Get "http://172.10.1.155:8080/_health_check": dial tcp 172.10.1.155:8080: connect: connection refused
  Note: If you provide TLS keys via Kubernetes secrets, ensure the tls.key value is the base64-encoded string of the decrypted private key. If the encrypted key was mistakenly encoded, TFE will fail to start due to an invalid certificate configuration. Creating the secret with kubectl create secret tls <secret-name> --cert=<server.crt> --key=<decrypted_private.key> performs the base64 encoding for you, but the key file you pass must already be decrypted.
Cause
Terraform Enterprise cannot use a private key that is protected by a passphrase. This issue typically occurs when the certificate and key were generated with openssl req without the -nodes option (which disables encryption of the generated key), or when the key was created with an encryption flag such as -aes256 on openssl genrsa, so the key file on disk is encrypted and requires a passphrase every time it is loaded.
This behavior is documented in the Terraform Enterprise TLS Certificate Preparation Guide.
Solution
To resolve this issue, you must decrypt the private key to remove the passphrase protection.
- Decrypt the private key using the openssl command. You will be prompted to enter the passphrase for the encrypted key:
  $ openssl rsa -in <encrypted_private.key> -out <decrypted_private.key>
  The openssl rsa subcommand only accepts RSA keys. For an EC key use openssl ec with the same -in and -out arguments, or use openssl pkey, which handles both. The output file holds the key in plaintext, so create it with restrictive permissions (for example, chmod 600), and do not check it into version control.
- Replace the existing password-protected private key with the new decrypted key (<decrypted_private.key>) in your Terraform Enterprise deployment: the mounted key file for Docker, or the tls.key value of the Kubernetes secret.
- Restart your Terraform Enterprise instance to apply the changes.
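The following script is an added example and is not code from this article or from Terraform Enterprise. It carries the procedure above through end to end: it detects whether a PEM key is passphrase-protected without prompting (both the PKCS#8 and the traditional "Proc-Type: 4,ENCRYPTED" encodings), strips the passphrase with openssl pkey so that RSA and EC keys are handled alike, confirms the decrypted key still pairs with the server certificate, and prints the base64 value that the tls.key field of a Kubernetes secret expects. The file names, the KEY_PASSPHRASE environment variable and the fix_tfe_key function name are assumptions for this example; openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from the HashiCorp article or from Terraform Enterprise):
# detect a passphrase-protected PEM key, strip the passphrase, confirm the
# result still pairs with the server certificate, and emit the value a
# Kubernetes TLS secret expects. File names and KEY_PASSPHRASE are assumptions.
set -eu

# Encrypted keys come in two PEM encodings:
#   PKCS#8:      -----BEGIN ENCRYPTED PRIVATE KEY-----
#   traditional: -----BEGIN RSA PRIVATE KEY----- followed by a
#                "Proc-Type: 4,ENCRYPTED" header (plus DEK-Info)
# Reads PEM text on stdin; exit status 0 means the key needs a passphrase.
# Unlike 'openssl pkey -noout', this never prompts, which is exactly the
# failure mode TFE's NGINX hits at startup.
pem_is_encrypted() {
  grep -Eq -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED'
}

# Decrypt $1 into $2. 'openssl pkey' accepts RSA and EC keys ('openssl rsa'
# accepts RSA only). The passphrase comes from KEY_PASSPHRASE when set;
# otherwise openssl prompts for it. The output is plaintext, so the subshell
# umask ensures the file is created with mode 0600.
decrypt_key() {
  in="$1"; out="$2"
  (
    umask 077
    if [ -n "${KEY_PASSPHRASE:-}" ]; then
      openssl pkey -in "$in" -out "$out" -passin env:KEY_PASSPHRASE
    else
      openssl pkey -in "$in" -out "$out"
    fi
  )
}

# Exit 0 when the public key derived from key $1 equals the one in cert $2,
# i.e. the decrypted key really belongs to the certificate TFE will serve.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# tls.key value for a kubernetes.io/tls Secret: base64 of the *decrypted* PEM
# on one line ('tr' rather than 'base64 -w0' so it also works on macOS/BSD).
k8s_tls_key_value() {
  base64 < "$1" | tr -d '\n'
}

# Usage: fix_tfe_key <encrypted_private.key> <decrypted_private.key> <server.crt>
fix_tfe_key() {
  enc="$1"; dec="$2"; cert="$3"
  if pem_is_encrypted < "$enc"; then
    decrypt_key "$enc" "$dec"
  else
    echo "$enc has no passphrase; copying as-is" >&2
    (umask 077; cp "$enc" "$dec")
  fi
  if pem_is_encrypted < "$dec"; then
    echo "$dec is still encrypted; decryption failed" >&2
    return 1
  fi
  if ! key_matches_cert "$dec" "$cert"; then
    echo "$dec does not match $cert; do not deploy it" >&2
    return 1
  fi
  echo "tls.key: $(k8s_tls_key_value "$dec")"
}

# Run only when the three file names are given, so the file can also be sourced.
if [ $# -eq 3 ]; then
  fix_tfe_key "$@"
fi
```

Run it as sh fix_tfe_key.sh encrypted_private.key decrypted_private.key server.crt. For a Docker deployment, mount decrypted_private.key in place of the old key; for Kubernetes, paste the printed tls.key value into the secret (or pass the decrypted file to kubectl create secret tls). The key-to-certificate comparison is there because swapping key files is the point at which a wrong key most often gets deployed.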
Outcome
After replacing the key and restarting the instance, Terraform Enterprise should start successfully. Verify the fix by accessing the Terraform Enterprise UI in your browser and by repeating the curl request against /_health_check, which should no longer return 502 Bad Gateway; on Kubernetes, the pod should report Ready once the readiness probe passes.