Issue Overview
Terraform Enterprise (TFE) may fail to start, or its UI may return a 502 Bad Gateway error, when the TLS/SSL private key used for the server certificate is password-protected. TFE has no way to supply the passphrase, so the key cannot be loaded.
Symptoms
NGINX Log Requesting Passphrase:
In the NGINX logs, you may see a request for the PEM passphrase, indicating that Terraform Enterprise is attempting to use a password-protected private key. For example:
Docker: The container starts, but the UI shows a 502 Bad Gateway error.
Kubernetes: The pod fails to come online, often due to the readiness probe failure:
Note for Kubernetes Deployments:
If TLS keys are provided via Kubernetes secrets, make sure the tls.key value is base64-encoded from the decrypted private key. If the encrypted key was mistakenly encoded, TFE will fail to start due to an invalid certificate configuration.
Cause of the Issue
Terraform Enterprise cannot use a private key that is protected by a passphrase. This issue typically occurs when the TLS certificate is created without the -nodes option, which is necessary to allow the private key to be used without a passphrase.
For reference, this behavior is documented in the Terraform Enterprise TLS Certificate Preparation Guide.
Suggested Resolution
To resolve this issue, you need to decrypt the private key used in the TLS certificate to remove the passphrase protection.
Steps to Fix
- Decrypt the Private Key: Use OpenSSL to decrypt the private key. Run the following command:
  You will be prompted to enter the passphrase for the encrypted key. Once completed, the decrypted key will be written to <decrypted_private.key>.
- Replace the Encrypted Key: Replace the existing password-protected private key with the decrypted version in your TFE deployment.
- Restart Terraform Enterprise: Once the key has been replaced, restart your TFE instance to apply the changes.
- Verify the Fix: After applying the decrypted key, try accessing the TFE UI again to verify that the 502 Bad Gateway error is resolved.
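The following script is an added example (not part of this article or of Terraform Enterprise) that puts the Kubernetes note and the steps above into a pre-deployment check: it classifies a PEM key on disk or inside a tls.key secret value as encrypted or plain, and removes the passphrase with openssl only when needed. The sample PEM bodies and file names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: detect passphrase-protected PEM keys before they reach TFE.
# Sample PEM bodies below are constructed and are not real key material.

# Classify PEM text passed as a string: prints encrypted, plain or unknown.
classify_key_text() {
  local pem="$1"
  # PKCS#8 encrypted keys carry the ENCRYPTED header; legacy PKCS#1/SEC1 keys
  # protected with a passphrase carry a "Proc-Type: 4,ENCRYPTED" line instead.
  if printf '%s\n' "$pem" | grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED'; then
    echo encrypted
  elif printf '%s\n' "$pem" | grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----'; then
    echo plain
  else
    echo unknown
  fi
}

# Classify a key file on disk.
classify_key_file() {
  classify_key_text "$(cat "$1")"
}

# Classify the tls.key value of a Kubernetes TLS secret (base64-encoded PEM).
# A value that does not decode, or decodes to something else, is "unknown".
classify_k8s_tls_key() {
  local pem
  if ! pem=$(printf '%s' "$1" | base64 -d 2>/dev/null); then
    echo unknown
    return 0
  fi
  classify_key_text "$pem"
}

# Strip the passphrase from an encrypted key (openssl prompts for it) and write
# the decrypted key to a new file; a key that is already plain is copied as-is.
decrypt_key_if_needed() {
  local in="$1" out="$2"
  case "$(classify_key_file "$in")" in
    encrypted) openssl pkey -in "$in" -out "$out" ;;
    plain)     cp "$in" "$out" ;;
    *)         echo "not a PEM private key: $in" >&2; return 1 ;;
  esac
}

# Constructed samples (base64 of "sample body - not a real key").
SAMPLE_PLAIN_PEM='-----BEGIN PRIVATE KEY-----
c2FtcGxlIGJvZHkgLSBub3QgYSByZWFsIGtleQ==
-----END PRIVATE KEY-----'
SAMPLE_ENCRYPTED_PEM='-----BEGIN ENCRYPTED PRIVATE KEY-----
c2FtcGxlIGJvZHkgLSBub3QgYSByZWFsIGtleQ==
-----END ENCRYPTED PRIVATE KEY-----'
```

Run `classify_k8s_tls_key "$(kubectl get secret <name> -o jsonpath='{.data.tls\.key}')"` against an existing secret; anything other than `plain` means the secret was built from the wrong file.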