TFE Startup Issues Due to Password-Protected TLS/SSL Private Key

Avatar
Stephen Bui
  • Updated

Issue Overview

Terraform Enterprise (TFE) may fail to start or show a 502 Bad Gateway error due to a password-protected TLS/SSL private key being used for the server certificate. This issue commonly occurs when the private key is protected by a passphrase, which Terraform Enterprise cannot handle.

Symptoms

NGINX Log Requesting Passphrase:
In the NGINX logs, you may see a request for the PEM passphrase, indicating that Terraform Enterprise is attempting to use a password-protected private key. For example:

Enter PEM pass phrase:

Docker: The container starts, but the UI shows a 502 Bad Gateway error.

curl https://tfe.customer.com/_health_check
<html>
  <head><title>502 Bad Gateway</title></head>
  <body>
    <center><h1>502 Bad Gateway</h1></center>
  </body>
</html>

Kubernetes: The pod fails to come online, often due to the readiness probe failure:

Warning Unhealthy ... kubelet Readiness probe failed: Get "http://172.10.1.155:8080/_health_check": dial tcp 172.10.1.155:8080: connect: connection refused

Note for Kubernetes Deployments:
If TLS keys are provided via Kubernetes secrets, make sure the tls.key value is base64-encoded from the decrypted private key. If the encrypted key was mistakenly encoded, TFE will fail to start due to an invalid certificate configuration.

Cause of the Issue

Terraform Enterprise cannot use a private key that is protected by a passphrase. This issue typically occurs when the TLS certificate is created without the -nodes option, which is necessary to allow the private key to be used without a passphrase.

For reference, this behavior is documented in the Terraform Enterprise TLS Certificate Preparation Guide.

Suggested Resolution

To resolve this issue, you need to decrypt the private key used in the TLS certificate to remove the passphrase protection.

Steps to Fix

  1. Decrypt the Private Key: Use OpenSSL to decrypt the private key. Run the following command:

    openssl rsa -in <encrypted_private.key> -out <decrypted_private.key>

    You will be prompted to enter the passphrase for the encrypted key. Once completed, the decrypted key will be written to <decrypted_private.key>.

  2. Replace the Encrypted Key: Replace the existing password-protected private key with the decrypted version in your TFE deployment.

  3. Restart Terraform Enterprise: Once the key has been replaced, restart your TFE instance to apply the changes.

  4. Verify the Fix: After applying the decrypted key, try accessing the TFE UI again to verify that the 502 Bad Gateway error is resolved.

Additional References

Articles in this section