Introduction
With the introduction of Terraform Enterprise v202506-1 there is support for Redis mTLS as documented here.
Problem
When Terraform Enterprise tries to connect to a Redis environment configured with mTLS, the archivist process fails to connect.
The following error can be seen in the logs of the Terraform Enterprise container:
{"@level":"error","@message":"failed to start server","@module":"archivist","@timestamp":"2025-08-26T14:09:01.031635Z","err":"failed to create Redis client: failed to append TLS options: failed to create TLS config: failed to load client key pair: tls: private key does not match public key"}
Prerequisites
- Terraform Enterprise version <= 1.0.0
- Terraform Enterprise configured to use Redis with mTLS
Cause
This issue affects releases v202506-1, v202507-1, and 1.0.0.
In these versions, when using Terraform Enterprise with Redis and mTLS, the certificate files must include the full chain (the client certificate followed by the issuing CA certificates).
Example:
TFE_REDIS_CLIENT_CERT_PATH: /etc/ssl/private/terraform-enterprise_redis/fullchain.crt
TFE_REDIS_CA_CERT_PATH: /etc/ssl/private/terraform-enterprise_redis/fullchain.crt
volumes:
  - type: bind
    source: ./certs_redis
    target: /etc/ssl/private/terraform-enterprise_redis
Starting with version 1.0.1 (September 2025), the full chain is no longer required. The default client certificate is sufficient.
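To show why the archivist error reads "private key does not match public key" and what a full-chain client certificate file must look like, here is an added Go example; it is not Terraform Enterprise code. It builds a throwaway CA and client certificate in memory and loads them the way Go's crypto/tls does (that error text is the crypto/tls error string), on the assumption that the archivist loads the client certificate file through tls.X509KeyPair or an equivalent, so the first CERTIFICATE block in the file must be the client's own certificate, with the chain after it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// must keeps the demo short: the inputs are fixed, so these calls are not expected to fail.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newKeyAndCert: throwaway P-256 key and a cert for it, self-signed when parent is nil, else signed by parent/parentKey.
func newKeyAndCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, []byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	keyDER := must(x509.MarshalECPrivateKey(key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		must(x509.ParseCertificate(der)), key
}

// CheckClientPair does what a Go TLS client does with a client cert file and key file: every
// CERTIFICATE block is read, but the FIRST one must be the certificate that matches the key.
func CheckClientPair(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

func main() {
	caPEM, _, ca, caKey := newKeyAndCert("redis-ca", true, nil, nil)
	leafPEM, leafKey, _, _ := newKeyAndCert("tfe-client", false, ca, caKey)
	fmt.Println("leaf then CA (expect <nil>):", CheckClientPair(bytes.Join([][]byte{leafPEM, caPEM}, nil), leafKey))
	fmt.Println("CA then leaf (expect mismatch):", CheckClientPair(bytes.Join([][]byte{caPEM, leafPEM}, nil), leafKey))
}
```

The same check can be run against real files before starting the container by reading the configured cert and key paths into CheckClientPair.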
Solutions:
Upgrade to Terraform Enterprise 1.0.1 (September 2025) or later to use the default client certificate.
Workaround:
For the affected releases (v202506-1, v202507-1, and 1.0.0), use the full chain for both the client certificate and the CA certificate.
Outcome
Terraform Enterprise can connect to a Redis environment that uses mTLS.
Additional Information
Redis mTLS settings for Terraform Enterprise can be found here.