Error creating TLS secret
Environment
- Red Hat OpenShift on AWS [ROSA] 4.x
- Red Hat OpenShift Dedicated [OSD] 4.x
- Red Hat OpenShift on Azure [ARO] 4.x
- Red Hat OpenShift Container Platform [OCP] 4.x
Issue
When creating a secret for a TLS certificate, the following error is thrown:
$ oc create secret tls <name>-tls --cert=fullchain.pem --key=privkey.pem -n <my_project>
[spec.tls.key: Invalid value: "redacted key data": unrecognized PEM block ENCRYPTED PRIVATE KEY, spec.tls.key: Invalid value: "redacted key data": tls: failed to parse private key]
Resolution
This error is caused by the private key PEM file being encrypted. To resolve the error, decrypt the private key with the following command (it prompts for the key's passphrase):
openssl rsa -in privkey.pem -out unencrypt_privkey.pem
Re-run the failed command using the new decrypted file.
The decrypted file can be deleted once the command completes successfully.
Root Cause
Private keys are stored encrypted for security reasons, but they need to be decrypted before they can be loaded as a secret into OCP.
Diagnostic Steps
View the private key PEM file used in the original command that caused the error. It will be encrypted.
-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----
After running the openssl command, the key file should indicate that it is no longer encrypted:
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
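The diagnostic step above (inspect the PEM header) and the resolution (decrypt, re-run oc, delete the plaintext copy) can be combined into one pre-flight script. The script below is an added example and is not part of the Red Hat article. It classifies the key by its PEM header, so it also catches the older OpenSSL "Proc-Type: 4,ENCRYPTED" form of encrypted key, which fails to parse in the same way. It uses openssl pkey rather than the article's openssl rsa because pkey handles EC keys as well as RSA keys; openssl must be installed, and oc must be on PATH for the final step. The argument names (key file, certificate file, secret name, namespace) are this example's own convention.

```shell
#!/bin/sh
# Pre-flight check for "unrecognized PEM block ENCRYPTED PRIVATE KEY".
# Added example, not from the Red Hat article. Assumes: openssl installed,
# oc on PATH, and arguments: <key.pem> <cert.pem> <secret-name> [namespace].
set -e

# Classify the first PEM block in a key file by its header lines.
# Prints one of: encrypted-pkcs8, encrypted-legacy, plain, unknown
pem_key_status() {
    file="$1"
    header=$(grep '^-----BEGIN ' "$file" | head -n1)
    case "$header" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            # PKCS#8 with a passphrase: the exact case in this article
            echo encrypted-pkcs8 ;;
        '-----BEGIN '*' PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----')
            # Legacy "RSA/EC PRIVATE KEY" blocks mark encryption with Proc-Type/DEK-Info headers
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
                echo encrypted-legacy
            else
                echo plain
            fi ;;
        *)
            echo unknown ;;
    esac
}

# Write a decrypted copy of the key (openssl prompts for the passphrase).
# "openssl pkey" works for RSA and EC keys; the article's "openssl rsa" is RSA-only.
decrypt_key() {
    in="$1"; out="$2"
    openssl pkey -in "$in" -out "$out"
    chmod 600 "$out"
}

# Main flow: only runs when called with arguments, so the functions above can be sourced.
if [ "$#" -ge 3 ]; then
    key="$1"; cert="$2"; name="$3"; ns="${4:-default}"
    case "$(pem_key_status "$key")" in
        encrypted-pkcs8|encrypted-legacy)
            umask 077                      # plaintext copy readable by this user only
            tmp=$(mktemp)
            trap 'rm -f "$tmp"' EXIT       # delete the plaintext copy on exit, success or failure
            decrypt_key "$key" "$tmp"
            key="$tmp" ;;
        plain)
            : ;;                           # already loadable, use as-is
        *)
            echo "no PEM private key found in $1" >&2; exit 1 ;;
    esac
    oc create secret tls "$name" --cert="$cert" --key="$key" -n "$ns"
fi
```

Run it as `sh create-tls-secret.sh privkey.pem fullchain.pem <name>-tls <my_project>`. The trap guarantees the decrypted file never outlives the command, which is the article's last step made automatic; the resulting secret still holds the key in plaintext inside the cluster, so the usual protection of secrets (RBAC on the namespace, etcd encryption) applies as for any TLS secret.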
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.