hashicorp/terraform-provider-tls

tls_self_signed_cert can't infer RSA from tls_private_key generated pem

Closed this issue · 2 comments

Terraform CLI and Provider Versions

Terraform v1.1.9
on darwin_arm64

  • provider registry.terraform.io/hashicorp/tls v3.4.0

Terraform Configuration

terraform {
  required_providers {
    # tls                        = "= 3.1" # Works
    # BUG: error creating certificate: x509: provided PrivateKey doesn't match parent's PublicKey
    tls                        = "= 3.4" # Does not work
  }
  required_version             = "~> 1.0"
}

resource tls_private_key root_cert {
  algorithm                    = "RSA"
  rsa_bits                     = "2048"
}

resource tls_self_signed_cert root_cert {
  allowed_uses                 = [
                                "cert_signing",
                                "client_auth",
                                "digital_signature",
                                "key_encipherment",
                                "server_auth",
  ]
  early_renewal_hours          = 200
  is_ca_certificate            = true
  key_algorithm                = tls_private_key.root_cert.algorithm
  private_key_pem              = tls_private_key.root_cert.private_key_pem
  subject {
    common_name                = var.root_cert_common_name
    organization               = var.organization
  }
  validity_period_hours        = 8766 # 1 year
}

resource tls_private_key client_cert {
  algorithm                    = "RSA"
  rsa_bits                     = "2048"
}

resource tls_cert_request client_cert {
  key_algorithm                = tls_private_key.client_cert.algorithm
  private_key_pem              = tls_private_key.client_cert.private_key_pem
  subject {
    common_name                = var.client_cert_common_name
    organization               = var.organization
  }
}

# BUG: In tls provider 3.2-3.4
#      error creating certificate: x509: provided PrivateKey doesn't match parent's PublicKey
#      Problem inferring key algorithm?
resource tls_locally_signed_cert client_cert {
  allowed_uses                 = [
                                "key_encipherment",
                                "digital_signature",
                                "server_auth",
                                "client_auth",
  ]
  ca_cert_pem                  = tls_self_signed_cert.root_cert.cert_pem
  ca_key_algorithm             = tls_private_key.client_cert.algorithm
  ca_private_key_pem           = tls_private_key.client_cert.private_key_pem
  cert_request_pem             = tls_cert_request.client_cert.cert_request_pem
  is_ca_certificate            = true
  validity_period_hours        = 43800
}

Expected Behavior

tls 3.1:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tls_private_key.root_cert: Creating...
tls_private_key.client_cert: Creating...
tls_private_key.client_cert: Creation complete after 0s [id=50303734d62f32ae3d91db34f32730e251e759b1]
tls_private_key.root_cert: Creation complete after 0s [id=3c609511f0414ec0cfb149add8cbb8ac3fcf49b6]
tls_cert_request.client_cert: Creating...
tls_self_signed_cert.root_cert: Creating...
tls_cert_request.client_cert: Creation complete after 0s [id=b56634cf08f471a53883709266bd0376feffd1b8]
tls_self_signed_cert.root_cert: Creation complete after 0s [id=39866038069176733136304060998575903964]
tls_locally_signed_cert.client_cert: Creating...
tls_locally_signed_cert.client_cert: Creation complete after 0s [id=272460349592287067556122483284428943594]

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

Actual Behavior

tls 3.4:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tls_private_key.client_cert: Creating...
tls_private_key.root_cert: Creating...
tls_private_key.root_cert: Creation complete after 1s [id=39afbb9e4e926cb34a8579e024430aa0edf15f62]
tls_self_signed_cert.root_cert: Creating...
tls_self_signed_cert.root_cert: Creation complete after 0s [id=247063103537152762519181184685657872400]
tls_private_key.client_cert: Creation complete after 1s [id=c57db8105813a70c6d738a5a505c368d93a3f783]
tls_cert_request.client_cert: Creating...
tls_cert_request.client_cert: Creation complete after 0s [id=052526d128a478a37510c7636df40d6ba8181862]
tls_locally_signed_cert.client_cert: Creating...
╷
│ Warning: Argument is deprecated
│ 
│   with tls_self_signed_cert.root_cert,
│   on main.tf line 16, in resource "tls_self_signed_cert" "root_cert":
│   16:   key_algorithm                = tls_private_key.root_cert.algorithm
│ 
│ This is now ignored, as the key algorithm is inferred from the `private_key_pem`.
│ 
│ (and 2 more similar warnings elsewhere)
╵
╷
│ Error: error creating certificate: x509: provided PrivateKey doesn't match parent's PublicKey
│ 
│   with tls_locally_signed_cert.client_cert,
│   on main.tf line 42, in resource "tls_locally_signed_cert" "client_cert":
│   42: resource tls_locally_signed_cert client_cert {
│ 
╵

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

Please fix the infer method or re-enable properties that let me do it explicitly (and are now ignored). For now, I pinned to 3.1.


Never mind, this line fixed it:

ca_private_key_pem           = tls_private_key.root_cert.private_key_pem

It took the wrong key before, hence the error. I'll close the issue.
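The error text comes from Go's crypto/x509, which the provider calls into to sign the certificate. This added example (not the provider's or the reporter's code; newTemplate, KeyMatchesCert and Reproduce are names chosen here) reproduces the failure stand-alone: a client certificate signed under the root certificate with the client's own key is refused, while the root key succeeds, and KeyMatchesCert shows the pre-flight comparison that catches the wrong ca_private_key_pem before any signing happens.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal, subject-less certificate template; isCA marks it as a signing CA.
func newTemplate(isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
}

// KeyMatchesCert is the pre-flight check the error implies: the signing key's public half must equal the CA cert's key.
func KeyMatchesCert(ca *x509.Certificate, key *rsa.PrivateKey) bool {
	pub, ok := ca.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// Reproduce builds a root CA and a client key, then signs the client cert twice: with the client key
// (the issue's mis-referenced ca_private_key_pem) and with the root key; crypto/x509 rejects the first.
func Reproduce() (matchWrong, matchRight bool, errWrong, errRight error) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway keys for the demonstration
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rootTmpl := newTemplate(true)
	der, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return false, false, err, err
	}
	rootCert, _ := x509.ParseCertificate(der) // parsed cert carries PublicKey, which the signer checks against
	clientTmpl := newTemplate(false)
	_, errWrong = x509.CreateCertificate(rand.Reader, clientTmpl, rootCert, &clientKey.PublicKey, clientKey)
	_, errRight = x509.CreateCertificate(rand.Reader, clientTmpl, rootCert, &clientKey.PublicKey, rootKey)
	return KeyMatchesCert(rootCert, clientKey), KeyMatchesCert(rootCert, rootKey), errWrong, errRight
}

func main() {
	mw, mr, ew, er := Reproduce()
	fmt.Printf("client key as CA key: match=%t err=%v\nroot key as CA key:   match=%t err=%v\n", mw, ew, mr, er)
}
```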

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.