tls_self_signed_cert can't infer RSA from tls_private_key generated pem
Closed this issue · 2 comments
geekzter commented
Terraform CLI and Provider Versions
Terraform v1.1.9
on darwin_arm64
- provider registry.terraform.io/hashicorp/tls v3.4.0
Terraform Configuration
```hcl
terraform {
  required_providers {
    # tls = "= 3.1" # Works
    # BUG: error creating certificate: x509: provided PrivateKey doesn't match parent's PublicKey
    tls = "= 3.4" # Does not work
  }
  required_version = "~> 1.0"
}

resource tls_private_key root_cert {
  algorithm = "RSA"
  rsa_bits  = "2048"
}

resource tls_self_signed_cert root_cert {
  allowed_uses = [
    "cert_signing",
    "client_auth",
    "digital_signature",
    "key_encipherment",
    "server_auth",
  ]
  early_renewal_hours = 200
  is_ca_certificate   = true
  key_algorithm       = tls_private_key.root_cert.algorithm
  private_key_pem     = tls_private_key.root_cert.private_key_pem
  subject {
    common_name  = var.root_cert_common_name
    organization = var.organization
  }
  validity_period_hours = 8766 # 1 year
}

resource tls_private_key client_cert {
  algorithm = "RSA"
  rsa_bits  = "2048"
}

resource tls_cert_request client_cert {
  key_algorithm   = tls_private_key.client_cert.algorithm
  private_key_pem = tls_private_key.client_cert.private_key_pem
  subject {
    common_name  = var.client_cert_common_name
    organization = var.organization
  }
}

# BUG: In tls provider 3.2-3.4
# error creating certificate: x509: provided PrivateKey doesn't match parent's PublicKey
# Problem inferring key algorithm?
resource tls_locally_signed_cert client_cert {
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
    "client_auth",
  ]
  ca_cert_pem        = tls_self_signed_cert.root_cert.cert_pem
  ca_key_algorithm   = tls_private_key.client_cert.algorithm
  ca_private_key_pem = tls_private_key.client_cert.private_key_pem
  cert_request_pem   = tls_cert_request.client_cert.cert_request_pem
  is_ca_certificate  = true
  validity_period_hours = 43800
}
```
Expected Behavior
tls 3.1:

```text
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tls_private_key.root_cert: Creating...
tls_private_key.client_cert: Creating...
tls_private_key.client_cert: Creation complete after 0s [id=50303734d62f32ae3d91db34f32730e251e759b1]
tls_private_key.root_cert: Creation complete after 0s [id=3c609511f0414ec0cfb149add8cbb8ac3fcf49b6]
tls_cert_request.client_cert: Creating...
tls_self_signed_cert.root_cert: Creating...
tls_cert_request.client_cert: Creation complete after 0s [id=b56634cf08f471a53883709266bd0376feffd1b8]
tls_self_signed_cert.root_cert: Creation complete after 0s [id=39866038069176733136304060998575903964]
tls_locally_signed_cert.client_cert: Creating...
tls_locally_signed_cert.client_cert: Creation complete after 0s [id=272460349592287067556122483284428943594]

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
```
Actual Behavior
tls 3.4:

```text
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tls_private_key.client_cert: Creating...
tls_private_key.root_cert: Creating...
tls_private_key.root_cert: Creation complete after 1s [id=39afbb9e4e926cb34a8579e024430aa0edf15f62]
tls_self_signed_cert.root_cert: Creating...
tls_self_signed_cert.root_cert: Creation complete after 0s [id=247063103537152762519181184685657872400]
tls_private_key.client_cert: Creation complete after 1s [id=c57db8105813a70c6d738a5a505c368d93a3f783]
tls_cert_request.client_cert: Creating...
tls_cert_request.client_cert: Creation complete after 0s [id=052526d128a478a37510c7636df40d6ba8181862]
tls_locally_signed_cert.client_cert: Creating...
╷
│ Warning: Argument is deprecated
│
│   with tls_self_signed_cert.root_cert,
│   on main.tf line 16, in resource "tls_self_signed_cert" "root_cert":
│   16:   key_algorithm = tls_private_key.root_cert.algorithm
│
│ This is now ignored, as the key algorithm is inferred from the `private_key_pem`.
│
│ (and 2 more similar warnings elsewhere)
╵
╷
│ Error: error creating certificate: x509: provided PrivateKey doesn't match parent's PublicKey
│
│   with tls_locally_signed_cert.client_cert,
│   on main.tf line 42, in resource "tls_locally_signed_cert" "client_cert":
│   42: resource tls_locally_signed_cert client_cert {
│
╵
```
Steps to Reproduce
terraform apply
How much impact is this issue causing?
Medium
Logs
No response
Additional Information
Please fix the infer method or re-enable properties that let me do it explicitly (and are now ignored). For now, I pinned to 3.1.
geekzter commented
Never mind, this line fixed it:

```hcl
ca_private_key_pem = tls_private_key.root_cert.private_key_pem
```

It took the wrong key before, hence the error. I'll close the issue.
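The root cause the thread lands on is a key/certificate mismatch, not an inference bug: `ca_private_key_pem` pointed at the client key while `ca_cert_pem` carried the root certificate, and Go's `x509.CreateCertificate` (which the tls provider calls) refuses exactly that combination. The following is an added Go example written for this page, not the provider's code; it reproduces the check behind the error and adds the pre-flight comparison you would want before signing. Function names (`newCA`, `caKeyMatches`, `signLeaf`), subjects, serials and keys are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA mirrors tls_self_signed_cert with is_ca_certificate = true (constructed CA).
func newCA(key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "root-cert"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(8766 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caKeyMatches is the pre-flight check: the key passed as ca_private_key_pem must be the CA cert's own key.
func caKeyMatches(ca *x509.Certificate, caKey *rsa.PrivateKey) bool {
	pub, ok := ca.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&caKey.PublicKey)
}

// signLeaf mirrors tls_locally_signed_cert: caKey is ca_private_key_pem, leafPub the CSR's key.
func signLeaf(ca *x509.Certificate, caKey *rsa.PrivateKey, leafPub *rsa.PublicKey) error {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client-cert"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(43800 * time.Hour),
	}
	_, err := x509.CreateCertificate(rand.Reader, tmpl, ca, leafPub, caKey)
	return err // "x509: provided PrivateKey doesn't match parent's PublicKey" on mismatch
}

func main() {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca, _ := newCA(rootKey)
	// Issue's config (client key as ca_private_key_pem), then the thread's fix (root key).
	fmt.Println(caKeyMatches(ca, clientKey), signLeaf(ca, clientKey, &clientKey.PublicKey))
	fmt.Println(caKeyMatches(ca, rootKey), signLeaf(ca, rootKey, &clientKey.PublicKey))
}
```

The same comparison can be done outside Go with `openssl x509 -noout -pubkey` on the CA certificate and `openssl pkey -pubout` on the candidate key, diffing the two outputs.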
github-actions commented
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.