elastic / package-registry

Elastic Package Registry (EPR)

EPR running on HTTPS using encrypted private key supported? #1227

Open mencl-elastic opened 1 month ago

mencl-elastic commented 1 month ago

Trying to get an EPR container deployment running in docker/podman using SSL/TLS with an encrypted private key. I know the air gapped documentation at https://www.elastic.co/guide/en/fleet/current/air-gapped.html shows how to do it with a plaintext private key, but I have not found anything for an encrypted key.

docker run -it -p 443:443 \
  -v /etc/ssl/package-registry.key:/etc/ssl/package-registry.key:ro \
  -v /etc/ssl/package-registry.crt:/etc/ssl/package-registry.crt:ro \
  -e EPR_ADDRESS=0.0.0.0:443 \
  -e EPR_TLS_KEY=/etc/ssl/package-registry.key \
  -e EPR_TLS_CERT=/etc/ssl/package-registry.crt \
  docker.elastic.co/package-registry/distribution:8.15.1

Running podman as shown results in the container starting, but then reporting:

{"log.level":"fatal","@timestamp":"2024-09-12T19:46:40.915Z","log.origin":{"function":"main.main.func1","file.name":"package-registry/main.go","file.line":162},"message":"error occurred while serving","error":{"message":"tls: failed to parse private key"},"ecs.version":"1.6.0"}

If I replace the key with a plaintext private key, the same docker/podman run executes as expected. Is there an environment variable to send the encryption key to EPR so the key may be decrypted and used as intended? EPR_TLS_KEY_PASSPHRASE??

jsoriano commented 1 month ago

Thanks for opening this issue. This is not supported at the moment. As a workaround you would need to provide a plaintext private key, or use a reverse proxy that has support for this in front of the package registry.
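The "tls: failed to parse private key" error in the log above comes from Go's crypto/tls, which never decrypts a key. As an added example (not EPR's own code), this Go pre-flight check classifies a PEM key the same way crypto/tls does, so an operator can see before starting the container whether the key must first be converted to plaintext or TLS terminated at a reverse proxy as jsoriano suggests; the function names and the sample keys are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"strings"
)

// InspectTLSKey mirrors crypto/tls, which tries the PKCS#1, PKCS#8 and EC parsers in that
// order and never decrypts, so every encrypted form ends in the error EPR logged. It returns
// "plaintext", "encrypted-legacy-pem" (openssl ec/rsa -aes256) or "encrypted-pkcs8" (openssl pkcs8).
func InspectTLSKey(pemData []byte) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	if block.Type == "ENCRYPTED PRIVATE KEY" { // PKCS#8 PBES2 envelope
		return "encrypted-pkcs8", nil
	}
	if strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") { // legacy PEM header
		return "encrypted-legacy-pem", nil
	}
	for _, parse := range []func([]byte) error{
		func(b []byte) error { _, err := x509.ParsePKCS1PrivateKey(b); return err },
		func(b []byte) error { _, err := x509.ParsePKCS8PrivateKey(b); return err },
		func(b []byte) error { _, err := x509.ParseECPrivateKey(b); return err },
	} {
		if parse(block.Bytes) == nil {
			return "plaintext", nil
		}
	}
	return "", errors.New("tls: failed to parse private key")
}

// SampleKeys returns constructed inputs: a fresh P-256 key as unencrypted PKCS#8 PEM (the form
// EPR accepts) and two encrypted-looking blocks whose bodies are not real keys, since only the
// block type and headers matter to the check.
func SampleKeys() map[string][]byte {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	junk := []byte("constructed, not a real key")
	return map[string][]byte{
		"plaintext": pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}),
		"legacy":    pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Headers: map[string]string{"Proc-Type": "4,ENCRYPTED"}, Bytes: junk}),
		"pkcs8":     pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: junk}),
	}
}
```

Run InspectTLSKey over the key file you intend to mount at EPR_TLS_KEY; anything other than "plaintext" will reproduce the fatal log line above.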