Prior to https://github.com/gravitational/teleport/pull/43381, we would gracefully handle cases where a PKCS8 encoded private key was within a `RSA PRIVATE KEY` (which usually indicates PKCS1) PEM block.

After this PR, the following error will be encountered:

```
failed to parse certificate or private key defined in assertion_key_pair\n\tx509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)
```

We probably ought to re-instate the old retry behaviour as this could cause customers to be locked out of their clusters upon an upgrade.
As to why a PKCS8 key is inside what is usually the PKCS1 header, I'm unsure. Some threads across the internet seem to suggest that this was potentially a bug/behaviour of the `openssl` CLI for some time (https://superuser.com/questions/606215/openssl-pkcs8-default-format-gives-rsa-private-key).

Workaround: Replace the `RSA PRIVATE KEY` in `assertion_key_pair` PEM header with `PRIVATE KEY`.
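
One way to implement the retry described above, as an added example that is not Teleport's code: for an `RSA PRIVATE KEY` block it tries PKCS#1 first and falls back to PKCS#8 on the same bytes. The names `parseRSAPrivateKeyPEM` and `mislabeledPKCS8` are hypothetical, and the sample key is generated at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// parseRSAPrivateKeyPEM (hypothetical, not Teleport's code) retries PKCS#1 failures as PKCS#8.
func parseRSAPrivateKeyPEM(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if block.Type == "RSA PRIVATE KEY" {
		if key, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
			return key, nil
		}
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing private key: %w", err)
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("expected an RSA key, got %T", parsed)
	}
	return key, nil
}

// mislabeledPKCS8 builds the constructed sample: PKCS#8 DER under a PKCS#1 header.
func mislabeledPKCS8() ([]byte, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), key
}

func main() {
	pemBytes, key := mislabeledPKCS8()
	got, err := parseRSAPrivateKeyPEM(pemBytes)
	fmt.Println(err == nil && got.Equal(key))
}
```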