Trouble enabling TLS with a self-signed, password-protected certificate

Using vault v1.8.1. I generated a certificate via the following:

openssl req -x509 -newkey rsa:4096 -keyout vault-server-cert-key.pem -out vault-server-cert.pem -days 365

and updated my config.hcl as follows:

listener "tcp" {
  address     = ""
  tls_disable = "false"
  tls_cert_file = "/path/to/vault-config/ssl/vault-server-cert.pem"
  tls_key_file = "/path/to/vault-config/ssl/vault-server-cert-key.pem"

When I start the server (under the same user), it exits with:

Error parsing listener configuration.
Error initializing listener of type tcp: error loading TLS cert: tls: failed to parse private key

I’ve found instances of a couple of others raising this same issue, but they always resolved it by removing password protection from the private key via -nodes. I was wondering if there’s some way to resolve this while retaining password protection.

I have this come up once before and the result was the same, remove the password but I also found this: Run vault as a service with password protected private key · Issue #3844 · hashicorp/vault · GitHub so try it and see if it works.

That person is having a different issue (he wanted to provide the password via a method other than tty)