Bug #20070

closed

Agent key does not work for HTTP on migrations

Added by Alexis Mousset about 3 years ago. Updated about 3 years ago.

Status: Released
Priority: N/A
Category: Packaging
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: To do
Regression:

Description

CFEngine removed the passphrase on its private key between 3.15 and 1.18:

Private keys generated by cf-key are no longer encrypted. Private key files encrypted with a broken cipher and default hard coded passphrase provide no real security, and is only an inconvenience. Maybe it was intended to add a password prompt later, but it's been 10 years now, and the cipher and passphrase remain untouched. The function which reads keys still supports both encrypted and unencrypted keys, it will decrypt if necessary.

So on 7.0 new installs, Apache can use the private key, but not with previous keys, kept when migrating from pre-7.0.

We can just remove the passphrase as a migration step to ensure Apache can read the key.

It is not a problem for the agent as all servers upgraded in 7.0 will have a 3.18 agent.
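
The migration step proposed above, sketched as an added example (not Rudder's actual fix and not code from this ticket). It detects a passphrase-protected PEM key in either the traditional or PKCS#8 form, which goes beyond the single case in the ticket, and rewrites it unencrypted. The function names, the `KEY_PASSPHRASE` variable and the final file mode are assumptions.

```shell
#!/bin/sh
# Added example; names, KEY_PASSPHRASE and the 600 mode are assumptions.

# Return 0 if the PEM private key in $1 is passphrase-protected.
key_is_encrypted() {
    # Traditional PEM: "Proc-Type: 4,ENCRYPTED" header inside the block.
    # PKCS#8 PEM: "-----BEGIN ENCRYPTED PRIVATE KEY-----" marker.
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Rewrite the key in $1 without a passphrase. No-op for unencrypted keys,
# so the step is safe to run on fresh installs and on repeated upgrades.
# Returns 2 if the passphrase is missing, 1 if decryption fails.
strip_passphrase() {
    key="$1"
    key_is_encrypted "$key" || return 0
    [ -n "${KEY_PASSPHRASE:-}" ] || { echo "KEY_PASSPHRASE not set" >&2; return 2; }

    # Temp file in the same directory so the final mv is an atomic rename;
    # mktemp creates it readable by the owner only.
    tmp="$(umask 077; mktemp "${key}.XXXXXX")" || return 1

    # Pass the passphrase through the environment, never on the command line.
    if KEY_PASSPHRASE="$KEY_PASSPHRASE" \
           openssl rsa -in "$key" -passin env:KEY_PASSPHRASE -out "$tmp" 2>/dev/null \
       && ! key_is_encrypted "$tmp"; then
        # Assumption: reapply whatever owner/group and mode the deployment
        # expects so the web server can read the key; 600 is a placeholder.
        chmod 600 "$tmp" && mv -f "$tmp" "$key"
    else
        rm -f "$tmp"    # leave the original key untouched on failure
        return 1
    fi
}
```

On failure the original key file is left in place, so the migration can report the error without locking the agent out.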
