There seems to be a problem dealing with encrypted private keys generated by openssl 1.x. The ones generated by openssl 0.9x work.
You can tell the difference in the first few lines of the file.
Works:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5C4A07D0414173B0
Doesn't work:
-----BEGIN ENCRYPTED PRIVATE KEY-----
For now the only workaround is to convert your private key to the old format:
openssl pkcs8 -in private.key -traditional -out plain.pem
openssl rsa -aes256 -in plain.pem -out encrypted.key
Remember to remove plain.pem as it is not encrypted.