Unable to run Rundeck in SSL mode


Kobi Rosenstein

Mar 30, 2020, 7:08:17 AM3/30/20
to rundeck-discuss
I posted on Stack Overflow first, as advised here, but got no answer, so I am hoping someone sees it here as well. SO question for reference:

I installed Rundeck on a new RHEL 7.7 box, using the rpm method. I can access the server just fine with http, but when I follow the directions in the docs, the server is not accessible from browsers or by curling localhost.

The only error I receive is:


WARN SslContextFactory --- [ main] No supported ciphers from [SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,...(many more ciphers)
Grails application running at https://localhost:4443 in environment: production
curl localhost:4443
curl: (35) Peer reports it experienced an internal error.


Relevant parts of the configuration files are as follows:

/etc/rundeck/profile:

RDECK_JVM="-Drundeck.jaaslogin=$JAAS_LOGIN \
           -Djava.security.auth.login.config=$JAAS_CONF \
           -Dloginmodule.name=$LOGIN_MODULE \
           -Drdeck.config=$RDECK_CONFIG \
           -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
           -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
           -Drundeck.server.serverDir=$RDECK_INSTALL \
           -Drdeck.projects=$RDECK_PROJECTS \
           -Drdeck.runlogs=$RUNDECK_LOGDIR \
           -Drundeck.config.location=$RDECK_CONFIG_FILE \
           -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
           -Drundeck.server.workDir=$RUNDECK_WORKDIR \
           -Dserver.http.port=$RDECK_HTTP_PORT \
           -Drdeck.base=$RDECK_BASE \
           -Djdk.tls.ephemeralDHKeySize=jdk8 \
           -Drundeck.rundeck.jetty.connector.ssl.excludedCipherSuites=SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_DSS_WITH_AES_128_GCM_SHA256"
#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"
#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
  RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} -Dorg.eclipse.jetty.util.ssl.LEVEL=DEBUG"
fi


/etc/sysconfig/rundeckd:


export RUNDECK_WITH_SSL=true
export RDECK_HTTPS_PORT=4443

If I add export RDECK_JVM_OPTS="-Dserver.ssl.ciphers=SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" to /etc/sysconfig/rundeckd I get the following:

[2020-03-29 09:01:51.533] WARN config --- [ main] Weak cipher suite SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 enabled for SslContextFactory@1456dec8[provider=null,keyStore=file:///etc/rundeck/ssl/keystore,trustStore=file:///etc/rundeck/ssl/truststore]
Grails application running at https://localhost:4443 in environment: production
curl: (35) Peer reports it experienced an internal error.


Other configurations:


/etc/rundeck/framework.properties:

framework.server.name = server-dns
framework.server.hostname = server-dns
framework.server.port = 4443
framework.server.url = https://server-dns
framework.rundeck.url = https://server-dns


/etc/rundeck/rundeck-config.properties:

grails.serverURL=https://server-dns:4443

The keystore and truststore exist; I have attempted both self-signed and real certs. I'm at a loss here. I followed all sorts of guides and advice from the internet, leading to my current (mis?)configuration.

Thanks in advance.


Sunil Amperayani

Mar 30, 2020, 8:00:36 AM3/30/20
to rundeck-discuss
I did the same, and the server does work, but unfortunately I get "Not Secure" when I view it from the browser.
How should I solve that?



For your query, can you try adding the config below and restarting Rundeck to see if that works?

framework.server.url = https://server-dns:4443

Try shutting down any firewall and then see if that works?

Thanks

Reiner Acuña

Mar 30, 2020, 8:47:24 AM3/30/20
to rundeck-discuss
Hi guys,

Kobi, maybe you need to reference your keystore and truststore in your /etc/rundeck/ssl/ssl.properties file?

I configured Rundeck with SSL from scratch on CentOS, and here is a little guide:

1.- install Rundeck.


yum install rundeck

2.- create keystore:

keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

2b.- in case you have your own certificate, do below:

If you have .crt and .key files, create a .p12 file:

openssl pkcs12 -export -in YOUR.crt -inkey YOUR.key -out NEW.p12

Convert it to a .jks (also if you have only the .p12 file):

keytool -importkeystore -destkeystore keystore -srckeystore NEW.p12 -srcstoretype pkcs12

3.- copy keystore as truststore.

4.- edit /etc/rundeck/ssl/ssl.properties file:

keystore=/etc/rundeck/ssl/keystore
keystore.password=password
key.password=password
truststore=/etc/rundeck/ssl/truststore
truststore.password=password

5.- edit /etc/rundeck/framework.properties file:

framework.server.port = 4443
framework.server.url = https://localhost:4443

6.- edit /etc/rundeck/rundeck-config.properties file:

grails.serverURL=https://localhost:4443

7.- edit/create /etc/sysconfig/rundeckd file:

export RUNDECK_WITH_SSL=true

8.- start the rundeck service.

systemctl start rundeck

Hi Sunil, that's happening because you're using a self-signed certificate (check steps 2 and 2b); maybe this helps you:

https://www.pico.net/kb/how-do-you-get-chrome-to-accept-a-self-signed-certificate

Hope it helps!

Kobi Rosenstein

Mar 31, 2020, 4:01:03 AM3/31/20
to rundeck-discuss
Thanks, but it still shows me this when I start rundeck:

[2020-03-31 07:58:41.294]  WARN SslContextFactory --- [           main] No supported ciphers from [SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]

Grails application running at https://localhost:4443 in environment: production

[rundeck@servername ~]$ curl https://localhost:4443

curl: (35) Peer reports it experienced an internal error.


Firewall and selinux are both disabled

Reiner Acuña

Mar 31, 2020, 8:47:23 AM3/31/20
to rundeck-discuss
Hi Kobi,

Following my steps and checking your profile file, it seems that you have a couple of lines that are not included in the default installation (check the RDECK_JVM).

Also, in your rundeckd file you're adding SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, and this protocol is defined as a disabled protocol in your profile file (in your RDECK_JVM definition).

You have more information here:

https://docs.rundeck.com/docs/administration/security/ssl.html#disabling-ssl-protocols

Just in case, I leave the default profile file if you need it:

#########
# Rundeck Profile sourced from /etc/rc.d/init.d/rundeckd
#########
#
# NOTE: DO NOT MODIFY THIS FILE
# It will be replaced when the package is upgraded and your changes will not be saved.
#
# ##################
#
# To override variables in this file, you can instead create a file at:
#
#     # Centos/Redhat default:
#
#     /etc/sysconfig/rundeckd
#
# Or
#
#     # Ubuntu/Debian default:
#
#     /etc/default/rundeckd
#
# which contains exports for any of the variables listed below. E.g.:
#
#     RUNDECK_TEMPDIR=/path/to/tmpdir
#
# That file will be sourced before this one, allowing your exports to take precedence.
#
###############

prog="rundeckd"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
[ -e /etc/default/$prog ] && . /etc/default/$prog

RDECK_INSTALL="${RDECK_INSTALL:-/var/lib/rundeck}"
RDECK_BASE="${RDECK_BASE:-/var/lib/rundeck}"
RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"
RDECK_CONFIG_FILE="${RDECK_CONFIG_FILE:-$RDECK_CONFIG/rundeck-config.properties}"
RDECK_SERVER_BASE="${RDECK_SERVER_BASE:-$RDECK_BASE}"
RDECK_SERVER_CONFIG="${RDECK_SERVER_CONFIG:-$RDECK_CONFIG}"
RDECK_SERVER_DATA="${RDECK_SERVER_DATA:-$RDECK_BASE/data}"
RDECK_PROJECTS="${RDECK_PROJECTS:-$RDECK_BASE/projects}"
RUNDECK_TEMPDIR="${RUNDECK_TEMPDIR:-/tmp/rundeck}"
RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}"
RUNDECK_LOGDIR="${RUNDECK_LOGDIR:-$RDECK_BASE/logs}"
RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server}"
RDECK_TRUSTSTORE_FILE="${RDECK_TRUSTSTORE_FILE:-$RDECK_CONFIG/ssl/truststore}"
RDECK_TRUSTSTORE_TYPE="${RDECK_TRUSTSTORE_TYPE:-jks}"
JAAS_LOGIN="${JAAS_LOGIN:-true}"
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}"
RDECK_HTTP_PORT=${RDECK_HTTP_PORT:-4440}
RDECK_HTTPS_PORT=${RDECK_HTTPS_PORT:-4443}


# If no JAVA_CMD, try to find it in $JAVA_HOME
if [ -z "$JAVA_CMD" ] && [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] ; then
  JAVA_CMD=$JAVA_HOME/bin/java
  PATH=$PATH:$JAVA_HOME/bin
  export JAVA_HOME
elif [ -z "$JAVA_CMD" ] ; then
  JAVA_CMD=java
fi

# build classpath without lone : that includes .
for jar in $(find $RDECK_INSTALL/cli -name '*.jar') ; do
  CLI_CP=${CLI_CP:+$CLI_CP:}$jar
done
for war in $(find $RDECK_INSTALL/bootstrap -name '*.war') ; do
  EXECUTABLE_WAR=$war
done


RDECK_JVM="-Drundeck.jaaslogin=$JAAS_LOGIN \
           -Djava.security.auth.login.config=$JAAS_CONF \
           -Dloginmodule.name=$LOGIN_MODULE \
           -Drdeck.config=$RDECK_CONFIG \
           -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
           -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
           -Drundeck.server.serverDir=$RDECK_INSTALL \
           -Drdeck.projects=$RDECK_PROJECTS \
           -Drdeck.runlogs=$RUNDECK_LOGDIR \
           -Drundeck.config.location=$RDECK_CONFIG_FILE \
           -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
           -Drundeck.server.workDir=$RUNDECK_WORKDIR \
           -Dserver.http.port=$RDECK_HTTP_PORT \
           -Drdeck.base=$RDECK_BASE"

#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"
#
# SSL Configuration - Uncomment the following to enable.  Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
  RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT}"
fi

unset JRE_HOME

umask 002

rundeckd="$JAVA_CMD $RDECK_JVM $RDECK_JVM_OPTS -jar $EXECUTABLE_WAR --skipinstall"

Regards!

Kobi Rosenstein

Mar 31, 2020, 9:10:43 AM3/31/20
to rundeck-discuss
Yes, I added the JVM options to try and make things work. I get the same results on a brand new VM using your steps. Here is my history output (I can post the files too, but they contain exactly what you wrote). This happens to me on all new VMs. It feels like I'm missing some critical part of the configuration steps, maybe regarding the ciphers...
[rundeck@servername ~]$ history
   26  keytool -importkeystore -destkeystore keystore -srckeystore rundeck.p12 -srcstoretype pkcs12
   27  ll /etc/rundeck/ssl
   28  ll
   29  cp keystore /etc/rundeck/ssl
   30  ll
   31  ll /etc/rundeck/ssl
   32  cp keystore /etc/rundeck/ssl/truststore
   33  sudo vim edit /etc/rundeck/ssl/ssl.properties
   34  sudo vim /etc/rundeck/ssl/ssl.properties
   35  vim /etc/rundeck/framework.properties
   36  sudo vim /etc/rundeck/rundeck-config.properties
   37  vim /etc/sysconfig/rundeckd
   38  sudo vim /etc/sysconfig/rundeckd
   39  systemctl restart rundeck
   40  sudo systemctl restart rundeck
   41  sudo systemctl restart rundeckd
   42  tail -f /var/log/rundeck/service.log
   43  curl https://localhost:4443
   44  sudo setenforce 0
   45  sudo systemctl stop firewalld
   46  curl https://localhost:4443


As for SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, as I explained in my post, I tried adding it because if I don't add it I get:
WARN SslContextFactory --- [ main] No supported ciphers from [SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,...(many more ciphers)
Grails application running at https://localhost:4443 in environment: production
curl localhost:4443
curl: (35) Peer reports it experienced an internal error.

Reiner Acuña

Mar 31, 2020, 7:36:45 PM3/31/20
to rundeck...@googlegroups.com
Hi Kobi,

Just to rule it out, which JDK version are you using? You can check by running: java -version

Regards!


From: rundeck...@googlegroups.com <rundeck...@googlegroups.com> on behalf of Kobi Rosenstein <kobiros...@gmail.com>
Sent: Tuesday, March 31, 2020 10:10:43 AM
To: rundeck-discuss <rundeck...@googlegroups.com>
Subject: [rundeck] Re: Unable to run Rundeck in SSL mode
 
--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/0a037d09-93de-4ff8-bce9-9b8d84a711da%40googlegroups.com.

Reiner Acuña Pisani
Community Support Engineer
Rundeck, Inc.


Kobi Rosenstein

Apr 1, 2020, 8:13:18 AM4/1/20
to rundeck-discuss
java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 8.0.6.5 - pxa6480sr6fp5-20200111_02(SR6 FP5))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20200108_436782 (JIT enabled, AOT enabled)
OpenJ9   - 7d1059c
OMR      - d059105
IBM      - c8aee39)
JCL - 20200110_01 based on Oracle jdk8u241-b07
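The `java -version` output above is the useful clue: it is an IBM J9 JVM, and the "No supported ciphers from [...]" warning earlier in the thread lists that JVM's cipher suites with an `SSL_` prefix, where OpenJDK names the same suites `TLS_...`. The script below is an added illustration, not code from the thread or from Rundeck: it reproduces Jetty's cipher-suite selection rule (start from the JVM's enabled suites, then drop everything matching an exclude regex, with Jetty 9.4's built-in excludes, which contain `^SSL_.*$`) on a constructed subset of the suites from the warning, once as IBM J9 names them and once as OpenJDK 8 names them. The suite lists and the `PROFILE_EXCLUDES` stand-in for the poster's `excludedCipherSuites` value are constructed samples, and the enabled set is assumed equal to the supported set.

```python
import re
from typing import List, Optional, Sequence

# Jetty 9.4 SslContextFactory's built-in exclude patterns (a fact about Jetty,
# not something the thread states). Note the third one: every suite whose
# name starts with "SSL_" is dropped after include processing.
JETTY_DEFAULT_EXCLUDES = [
    "^.*_(MD5|SHA|SHA1)$",
    "^TLS_RSA_.*$",
    "^SSL_.*$",
    "^.*_NULL_.*$",
    "^.*_anon_.*$",
]

# Constructed subset of the suites listed in the poster's warning, spelled
# the way the IBM J9 JVM reports them.
IBM_J9_SUPPORTED = [
    "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "SSL_RSA_WITH_AES_256_CBC_SHA256",
    "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

# The same suites as OpenJDK 8 names them (TLS_ prefix). Constructed.
OPENJDK_SUPPORTED = ["TLS_" + s[len("SSL_"):] for s in IBM_J9_SUPPORTED]

# The poster's /etc/rundeck/profile also lists every SSL_ suite by exact
# name in excludedCipherSuites; this constructed subset stands in for it.
PROFILE_EXCLUDES = list(IBM_J9_SUPPORTED)


def select_cipher_suites(enabled: Sequence[str], supported: Sequence[str],
                         includes: Sequence[str] = (),
                         excludes: Sequence[str] = ()) -> List[str]:
    """Mirror Jetty's SslContextFactory.selectCipherSuites().

    Start from the JVM's enabled suites or, when include patterns are set,
    from the supported suites matching them. Then drop every suite matching
    an exclude pattern. Jetty compiles each pattern with java.util.regex and
    calls Matcher.matches(), i.e. whole-string matching, which is
    re.fullmatch() here; a bare suite name therefore acts as an exact match.
    """
    selected: List[str] = []
    if includes:
        for pattern in includes:
            rx = re.compile(pattern)
            for suite in supported:
                if rx.fullmatch(suite) and suite not in selected:
                    selected.append(suite)
    else:
        selected = list(enabled)
    for pattern in excludes:
        rx = re.compile(pattern)
        selected = [s for s in selected if not rx.fullmatch(s)]
    return selected


def effective_suites(supported: Sequence[str],
                     excludes: Optional[Sequence[str]] = None,
                     includes: Sequence[str] = ()) -> List[str]:
    """Suites Jetty would actually offer for this JVM (enabled == supported here)."""
    if excludes is None:
        excludes = JETTY_DEFAULT_EXCLUDES
    return select_cipher_suites(supported, supported, includes, excludes)


def jetty_warning(supported: Sequence[str],
                  excludes: Optional[Sequence[str]] = None,
                  includes: Sequence[str] = ()) -> Optional[str]:
    """The warning Jetty logs when nothing survives selection, else None."""
    if effective_suites(supported, excludes, includes):
        return None
    return "No supported ciphers from [" + ", ".join(supported) + "]"


if __name__ == "__main__":
    print("IBM J9, Jetty defaults:", effective_suites(IBM_J9_SUPPORTED))
    print("  ->", jetty_warning(IBM_J9_SUPPORTED))
    print("OpenJDK 8, Jetty defaults:", effective_suites(OPENJDK_SUPPORTED))
    # Forcing one SSL_ suite in, as the poster tried, cannot help: Jetty
    # applies excludes after includes, so ^SSL_.*$ removes it again.
    print("IBM J9, one suite forced in:",
          effective_suites(IBM_J9_SUPPORTED,
                           includes=["SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"]))
```

With no suite left, the TLS handshake cannot complete, which is what curl reports as "Peer reports it experienced an internal error"; the same selection on OpenJDK 8 keeps the forward-secret SHA256/SHA384 and GCM suites, matching the working test later in the thread.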

Reiner Acuña

Apr 1, 2020, 11:11:27 AM4/1/20
to rundeck-discuss
Hi Kobi,

Can you try with OpenJDK 8? I did a test in RHEL 7.7 on Vagrant (using VirtualBox as provider) and it works normally.

[root@rhel7 ~]# tail -f /var/log/rundeck/service.log
[2020-04-01 14:52:59.453]  INFO BootStrap --- [           main] Starting Rundeck 3.2.4-20200318 (2020-03-18) ...
[2020-04-01 14:52:59.458]  INFO BootStrap --- [           main] using rdeck.base config property: /var/lib/rundeck
[2020-04-01 14:52:59.471]  INFO BootStrap --- [           main] loaded configuration: /etc/rundeck/framework.properties
[2020-04-01 14:52:59.532]  INFO BootStrap --- [           main] RSS feeds disabled
[2020-04-01 14:52:59.532]  INFO BootStrap --- [           main] Using jaas authentication
[2020-04-01 14:52:59.536]  INFO BootStrap --- [           main] Preauthentication is disabled
[2020-04-01 14:52:59.659]  INFO BootStrap --- [           main] Rundeck is ACTIVE: executions can be run.
[2020-04-01 14:52:59.733]  WARN BootStrap --- [           main] [Development Mode] Usage of H2 database is recommended only for development and testing
[2020-04-01 14:53:00.003]  INFO BootStrap --- [           main] Rundeck startup finished in 670ms

Grails application running at https://localhost:4443 in environment: production

---

[root@rhel7 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.7 (Maipo)

Regards!


Kobi Rosenstein

Apr 1, 2020, 12:37:51 PM4/1/20
to rundeck-discuss
Here are my complete steps and configuration (in Markdown format).
I have followed exactly these steps on 3 new Azure VMs. No amount of configuration is helping me:
### System info: ###
```
$ uname -a
Linux kobi-rd-1 3.10.0-1062.12.1.el7.x86_64 #(Azure VM)
```


```
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.7 (Maipo)
```

### Installation: ###
```
sudo yum install -y java-1.8.0
sudo rpm -Uvh https://repo.rundeck.org/latest.rpm
sudo yum install -y rundeck
sudo service rundeckd start
```
### Configuring keys for ssl ###
```
$ keytool -importkeystore -destkeystore keystore -srckeystore rundeck.p12 -srcstoretype pkcs12
$ ls $(pwd) #(/home/rundeck)
rd_certs.tar  rundeck-ca.crt  rundeck-chain.pem  rundeck-inter.pem  rundeck-server.pem  keystore
rundec-key.pem  rundeck-ca.pem  rundeck-inter.crt  rundeck-server.crt  rundeck.p12  truststore

$ cp keystore /etc/rundeck/ssl && cp keystore /etc/rundeck/ssl/truststore
$ ll /etc/rundeck/ssl
total 12
-rw-rw-r--. 1 rundeck rundeck 2732 Mar 31 07:50 keystore
-rw-r-----. 1 rundeck rundeck  161 Mar 31 07:52 ssl.properties
-rw-rw-r--. 1 rundeck rundeck 2732 Mar 31 07:51 truststore
```

### Config files: ###
```
$ vim /etc/rundeck/framework.properties
framework.server.name = server-dns.com
framework.server.hostname = server-dns.com
framework.server.port = 4443
framework.server.url = https://server-dns.com
framework.rundeck.url = https://server-dns.com
:wq

$ vim /etc/rundeck/rundeck-config.properties
grails.serverURL=https://server-dns.com:4443
:wq

$ vim /etc/sysconfig/rundeckd
export RUNDECK_WITH_SSL=true
export RDECK_HTTPS_PORT=4443
:wq
$ source /etc/sysconfig/rundeckd

$ vim /etc/rundeck/ssl/ssl.properties
keystore=/etc/rundeck/ssl/keystore
keystore.password=secretpw
key.password=secretpw
truststore=/etc/rundeck/ssl/truststore
truststore.password=secretpw
```

### Run the server:
```
$ sudo systemctl restart rundeckd && tail -f /var/log/rundeck/service.log
Session terminated, killing shell...[2020-04-01 15:59:19.400]  INFO BootStrap --- [      Thread-20] Rundeck Shutdown detected
 
...killed.

Configuring Spring Security Core ...
... finished configuring Spring Security Core

[2020-04-01 16:00:24.877]  INFO BootStrap --- [           main] Starting Rundeck 3.2.4-20200318 (2020-03-18) ...
[2020-04-01 16:00:24.883]  INFO BootStrap --- [           main] using rdeck.base config property: /var/lib/rundeck
[2020-04-01 16:00:24.899]  INFO BootStrap --- [           main] loaded configuration: /etc/rundeck/framework.properties
[2020-04-01 16:00:25.011]  INFO BootStrap --- [           main] RSS feeds disabled
[2020-04-01 16:00:25.011]  INFO BootStrap --- [           main] Using jaas authentication
[2020-04-01 16:00:25.018]  INFO BootStrap --- [           main] Preauthentication is disabled
[2020-04-01 16:00:25.209]  INFO BootStrap --- [           main] Rundeck is ACTIVE: executions can be run.
[2020-04-01 16:00:25.298]  WARN BootStrap --- [           main] [Development Mode] Usage of H2 database is recommended only for development and testing
[2020-04-01 16:00:25.787]  INFO BootStrap --- [           main] Rundeck startup finished in 1278ms
[2020-04-01 16:00:26.179]  WARN SslContextFactory --- [           main] No supported ciphers from [SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]

Grails application running at https://localhost:4443 in environment: production
^C

$ curl https://localhost:4443

curl: (35) Peer reports it experienced an internal error.
```

Is there any difference between what I have posted and your steps?
In my /etc/rundeck/framework.properties there are a few more lines than in your version?


Reiner Acuña

Apr 1, 2020, 5:41:01 PM4/1/20
to rundeck-discuss
Hi Kobi,

I tried again totally from scratch to test (under Vagrant, RHEL 7.7 + OpenJDK 8; I used a self-signed cert).

1. As root user, update whole system:

# yum -y update

2. Install OpenJDK:

# yum install java-1.8.0

3. Add the Rundeck repository:


4. Install Rundeck:

# yum install rundeck

5. Generate the .pem file:

# openssl req -x509 -newkey rsa:4096 -keyout rundeck.pem -out rundeck.pem -days 365

6. Convert to .p12 format:

# openssl pkcs12 -export -in rundeck.pem -out rundeck.p12

7. Create the keystore:

# keytool -importkeystore -destkeystore /etc/rundeck/ssl/keystore -srckeystore rundeck.p12 -srcstoretype pkcs12

8. Copy keystore as truststore:

# cp /etc/rundeck/ssl/keystore /etc/rundeck/ssl/truststore

9. Edit the ssl.properties file (at /etc/rundeck/ssl path):

keystore=/etc/rundeck/ssl/keystore
keystore.password=yourpassword
key.password=yourpassword
truststore=/etc/rundeck/ssl/truststore
truststore.password=yourpassword

10. Edit the following line on rundeck-config.properties file (at /etc/rundeck path):

grails.serverURL=https://yourhost:4443

11. Edit the following lines on framework.properties file (at /etc/rundeck path):

framework.server.name = yourhost
framework.server.hostname = yourhost
framework.server.port = 4443
framework.server.url = https://yourhost:4443

12. Create/edit rundeckd file (at /etc/defaults path) with the following content:

export RUNDECK_WITH_SSL=true

13. Enable and start Rundeck service:

# systemctl enable rundeckd; systemctl start rundeckd

14. Test with cURL:

$ curl -k -I https://yourhost:4443/user/login

HTTP/1.1 200 OK
Date: Wed, 01 Apr 2020 21:32:16 GMT
X-Frame-Options: deny
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src * ; font-src 'self' data: ; connect-src 'self' https://api.rundeck.com ; form-action 'self' ;
Set-Cookie: JSESSIONID=node0jkm1iiulxhyy1aruaqsy4nise16.node0; Path=/; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Content-Type: text/html;charset=utf-8
Content-Length: 6348

Do not edit the profile file (and as you can see, the profile file isn't involved anywhere in the above process); all configuration that you need to pass to the JVM needs to be passed through the rundeckd file (at /etc/defaults/ path). Take a look at this:

Kobi Rosenstein

Apr 2, 2020, 3:49:06 AM4/2/20
to rundeck-discuss
Thanks. Unfortunately, even copy-pasting your lines exactly, and even trying a self-signed cert as you did to rule out the possibility of a cert error, did not help. I still receive:
curl: (35) Peer reports it experienced an internal error.
The only information I found online is "this usually happens when TLS is outdated and you need to wait for an update".

This is the 4th server this is happening on.
The only guess I have is that it's a problem with Azure...
I think I'll keep trying and also try other ways, maybe with Docker, or with nginx/apache somehow. I already tried once with nginx but I think my lack of knowledge is a problem there :)