Java unable to find valid certification path to requested target after upgrade to 2.7.1


Ryan S Di Francesco

Feb 10, 2017, 11:07:22 AM
to rundeck-discuss
In December I upgraded our Rundeck development instance from version 2.6.9 to 2.7.1 and authentication to our Active Directory immediately broke.  The service.log file reports the following:

javax.naming.CommunicationException: simple bind failed: FQDN:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        ...

I just tried updating to 2.7.2 yet the same error results.  I can confirm that our Active Directory is still servicing requests properly as our Rundeck production instance (2.6.9) is still authenticating successfully.  Please advise.  Thanks.

Greg Schueler

Feb 10, 2017, 12:06:08 PM
to rundeck-discuss
Hi Ryan,

It seems like your SSL certificate configuration is no longer working.

Note that the /etc/rundeck/profile file changed significantly between 2.6.9 and 2.7.x.  The new profile file sources a /etc/sysconfig/rundeckd file (if you have one).  You should create that file and put any modifications to the values in the /etc/rundeck/profile there.

If you are upgrading using yum the new /etc/rundeck/profile will *not* be updated if you have modified it.  Rpm will not overwrite it.  You will have to replace it and apply your modifications to the /etc/sysconfig/rundeckd file.


Ryan S Di Francesco

Feb 10, 2017, 2:14:39 PM
to rundeck-discuss
Thanks Greg, that got Rundeck back online now. I misread the documentation initially thinking this change only applied to Debian.

One odd issue I noticed after creating/configuring the /etc/sysconfig/rundeckd file.  Initially I added the following 4 lines which were originally customized in /etc/rundeck/profile:
RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -server}"
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-activedirectory.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-activedirectory}"
RUNDECK_WITH_SSL=true

However, my login attempts would fail with the following:

HTTP ERROR: 500

Problem accessing /user/j_security_check. Reason:

    java.io.IOException: /jaas-activedirectory.conf (No such file or directory)

Only after I added the following line to /etc/sysconfig/rundeckd would everything work properly.  But, this line is the default setting and not something I've customized so it's odd I still had to add it to my custom file even though it already existed in the default /etc/rundeck/profile:
RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"

Not a showstopper, but, did find that odd.  Thanks again.
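
The /jaas-activedirectory.conf path in the last post is what shell expansion produces if the override file is sourced before the profile assigns RDECK_CONFIG. The script below is an added example, not part of the thread and not Rundeck's own files; it assumes that sourcing order and uses constructed stand-in files in a temporary directory (resolve_jaas_conf is a hypothetical helper name).

```shell
#!/bin/sh
# Constructed stand-ins for /etc/rundeck/profile and /etc/sysconfig/rundeckd.
# Assumption: the profile sources the override file first and only then
# assigns its own defaults such as RDECK_CONFIG.

# resolve_jaas_conf yes|no
#   yes = override file also sets RDECK_CONFIG (the extra line from the post)
#   no  = override file contains only the customized lines
# Prints the JAAS_CONF value the service would end up with.
resolve_jaas_conf() {
    dir=$(mktemp -d) || return 1

    # Stand-in for /etc/sysconfig/rundeckd, using the lines from the post.
    {
        if [ "$1" = yes ]; then
            echo 'RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"'
        fi
        echo 'JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-activedirectory.conf}"'
        echo 'LOGIN_MODULE="${LOGIN_MODULE:-activedirectory}"'
    } > "$dir/rundeckd"

    # Stand-in for /etc/rundeck/profile: source overrides, then set defaults.
    printf '%s\n' \
        ". \"$dir/rundeckd\"" \
        'RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"' \
        > "$dir/profile"

    # Evaluate in a clean subshell so the caller's environment is not used.
    (
        unset RDECK_CONFIG JAAS_CONF LOGIN_MODULE
        . "$dir/profile"
        printf '%s\n' "$JAAS_CONF"
    )
    rm -rf "$dir"
}

# $RDECK_CONFIG is still empty when JAAS_CONF is expanded:
echo "override without RDECK_CONFIG: $(resolve_jaas_conf no)"
# Defining RDECK_CONFIG in the override file first gives the intended path:
echo "override with RDECK_CONFIG:    $(resolve_jaas_conf yes)"
```

Any variable in the override file that refers to another profile variable needs that variable defined earlier in the same file, which is why the default RDECK_CONFIG line had to be repeated.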