Trusting a self signed SSL cert for the resource provider
Marcello de Sousa
be able to use a resource provider through SSL (with a self-signed cert) :
$ keytool -importcert -file myserver.crt -keystore
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts
-storepass changeit
(Example from a Centos6 machine.)
Adding it to /etc/rundeck/ssl/truststore didn't work and I was getting:
"Error updating node resources file for project examples:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target"
It might help someone else...
Cheers,
Marcello
Noah Campbell
-Noah
Noah Campbell
415-513-3545
noahca...@gmail.com
Marcello de Sousa
And how can I do it ? I've installed it from RPM, so I would assume it was
already configured like that.
Here is what I have in my /etc/rundeck/profile :
-----8<---knip----8<------
#
# SSL Configuration - Uncomment the following to enable. Check
SSL.properties for details.
#
export RDECK_JVM="$RDECK_JVM
-Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties
-Dserver.https.port=4443"
export RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=$RDECK_BASE/ssl/truststore
-Djavax.net.ssl.trustStoreType=jks
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
-----8<---knip----8<------
Extra info:
# ps ax |grep java
2763 pts/1 S 0:00 runuser -l rundeck -c /usr/bin/java
-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf
?-Dloginmodule.name=RDpropertyfilelogin ?-Drdeck.config=/etc/rundeck
?-Drdeck.base=/etc/rundeck ?-Drundeck.server.configDir=/etc/rundeck
?-Dserver.datastore.path=/var/lib/rundeck/data
?-Drundeck.server.serverDir=/var/lib/rundeck
?-Drdeck.projects=/var/rundeck/projects
?-Drdeck.runlogs=/var/lib/rundeck/logs
?-Drundeck.config.name=/etc/rundeck/rundeck-config.properties -Xmx1024m
-Xms256m -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties
-Dserver.https.port=4443 -cp
/var/lib/rundeck/bootstrap/jetty-6.1.21.jar:/var/lib/rundeck/bootstrap/servl
et-api-2.5-20081211.jar:/var/lib/rundeck/bootstrap/jetty-naming-6.1.21.jar:/
var/lib/rundeck/bootstrap/rundeck-server-1.3.0.jar:/var/lib/rundeck/bootstra
p/jetty-plus-6.1.21.jar:/var/lib/rundeck/bootstrap/jetty-util-6.1.21.jar::/e
tc/rundeck com.dtolabs.rundeck.RunServer /etc/rundeck 4440
2768 ? Ssl 1:56 /usr/bin/java
-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf
-Dloginmodule.name=RDpropertyfilelogin -Drdeck.config=/etc/rundeck
-Drdeck.base=/etc/rundeck -Drundeck.server.configDir=/etc/rundeck
-Dserver.datastore.path=/var/lib/rundeck/data
-Drundeck.server.serverDir=/var/lib/rundeck
-Drdeck.projects=/var/rundeck/projects -Drdeck.runlogs=/var/lib/rundeck/logs
-Drundeck.config.name=/etc/rundeck/rundeck-config.properties -Xmx1024m
-Xms256m -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties
-Dserver.https.port=4443 -cp
/var/lib/rundeck/bootstrap/jetty-6.1.21.jar:/var/lib/rundeck/bootstrap/servl
et-api-2.5-20081211.jar:/var/lib/rundeck/bootstrap/jetty-naming-6.1.21.jar:/
var/lib/rundeck/bootstrap/rundeck-server-1.3.0.jar:/var/lib/rundeck/bootstra
p/jetty-plus-6.1.21.jar:/var/lib/rundeck/bootstrap/jetty-util-6.1.21.jar::/e
tc/rundeck com.dtolabs.rundeck.RunServer /etc/rundeck 4440
Cheers,
Marcello
Noah Campbell
-Noah
Noah Campbell
415-513-3545
noahca...@gmail.com
Mark Chaney
Jedblack
Its trying to validate foreman's SSL cert chain(s), Which essentially means you need to add the foreman ssl cert itself(and possibly the foreman CA cert) to the rundeck truststore.
The truststore is local under /etc/rundeck/ssl/truststore if you used the RPM install option. To add a cert to that truststore you would run something like this ..
keytool -import -alias foreman_cert -file /some/directory/foreman.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
keytool -import -alias foreman_ca_cert -file /some/directory/foreman-CA.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin