Trusting a self signed SSL cert for the resource provider


Marcello de Sousa

Aug 29, 2011, 6:03:32 PM
to rundeck...@googlegroups.com
As requested by mlei @ #rundeck IRC channel, I'm posting here what I did to
be able to use a resource provider through SSL (with a self-signed cert):

$ keytool -importcert -file myserver.crt -keystore
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts
-storepass changeit
(Example from a Centos6 machine.)

Adding it to /etc/rundeck/ssl/truststore didn't work and I was getting:

"Error updating node resources file for project examples:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target"

It might help someone else...

Cheers,
Marcello

Noah Campbell

Aug 29, 2011, 6:23:10 PM
to rundeck...@googlegroups.com
If you configure the rundeck java process to use /etc/rundeck/ssl/truststore instead of the default, it will work. Modifying the cacerts in /usr/lib/jvm/... is probably not the most secure idea. If you need the root certs you can always keytool --importcerts from cacert.

-Noah

Noah Campbell
415-513-3545
noahca...@gmail.com

Marcello de Sousa

Aug 29, 2011, 6:37:34 PM
to rundeck...@googlegroups.com
Hi Noah,

And how can I do it? I've installed it from RPM, so I would assume it was
already configured like that.

Here is what I have in my /etc/rundeck/profile :

-----8<---knip----8<------
#
# SSL Configuration - Uncomment the following to enable. Check
SSL.properties for details.
#
export RDECK_JVM="$RDECK_JVM
-Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties
-Dserver.https.port=4443"

export RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=$RDECK_BASE/ssl/truststore
-Djavax.net.ssl.trustStoreType=jks
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
-----8<---knip----8<------

Extra info:
# ps ax |grep java
2763 pts/1 S 0:00 runuser -l rundeck -c /usr/bin/java
-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf
-Dloginmodule.name=RDpropertyfilelogin -Drdeck.config=/etc/rundeck
-Drdeck.base=/etc/rundeck -Drundeck.server.configDir=/etc/rundeck
-Dserver.datastore.path=/var/lib/rundeck/data
-Drundeck.server.serverDir=/var/lib/rundeck
-Drdeck.projects=/var/rundeck/projects
-Drdeck.runlogs=/var/lib/rundeck/logs
-Drundeck.config.name=/etc/rundeck/rundeck-config.properties -Xmx1024m
-Xms256m -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties
-Dserver.https.port=4443 -cp
/var/lib/rundeck/bootstrap/jetty-6.1.21.jar:/var/lib/rundeck/bootstrap/servlet-api-2.5-20081211.jar:/var/lib/rundeck/bootstrap/jetty-naming-6.1.21.jar:/var/lib/rundeck/bootstrap/rundeck-server-1.3.0.jar:/var/lib/rundeck/bootstrap/jetty-plus-6.1.21.jar:/var/lib/rundeck/bootstrap/jetty-util-6.1.21.jar::/etc/rundeck com.dtolabs.rundeck.RunServer /etc/rundeck 4440
2768 ? Ssl 1:56 /usr/bin/java
-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf
-Dloginmodule.name=RDpropertyfilelogin -Drdeck.config=/etc/rundeck
-Drdeck.base=/etc/rundeck -Drundeck.server.configDir=/etc/rundeck
-Dserver.datastore.path=/var/lib/rundeck/data
-Drundeck.server.serverDir=/var/lib/rundeck
-Drdeck.projects=/var/rundeck/projects -Drdeck.runlogs=/var/lib/rundeck/logs
-Drundeck.config.name=/etc/rundeck/rundeck-config.properties -Xmx1024m
-Xms256m -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties
-Dserver.https.port=4443 -cp
/var/lib/rundeck/bootstrap/jetty-6.1.21.jar:/var/lib/rundeck/bootstrap/servlet-api-2.5-20081211.jar:/var/lib/rundeck/bootstrap/jetty-naming-6.1.21.jar:/var/lib/rundeck/bootstrap/rundeck-server-1.3.0.jar:/var/lib/rundeck/bootstrap/jetty-plus-6.1.21.jar:/var/lib/rundeck/bootstrap/jetty-util-6.1.21.jar::/etc/rundeck com.dtolabs.rundeck.RunServer /etc/rundeck 4440

Cheers,
Marcello

Noah Campbell

Aug 29, 2011, 6:53:30 PM
to rundeck...@googlegroups.com
The RDECK_SSL_OPTS are provided in /etc/rundeck/profile but not added to command line. That's an extra step you need to take. It could definitely be clearer as to what needs to be done.

-Noah

Noah Campbell
415-513-3545
noahca...@gmail.com

Mark Chaney

Aug 9, 2013, 12:50:41 PM
to rundeck...@googlegroups.com
I know this is an old post, but it appears to still apply. I'm still completely lost on how I can get Rundeck to work with the Foreman self-signed SSL cert when trying to use it as a resource.

Jedblack

Nov 3, 2014, 5:49:06 PM
to rundeck...@googlegroups.com
Mark,

It's trying to validate Foreman's SSL cert chain(s), which essentially means you need to add the Foreman SSL cert itself (and possibly the Foreman CA cert) to the Rundeck truststore.

The truststore is local under /etc/rundeck/ssl/truststore if you used the RPM install option. To add a cert to that truststore you would run something like this:

keytool -import -alias foreman_cert -file /some/directory/foreman.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
keytool -import -alias foreman_ca_cert -file /some/directory/foreman-CA.pem -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
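The two steps the thread settles on (Jedblack's keytool import into /etc/rundeck/ssl/truststore, and Noah's point that RDECK_SSL_OPTS must actually reach the JVM command line), as an added shell example that is not from the thread or the Rundeck project. It assumes the RPM layout, the truststore password adminadmin quoted above, keytool and openssl on PATH, and a placeholder hostname foreman.example.org.

```shell
#!/bin/sh
# Added example (not from the thread): put a provider's self-signed cert into
# Rundeck's own truststore and verify the JVM really got -Djavax.net.ssl.trustStore.
# Assumes the RPM layout and the thread's password; change adminadmin in real use.

TRUSTSTORE="${TRUSTSTORE:-/etc/rundeck/ssl/truststore}"
STOREPASS="${STOREPASS:-adminadmin}"

# Return 0 when a java command line (e.g. one line of `ps ax` output) carries the
# trustStore property, 1 otherwise. Neither line of the thread's ps output has it.
jvm_uses_truststore() {
    case "$1" in
        *-Djavax.net.ssl.trustStore=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the live Rundeck server process rather than the profile file.
running_rundeck_uses_truststore() {
    cmdline="$(ps ax | grep '[c]om.dtolabs.rundeck.RunServer' | head -n 1)"
    jvm_uses_truststore "$cmdline"
}

# keytool -list exits non-zero when ALIAS is not in the store.
alias_present() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        -alias "$1" >/dev/null 2>&1
}

# Import one PEM file under ALIAS, skipping it if already present. -noprompt is
# acceptable only because fetch_leaf prints the fingerprint for out-of-band checking.
import_cert() {
    if alias_present "$1"; then
        echo "alias $1 already in $TRUSTSTORE, skipping"
        return 0
    fi
    keytool -import -noprompt -alias "$1" -file "$2" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Save the leaf cert HOST:PORT presents to OUT and print its SHA-256 fingerprint,
# to be compared with the fingerprint read on the provider host itself.
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
    openssl x509 -in "$3" -noout -fingerprint -sha256
}
# Usage (hostname is a placeholder): fetch_leaf foreman.example.org 443 /tmp/foreman.pem
# then import_cert foreman_cert /tmp/foreman.pem; running_rundeck_uses_truststore
```

If the last check fails, append $RDECK_SSL_OPTS to RDECK_JVM in /etc/rundeck/profile and restart rundeckd; the cacerts in /usr/lib/jvm can then stay untouched.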