Rundeck SSL Configuration

Rundeck is an open-source tool that automates routine operational procedures in data center and cloud environments. This post describes how to configure SSL/TLS on Rundeck so that traffic between users and the Rundeck server is encrypted, whether the server is reached from the intranet or the internet. It applies to Rundeck running on Linux (CentOS/Debian).

Phase 1:

Steps to generate a self-signed certificate in a PKCS#12 keystore and export its key material:

  • Create PKCS#12 keystore (.pfx file)
#keytool -genkeypair -keystore myKeystore.pfx -storetype PKCS12 -storepass password -alias KEYSTORE_ENTRY -keyalg RSA -keysize 2048 -validity 99999 -dname "CN=My SSL Certificate, OU=Sustaining, O=Virtustream, L=McLean, ST=VA, C=US" -ext san=dns:servername.com,dns:localhost,ip:127.0.0.1,ip:xx.xx.xx.xx

Replace servername.com with the FQDN of the Rundeck server and xx.xx.xx.xx with its IP address. The -ext san entry must list every hostname and address clients will use to reach the server, otherwise browsers reject the certificate. Use a real store password in place of password. Note that -validity is in days, so 99999 yields a certificate valid for roughly 274 years; pick a much shorter validity for anything beyond a lab.

  • Create the public certificate
#keytool -exportcert -keystore myKeystore.pfx -storepass <password> -alias KEYSTORE_ENTRY -rfc -file public-certificate.pem

Replace <password> with the actual keystore password. The -rfc flag writes the certificate in PEM format.

  • Export the private key
#openssl pkcs12 -in myKeystore.pfx -password pass:<password> -nodes -nocerts -out private-key.key

Replace <password> with the actual keystore password. Because -nodes writes the private key unencrypted, keep private-key.key readable only by root (for example chmod 600) and delete it once it is no longer needed.

  • Export the public key from the private key
#openssl rsa -in private-key.key -pubout > public-key.pub
  • Convert PEM certificate to DER format with .cer extension
#openssl x509 -inform PEM -in public-certificate.pem -outform DER -out certificate.cer

Phase 2:

  • Copy the .pfx and .cer files to /etc/rundeck/ssl (requires sudo or root access)
#sudo cp *.pfx *.cer /etc/rundeck/ssl

Create the Java keystore that will hold the key pair from myKeystore.pfx (this command also creates a placeholder key pair under the alias rundeck; the certificate you actually want is imported in a later step)

#keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

Retrieve the alias from the PKCS#12 file

#keytool -v -list -storetype pkcs12 -keystore /etc/rundeck/ssl/myKeystore.pfx

Output: Alias name: keystore_entry (keytool treats aliases case-insensitively and lists them in lower case, which is why KEYSTORE_ENTRY appears here as keystore_entry)

  • Import the Certificate and Private Key into the Java keystore
#keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /etc/rundeck/ssl/keystore -srckeystore /etc/rundeck/ssl/myKeystore.pfx -srcstoretype PKCS12 -srcstorepass password -srcalias keystore_entry -alias keystore_entry
  • Create a separate keystore to hold the CA certificate (certificate.cer)
#keytool -keystore /etc/rundeck/ssl/ca -alias rundeck -genkey -keyalg RSA -keypass password -storepass password
  • Add the CA cert to the CA keystore
#keytool -import -alias ca -file /etc/rundeck/ssl/certificate.cer -keystore /etc/rundeck/ssl/ca -storepass password
  • Obfuscate the password
#java -cp /var/lib/rundeck/bootstrap/jetty-all-9.0.7.v20131107.jar org.eclipse.jetty.util.security.Password root password

**Output**

OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
MD5:5f4dcc3b5aa765d61d8327deb882cf99
CRYPT:rox7Jdqy.byUU

Replace /var/lib/rundeck/bootstrap with the actual path for your install; installs that ship only the Rundeck war (see the comment below) will not have this jar, but any Jetty jetty-util jar contains the same org.eclipse.jetty.util.security.Password class. The two arguments are a username and the password; the username only feeds the CRYPT: line. The command prints the same password in three forms: OBF (Jetty's reversible obfuscation), and MD5 and CRYPT (one-way hashes used for Jetty realm files, which cannot be used here because Jetty must present the real keystore password). Use the OBF: value, including the OBF: prefix. Be aware that OBF is obfuscation, not encryption: anyone who can read ssl.properties can recover the password, so protect the file with filesystem permissions (readable only by the rundeck user) rather than relying on the obfuscated value.

  • Configure Rundeck /etc/rundeck/ssl/ssl.properties

keystore=/etc/rundeck/ssl/keystore
keystore.password=<password>
key.password=<password>
truststore=/etc/rundeck/ssl/keystore
truststore.password=<password>

Replace <password> with the OBF: value generated in the previous step. As written, the truststore points at the keystore itself; if you want the separate CA keystore built above to serve as the truststore, set truststore=/etc/rundeck/ssl/ca and truststore.password to the OBF form of its store password.
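The following Python script is an added example, not Rundeck's or Jetty's own code: it re-implements the OBF scheme of org.eclipse.jetty.util.security.Password so you can check the value produced in the "Obfuscate the password" step and see why it offers no real protection for ssl.properties. SAMPLE_SSL_PROPERTIES is constructed for the example and mirrors the file built above with the OBF value the tool printed for the string "password"; the function and constant names are the example's own.

```python
"""Jetty OBF password handling, as used in Rundeck's ssl.properties.

Added example, not Rundeck's or Jetty's own code: a Python re-implementation
of the OBF scheme from org.eclipse.jetty.util.security.Password, plus a small
parser for ssl.properties. It shows that OBF: values are reversible
obfuscation, not encryption. SAMPLE_SSL_PROPERTIES is constructed for the
example and mirrors the file built in this post.
"""
import hashlib

OBF_PREFIX = "OBF:"
_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 rendering, matching Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(_BASE36[rem])
    return "".join(reversed(digits))


def obfuscate(secret: str) -> str:
    """Produce the OBF: string Jetty's Password tool prints for a secret."""
    data = secret.encode("utf-8")
    out = [OBF_PREFIX]
    for i, b1 in enumerate(data):
        b2 = data[len(data) - (i + 1)]  # byte mirrored from the other end
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII pair: 'U' plus base-36 of (b1 << 8 | b2), padded to 4 chars
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2  # sum term
            i2 = 127 + b1 - b2  # difference term
            out.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(value: str) -> str:
    """Recover the plaintext from an OBF: string; no key or secret is needed."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    recovered = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i0 = int(s[i + 1:i + 5], 36)
            recovered.append((i0 >> 8) & 0xFF)
            i += 5
        else:
            i0 = int(s[i:i + 4], 36)
            i1, i2 = divmod(i0, 256)
            # i1 + i2 == 254 + 2*b1, so the original byte falls straight out
            recovered.append(((i1 + i2 - 254) // 2) & 0xFF)
            i += 4
    return recovered.decode("utf-8")


def jetty_md5(secret: str) -> str:
    """The MD5: line printed by the same tool: a one-way hash for Jetty realm
    files, unusable as a keystore password because Jetty must present the real one."""
    return "MD5:" + hashlib.md5(secret.encode("utf-8")).hexdigest()


def recover_passwords(properties_text: str) -> dict:
    """Return {key: plaintext} for every *.password entry in an ssl.properties
    body, whether the value is stored as OBF: or in the clear."""
    found = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.endswith(".password"):
            found[key] = deobfuscate(value) if value.startswith(OBF_PREFIX) else value
    return found


# Constructed sample: the ssl.properties from this post, with the OBF value
# the Password tool printed for the string "password".
SAMPLE_SSL_PROPERTIES = """\
keystore=/etc/rundeck/ssl/keystore
keystore.password=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
key.password=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
truststore=/etc/rundeck/ssl/keystore
truststore.password=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
"""

if __name__ == "__main__":
    print(obfuscate("password"))
    print(jetty_md5("password"))
    for key, plain in recover_passwords(SAMPLE_SSL_PROPERTIES).items():
        print(f"{key} -> {plain!r}")
```

Running the script against the sample reproduces the OBF: and MD5: lines shown above and prints the plaintext for every password key, which is exactly what an attacker with read access to /etc/rundeck/ssl/ssl.properties can do. The only effective controls are file permissions on ssl.properties and the keystore files, not the OBF encoding.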

  • Edit /etc/rundeck/profile

Comment out the following lines

if [ -n "$RUNDECK_WITH_SSL" ] ; then
RDECK_SSL_OPTS="${RDECK_SSL_OPTS:- -Djavax.net.ssl.trustStore=$RDECK_TRUSTSTORE_FILE -Djavax.net.ssl.trustStoreType=$RDECK_TRUSTSTORE_TYPE -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol}"
RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} ${RDECK_SSL_OPTS}"
fi

Add the following line after the commented-out block

RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT}"

  • Configure rundeck-config.properties

Edit the file /etc/rundeck/rundeck-config.properties and change the grails.serverURL line: replace http with https and port 4440 with 4443 (the HTTPS port set by RDECK_HTTPS_PORT in the profile). Rundeck uses this URL when building links, so it must match the scheme and port clients actually connect to.

grails.serverURL=https://yourdomain.com:4443

  • Restart the rundeckd service; you should then be able to connect over https
  • At this point you should be able to reach https://<FQDN or IP>:4443 over TLS. Because the certificate is self-signed, browsers will warn until certificate.cer has been imported into the client's trust store.

For troubleshooting, check /var/log/rundeck/service.log.


5 thoughts on "Rundeck SSL Configuration"

  1. Hi Vinsumi, I installed Rundeck from RPM so I'm not sure what to do on your "#java -cp /var/lib/rundeck/bootstrap/jetty-all-9.0.7.v20131107.jar org.eclipse.jetty.util.security.Password root password" step. The only item in my "/var/lib/rundeck/bootstrap" folder is "rundeck-3.0.9-20181127.war"
