Rundeck is an open-source tool that automates routine operational procedures in data center or cloud environments. This post describes how to configure SSL on Rundeck so that traffic is protected within the intranet and over the internet. It is a reference for configuring SSL for Rundeck running on Linux (CentOS/Debian).
Phase 1:
Steps to generate a self-signed PKCS#12 SSL certificate and export its keys:
- Create PKCS#12 keystore (.pfx file)
#keytool -genkeypair -keystore myKeystore.pfx -storetype PKCS12 -storepass password -alias KEYSTORE_ENTRY -keyalg RSA -keysize 2048 -validity 99999 -dname "CN=My SSL Certificate, OU=Sustaining, O=Virtustream, L=McLean, ST=VA, C=US" -ext san=dns:servername.com,dns:localhost,ip:127.0.0.1,ip:xx.xx.xx.xx
Replace servername.com with the FQDN of the Rundeck server and xx.xx.xx.xx with the Rundeck server's IP address.
- Create the public certificate
#keytool -exportcert -keystore myKeystore.pfx -storepass <password> -alias KEYSTORE_ENTRY -rfc -file public-certificate.pem
Replace <password> with the actual keystore password.
- Export the private key
#openssl pkcs12 -in myKeystore.pfx -password pass:<password> -nodes -nocerts -out private-key.key
Replace <password> with the actual keystore password.
- Export the public key from the private key
#openssl rsa -in private-key.key -pubout > public-key.pub
- Convert PEM certificate to DER format with .cer extension
#openssl x509 -inform PEM -in public-certificate.pem -outform DER -out certificate.cer
Phase 2:
- Copy the .pfx and .cer files to /etc/rundeck/ssl (requires sudo or root-level access)
#sudo cp *.pfx *.cer /etc/rundeck/ssl
- Create a keystore for the rundeck.pfx certificate
#keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password
- Retrieve the alias from the PKCS #12 file
#keytool -v -list -storetype pkcs12 -keystore /etc/rundeck/ssl/myKeystore.pfx
**Output** >> Alias name: keystore_entry
- Import the Certificate and Private Key into the Java keystore
#keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /etc/rundeck/ssl/keystore -srckeystore /etc/rundeck/ssl/myKeystore.pfx -srcstoretype PKCS12 -srcstorepass password -srcalias keystore_entry -alias keystore_entry
- Create a keystore for the ca.cer certificate authority
#keytool -keystore /etc/rundeck/ssl/ca -alias rundeck -genkey -keyalg RSA -keypass password -storepass password
- Add the CA cert to the CA keystore
#keytool -import -alias ca -file /etc/rundeck/ssl/certificate.cer -keystore /etc/rundeck/ssl/ca -storepass password
- Encrypt the password
#java -cp /var/lib/rundeck/bootstrap/jetty-all-9.0.7.v20131107.jar org.eclipse.jetty.util.security.Password root password
**Output**
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
MD5:5f4dcc3b5aa765d61d8327deb882cf99
CRYPT:rox7Jdqy.byUU
Replace /var/lib/rundeck/bootstrap with the actual path of your installation. The command above prints the same password in several encodings; use the OBF form.
- Configure Rundeck /etc/rundeck/ssl/ssl.properties
keystore=/etc/rundeck/ssl/keystore
keystore.password=<password>
key.password=<password>
truststore=/etc/rundeck/ssl/keystore
truststore.password=<password>
Replace <password> with the OBF-format password generated in the previous step.
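As an added example that is not part of the original post, the Jetty OBF scheme used for these ssl.properties values, re-implemented in Python for ASCII passwords, together with a check of a constructed ssl.properties; OBF is reversible by design (Jetty's Password class ships the decoder), so the file still needs strict read permissions, and the checker flags both plaintext values and weak values hiding behind OBF.

```python
# Added example (not from the original post): Jetty's OBF scheme as used by
# /etc/rundeck/ssl/ssl.properties, for ASCII passwords, plus a checker run over a
# constructed ssl.properties. OBF is reversible obfuscation, not encryption.
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"
WEAK_VALUES = {"password", "changeit"}  # constructed list of common defaults

def to_base36(n: int) -> str:
    digits = ""
    while n:
        n, rem = divmod(n, 36)
        digits = BASE36[rem] + digits
    return digits or "0"

def obf_encode(plain: str) -> str:
    """Mirror of Password.obfuscate(): each byte is mixed with its mirror byte."""
    raw = plain.encode("ascii")  # Jetty uses a separate 'U' form for other bytes
    out = ["OBF:"]
    for i, b1 in enumerate(raw):
        b2 = raw[len(raw) - 1 - i]
        i0 = (127 + b1 + b2) * 256 + (127 + b1 - b2)
        out.append(to_base36(i0).rjust(4, "0"))
    return "".join(out)

def obf_decode(obf: str) -> str:
    """Mirror of Password.deobfuscate(): (i1 + i2 - 254) / 2 gives the byte back."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw = bytearray()
    for pos in range(0, len(s), 4):
        i0 = int(s[pos:pos + 4], 36)
        raw.append((i0 // 256 + i0 % 256 - 254) // 2)
    return raw.decode("ascii")

def check_ssl_properties(text: str) -> list:
    """Flag *.password keys stored in plaintext or obfuscating a weak value."""
    findings = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("password") and not value.startswith("OBF:"):
            findings.append(f"{key}: stored in plaintext")
        elif key.endswith("password") and obf_decode(value) in WEAK_VALUES:
            findings.append(f"{key}: OBF hides weak value {obf_decode(value)!r}")
    return findings

# Constructed sample in the layout shown above; the OBF value is the page's own.
SAMPLE_SSL_PROPERTIES = """\
keystore.password=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
key.password=password
truststore.password=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
"""
```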
- Edit /etc/rundeck/profile
Comment out the lines below:
if [ -n "$RUNDECK_WITH_SSL" ] ; then
RDECK_SSL_OPTS="${RDECK_SSL_OPTS:- -Djavax.net.ssl.trustStore=$RDECK_TRUSTSTORE_FILE -Djavax.net.ssl.trustStoreType=$RDECK_TRUSTSTORE_TYPE -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol}"
RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} ${RDECK_SSL_OPTS}"
fi
Add the line below after the commented-out lines:
RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT}"
- Configure rundeck-config.properties
Edit the file /etc/rundeck/rundeck-config.properties. Find the grails.serverURL line and edit it: change http to https AND change port 4440 to 4443.
grails.serverURL=https://yourdomain.com:4443
- Restart the rundeckd service; you should now be able to connect over HTTPS
- At this point you should be able to open https://<FQDN or IP>:4443 and make a secure connection
For troubleshooting, look at /var/log/rundeck/service.log.
References:
Good Article thanks!
Hi Vinsumi. The last reference in your article has a URL that 404’ed. Here’s the fresh link to configuring SSL on Rundeck: https://rundeck.org/docs/administration/security/configuring-ssl.html
Done. Thanks Jorn!
Hi Vinsumi, I installed Rundeck from RPM so I’m not sure what to do on your “#java -cp /var/lib/rundeck/bootstrap/jetty-all-9.0.7.v20131107.jar org.eclipse.jetty.util.security.Password root password” step. The only item in my “/var/lib/rundeck/bootstrap” folder is “rundeck-3.0.9-20181127.war”
I've not tried the RPM method as I use Debian-based Linux distros