Open sgrunt91 opened 9 years ago
Hi, I have exactly the same problem. My conf:
Salt version: 2015.8.1, Rundeck version: 2.6.1
Salt-api configuration:
rest_cherrypy:
  port: 443
  debug: true
  ssl_key: /etc/salt/pki/key.pem
  ssl_crt: /etc/salt/pki/cert.pem
The certificate has been added into Rundeck's truststore.
The Salt-api is OK with Postman.
My API endpoint is https://localhost:443/. We also tested with https://[machine_name]:443/.
My debug logs from the Rundeck job:
[workflow] Begin execution: rundeck-workflow-node-first context: null
preparing for sequential execution on 1 nodes
Executing command on node: [machine_name]-[user], NodeEntryImpl{tags=[[user], rundeck, POC_HD], attributes={osFamily=centos, tags=POC_HD, [user], rundeck, username=[user], osVersion=centos7, osArch=centos, ssh-authentification=privateKey, description=plateforme d'infrastructure du POC_HD, hostname=[machine-name].ntes.fr.sopra, nodename=[machine-name]-[user], ssh-keypath=/opt/rundeck/private_key/rundeckKey, osName=[machine-name]}, project='null'}
NodeSet: MultiNodeSelector{nodenames=[[machine-name]-[user]]}
Workflow: com.dtolabs.rundeck.core.execution.workflow.StepFirstWorkflowStrategy$stepFirstWrapper@e7e4c04a
data context: {node={tags=[user],rundeck,POC_HD, username=[user], os-version=centos7, ssh-authentification=privateKey, description=plateforme d'infrastructure du POC_HD, name=[machine-name]-[user], os-arch=centos, hostname=[machine-name].ntes.fr.sopra, os-name=[machine-name], ssh-keypath=/opt/rundeck/private_key/rundeckKey, os-family=centos}, job={loglevel=DEBUG, wasRetry=false, url=http://[machine-name].ntes.fr.sopra:4440/project/POC_HD/execution/follow/104, id=f62b6c64-b709-4b2b-92bc-86da34d4ee14, project=POC_HD, username=admin, retryAttempt=0, user.name=admin, name=test2, serverUUID=null, group=null, execid=104, serverUrl=http://[machine-name].ntes.fr.sopra:4440/}, secureOption={SALT_PASSWORD=****}, option={SALT_USER=[user], SALT_PASSWORD=****}}
[workflow] Begin step: 1,NodeDispatch
1: Workflow step executing: StepExecutionItem{type='NodeDispatch', keepgoingOnSuccess=false, hasFailureHandler=false}
preparing for sequential execution on 1 nodes
Executing command on node: [machine-name]-[user], NodeEntryImpl{tags=[[user], rundeck, POC_HD], attributes={osFamily=centos, tags=POC_HD, [user], rundeck, username=[user], osVersion=centos7, osArch=centos, ssh-authentification=privateKey, description=plateforme d'infrastructure du POC_HD, hostname=[machine-name].ntes.fr.sopra, nodename=[machine-name]-[user], ssh-keypath=/opt/rundeck/private_key/rundeckKey, osName=[machine-name]}, project='null'}
[workflow] beginExecuteNodeStep([machine-name]-[user]): NodeDispatch: StepExecutionItem{type='NodeDispatch', keepgoingOnSuccess=false, hasFailureHandler=false}
Using salt-api version: [org.rundeck.plugin.salt.version.SaltApiCapability@13e16bac]
Authenticating with salt-api endpoint: [https://[machine-name]:443/login]
SSL exception encountered, not retrying. peer not authenticated
Failed: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[workflow] finishExecuteNodeStep([machine-name]-[user]): NodeDispatch: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
1: Workflow step finished, result: Dispatch failed on 1 nodes: [[machine-name]-[user]: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]
[workflow] Finish step: 1,NodeDispatch
[workflow] Finish execution: rundeck-workflow-node-first: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [[machine-name]-[user]: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, Node failures: {[machine-name]-[user]=[COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, flow control: Continue, status: failed]
[Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [[machine-name]-[user]: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, Node failures: {[machine-name]-[user]=[COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, flow control: Continue, status: failed]
Execution failed: 104: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [[machine-name]-[user]: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, Node failures: {[machine-name]-[user]=[COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, flow control: Continue, status: failed]
I found that it was looking in the JRE's standard truststore location, rather than the one configured in Rundeck.
I have this same issue, very frustrating. For what it's worth, I am able to construct a curl from the command line (on my rundeck VM) and get a login token:
curl -k https://saltmaster.example.com:8000/login \
-H "Accept: application/json" \
-d username='blaketmiller' \
-d password='mypassword' \
-d eauth='pam'
And here's what I see on the salt master after doing that curl:
[INFO ] 172.16.208.199 - - [29/Jan/2016:13:43:54] "POST /login HTTP/1.1" 200 176 "" "curl/7.26.0"
Relevant bits from master.conf on salt master:
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key
external_auth:
  pam:
    blaketmiller:
      - .*
I'm really uncertain whether this is a plugin issue, a rundeck issue, or a config error. Is the SSLPeerUnverifiedException: peer not authenticated error implying that I need to just fully set up SSL on rundeck as well as on my salt master? That's inconvenient when I have a load balancer sitting in front of my app handling SSL offloading. Here's what I see on the salt master when the peer not auth'd error shows up:
SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
As far as I can tell rundeck is looking in the right place for the salt master's cert (/etc/rundeck/ssl/truststore) according to the config in /etc/rundeck/profile. Glad to see I'm not the only one experiencing this problem. I'll report back my findings if I figure it out, but I'd love to see some support from this plugin's maintainer on this issue. Hopefully it's not been abandoned.
In case it helps anyone else, adding my salt master's API cert to /etc/rundeck/ssl/truststore or /etc/rundeck/ssl/keystore did not work but adding the cert to the global Java keystore on the server did work. We use Oracle's (not OpenJDK) RPM to install JRE or JDK on CentOS and the default location for the global keystore is /usr/java/latest/jre/lib/security/cacerts (note that is the path whether using JRE or JDK because JDK includes JRE). The default keystore password is "changeit" without quotes. The default path to the keystore may differ on different Linux distros and of course Windows. Hope that helps.
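A diagnostic for the point made in this comment and in the earlier one (the rundeckd JVM consulting its own cacerts instead of Rundeck's truststore), added here as an example and not code from the thread or the plugin. It assumes the standard JSSE truststore lookup rule and keytool's listing format; the paths, Java options and the sample certificate are constructed.

```python
# Added example, not from the thread or the plugin: find out which truststore
# the rundeckd JVM really consults, and whether the salt-api certificate is in
# it, before editing any keystore. Paths and the sample PEM are constructed.
import base64
import hashlib
import os
import re
import shlex

def resolve_jvm_truststore(java_opts, java_home, exists=os.path.exists):
    """JSSE rule: an explicit -Djavax.net.ssl.trustStore wins; otherwise
    <java.home>/lib/security/jssecacerts if present, else cacerts.
    `exists` is injectable so the rule can be checked without a JDK."""
    for tok in shlex.split(java_opts):
        if tok.startswith("-Djavax.net.ssl.trustStore="):
            return tok.split("=", 1)[1]
    security = os.path.join(java_home, "lib", "security")
    jsse = os.path.join(security, "jssecacerts")
    return jsse if exists(jsse) else os.path.join(security, "cacerts")

def pem_fingerprint_sha256(pem):
    """SHA-256 of the DER inside a PEM block, in keytool's AA:BB:... form."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def keystore_fingerprints(keytool_output):
    """SHA-256 fingerprints from `keytool -list [-v]` output; accepts both the
    '(SHA-256):' and the verbose 'SHA256:' spellings."""
    return set(re.findall(r"SHA-?256\)?:\s*([0-9A-F:]{95})", keytool_output))

def truststore_trusts(pem, keytool_output):
    """True when the certificate's fingerprint appears in the listing."""
    return pem_fingerprint_sha256(pem) in keystore_fingerprints(keytool_output)

# Constructed stand-in for a certificate: base64 of arbitrary bytes, not real
# X.509, which is enough to demonstrate fingerprint matching.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed salt-api certificate").decode()
              + "\n-----END CERTIFICATE-----\n")
if __name__ == "__main__":
    # Without the property the JVM uses the JRE cacerts, not /etc/rundeck/ssl/truststore.
    print(resolve_jvm_truststore("-Xmx1g", "/usr/java/latest/jre", lambda p: False))
    listing = "Certificate fingerprint (SHA-256): " + pem_fingerprint_sha256(SAMPLE_PEM)
    print(truststore_trusts(SAMPLE_PEM, listing))
```

Feed `keystore_fingerprints` the output of `keytool -list -v -keystore <path> -storepass changeit`; on Java 8 the non-verbose listing only shows SHA1, so `-v` is needed there.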
centos7:
cd /etc/pki/tls/certs
make testcert
cd ../private/
openssl rsa -in localhost.key -out localhost_nopass.key
# the cert is in ../certs relative to /etc/pki/tls/private
keytool -import -alias local -file ../certs/localhost.crt -keystore /etc/pki/ca-trust/extracted/java/cacerts
passwd is changeit
/etc/salt/master.d/api.conf:
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost_nopass.key
Hi rhinuxx,
should I make the below changes on the rundeck server or the salt master server? Please help me.
centos7:
cd /etc/pki/tls/certs
make testcert
cd ../private/
openssl rsa -in localhost.key -out localhost_nopass.key
# the cert is in ../certs relative to /etc/pki/tls/private
keytool -import -alias local -file ../certs/localhost.crt -keystore /etc/pki/ca-trust/extracted/java/cacerts
passwd is changeit
/etc/salt/master.d/api.conf:
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost_nopass.key
Hi,
I had some issues with the keystore password and @rhinuxx's solution.
So, here is my solution:
salt-call --local tls.create_self_signed_cert
openssl x509 -in /etc/pki/tls/certs/localhost.crt -out /etc/ssl/certs/localhost.pem -outform PEM
update-ca-certificates -f
# checking
keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep -A5 localhost
edit: OK, sorry, in fact I also had to do @rhinuxx's trick to get it to work, plus:
service rundeckd restart
@ghost: you may need to add host: localhost in your api.conf. Then, do not forget to restart the salt-master and salt-api services.
Hi,
I'm trying to use your plugin to run salt commands, but I'm facing this problem when I run the job: Failed: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Salt version: 2015.5.5 (Lithium), Rundeck version: 2.6.0-1
salt-api.conf:
rest_cherrypy:
  port: 8000
  host: 0.0.0.0
  ssl_crt: /etc/ssl/certs/salt-api-cert.pem
  ssl_key: /etc/ssl/certs/salt-api-key.pem
  debug: True
I'm trying to use a self-signed certificate.
Do you have any idea what could cause that?
Is this plugin's development still alive?
Regards,