
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Open sgrunt91 opened this issue 9 years ago • 7 comments

Hi,

I'm trying to use your plugin to run salt commands, but I'm facing this problem when I run the job: Failed: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Salt version: 2015.5.5 (Lithium)
Rundeck version: 2.6.0-1

salt-api.conf:

rest_cherrypy:
  port: 8000
  host: 0.0.0.0
  ssl_crt: /etc/ssl/certs/salt-api-cert.pem
  ssl_key: /etc/ssl/certs/salt-api-key.pem
  debug: True

I'm trying to use a self-signed certificate.

Do you have any idea what could cause that?

Is this plugin's development still alive?

Regards,

sgrunt91 avatar Nov 04 '15 15:11 sgrunt91

Hi, I have exactly the same problem. My conf:

Salt version: 2015.8.1
Rundeck version: 2.6.1

Salt-api configuration:

rest_cherrypy:
  port: 443
  debug: true
  ssl_key: /etc/salt/pki/key.pem
  ssl_crt: /etc/salt/pki/cert.pem

The certificate has been added to Rundeck's truststore.

The Salt-api is OK with Postman.

My API's endpoint is https://localhost:443/. We also tested with https://[machine_name]:443/

My debug logs from the Rundeck job:

[workflow] Begin execution: rundeck-workflow-node-first context: null
preparing for sequential execution on 1 nodes
Executing command on node: [machine_name]-[user], NodeEntryImpl{tags=[[user], rundeck, POC_HD], attributes={osFamily=centos, tags=POC_HD, [user], rundeck, username=[user], osVersion=centos7, osArch=centos, ssh-authentification=privateKey, description=plateforme d'infrastructure du POC_HD, hostname=[machine-name].ntes.fr.sopra, nodename=[machine-name]-[user], ssh-keypath=/opt/rundeck/private_key/rundeckKey, osName=[machine-name]}, project='null'}
NodeSet: MultiNodeSelector{nodenames=[[machine-name]-[user]]}
Workflow: com.dtolabs.rundeck.core.execution.workflow.StepFirstWorkflowStrategy$stepFirstWrapper@e7e4c04a
data context:  {node={tags=[user],rundeck,POC_HD, username=[user], os-version=centos7, ssh-authentification=privateKey, description=plateforme d'infrastructure du POC_HD, name=[machine-name]-[user], os-arch=centos, hostname=[machine-name].ntes.fr.sopra, os-name=[machine-name], ssh-keypath=/opt/rundeck/private_key/rundeckKey, os-family=centos}, job={loglevel=DEBUG, wasRetry=false, url=http://[machine-name].ntes.fr.sopra:4440/project/POC_HD/execution/follow/104, id=f62b6c64-b709-4b2b-92bc-86da34d4ee14, project=POC_HD, username=admin, retryAttempt=0, user.name=admin, name=test2, serverUUID=null, group=null, execid=104, serverUrl=http://[machine-name].ntes.fr.sopra:4440/}, secureOption={SALT_PASSWORD=****}, option={SALT_USER=[user], SALT_PASSWORD=****}}
[workflow] Begin step: 1,NodeDispatch
1: Workflow step executing: StepExecutionItem{type='NodeDispatch', keepgoingOnSuccess=false, hasFailureHandler=false}
preparing for sequential execution on 1 nodes
Executing command on node: [machine-name]-[user], NodeEntryImpl{tags=[[user], rundeck, POC_HD], attributes={osFamily=centos, tags=POC_HD, [user], rundeck, username=[user], osVersion=centos7, osArch=centos, ssh-authentification=privateKey, description=plateforme d'infrastructure du POC_HD, hostname=[machine-name].ntes.fr.sopra, nodename=[machine-name]-[user], ssh-keypath=/opt/rundeck/private_key/rundeckKey, osName=[machine-name]}, project='null'}
[workflow] beginExecuteNodeStep([machine-name]-[user]): NodeDispatch: StepExecutionItem{type='NodeDispatch', keepgoingOnSuccess=false, hasFailureHandler=false}
Using salt-api version: [org.rundeck.plugin.salt.version.SaltApiCapability@13e16bac]
Authenticating with salt-api endpoint: [https://[machine-name]:443/login]
SSL exception encountered, not retrying. peer not authenticated
Failed: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[workflow] finishExecuteNodeStep([machine-name]-[user]): NodeDispatch: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
1: Workflow step finished, result: Dispatch failed on 1 nodes: [[machine-name]-[user]: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]
[workflow] Finish step: 1,NodeDispatch
[workflow] Finish execution:  rundeck-workflow-node-first: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [[machine-name]-[user]: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, Node failures: {[machine-name]-[user]=[COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, flow control: Continue, status: failed]
[Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [[machine-name]-[user]: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, Node failures: {[machine-name]-[user]=[COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, flow control: Continue, status: failed]
Execution failed: 104: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [[machine-name]-[user]: COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, Node failures: {[machine-name]-[user]=[COMMUNICATION_FAILURE: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]}, flow control: Continue, status: failed] 

Machaux avatar Nov 17 '15 09:11 Machaux

I found that it was looking in the JRE's standard truststore location, rather than the one configured in Rundeck.

mglambet avatar Dec 15 '15 15:12 mglambet

I have this same issue, very frustrating. For what it's worth, I am able to construct a curl from command line (on my rundeck VM) and get a login token:

curl -k https://saltmaster.example.com:8000/login \
-H "Accept: application/json" \
-d username='blaketmiller' \
-d password='mypassword' \
-d eauth='pam'

And here's what I see on the salt master after doing that curl:

[INFO    ] 172.16.208.199 - - [29/Jan/2016:13:43:54] "POST /login HTTP/1.1" 200 176 "" "curl/7.26.0"

Relevant bits from master.conf on salt master:

rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key

external_auth:
  pam:
    blaketmiller:
      - .*

I'm really uncertain whether this is a plugin issue, a rundeck issue, or a config error. Is the SSLPeerUnverifiedException: peer not authenticated error implying that I need to just fully setup SSL on rundeck as well as on my salt master? That's inconvenient when I have a load balancer sitting in front of my app handling SSL offloading. Here's what I see on salt master when the peer not auth'd error shows up:

SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

As far as I can tell rundeck is looking in the right place for the salt master's cert (/etc/rundeck/ssl/truststore) according to the config in /etc/rundeck/profile. Glad to see I'm not the only one experiencing this problem. I'll report back my findings if I figure it out, but I'd love to see some support from this plugin's maintainer on this issue. Hopefully it's not been abandoned.

blaketmiller avatar Jan 29 '16 20:01 blaketmiller

In case it helps anyone else, adding my salt master's API cert to /etc/rundeck/ssl/truststore or /etc/rundeck/ssl/keystore did not work but adding the cert to the global Java keystore on the server did work. We use Oracle's (not OpenJDK) RPM to install JRE or JDK on CentOS and the default location for the global keystore is /usr/java/latest/jre/lib/security/cacerts (note that is the path whether using JRE or JDK because JDK includes JRE). The default keystore password is "changeit" without quotes. The default path to the keystore may differ on different Linux distros and of course Windows. Hope that helps.

pwhack avatar Feb 16 '16 00:02 pwhack
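The findings above boil down to one point: the JVM running rundeckd only trusts what is in the truststore it was actually started with, and when no javax.net.ssl.trustStore option is passed it falls back to the JRE's global cacerts. The following script is an added example, not code from the issue thread or from the plugin: it downloads the certificate that salt-api presents, imports it into a named truststore, checks the import, and verifies the peer with OpenSSL using only that certificate, so the plugin's client never needs an insecure flag. The hostname saltmaster.example.com, port 8000, the truststore path /etc/rundeck/ssl/truststore, the alias salt-api and the password changeit are assumptions (changeit is the Java default mentioned in the thread); they can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the issue thread or the plugin): make the salt-api
# certificate trusted by the truststore the Rundeck JVM actually consults,
# then verify the peer the way the plugin's HTTPS client would.
# Assumed values (override via the environment):
SALT_HOST="${SALT_HOST:-saltmaster.example.com}"      # assumed hostname
SALT_PORT="${SALT_PORT:-8000}"                         # assumed rest_cherrypy port
TRUSTSTORE="${TRUSTSTORE:-/etc/rundeck/ssl/truststore}" # assumed JKS path
STOREPASS="${STOREPASS:-changeit}"                     # Java default password
CERT_ALIAS="${CERT_ALIAS:-salt-api}"                   # assumed alias

# Build the JVM options that point a Java process at a specific truststore.
# Without these, the JVM falls back to the JRE's lib/security/cacerts, which
# is why adding the cert to the global cacerts "worked" for several posters.
truststore_jvm_opts() {
    printf '%s %s %s' \
        "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=$2" \
        "-Djavax.net.ssl.trustStoreType=jks"
}

# Read openssl s_client output on stdin and print the numeric value of its
# "Verify return code" line (0 means the chain verified against -CAfile;
# 18 is the self-signed case seen in this thread).
verify_code_from_s_client() {
    sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Fetch the leaf certificate the API actually presents. This only downloads
# it; nothing is trusted until the operator has compared the fingerprint.
fetch_peer_cert() {
    host="$1"; port="$2"; out="$3"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Print the SHA-256 fingerprint for out-of-band comparison, then import.
import_cert() {
    cert="$1"; store="$2"; pass="$3"; alias_="$4"
    openssl x509 -in "$cert" -noout -fingerprint -sha256
    keytool -importcert -noprompt -trustcacerts -alias "$alias_" \
        -file "$cert" -keystore "$store" -storepass "$pass"
}

# Confirm the alias now exists in the store the JVM is supposed to use.
alias_present() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Confirm OpenSSL verifies the peer chain using only the exported cert.
peer_verifies() {
    code=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$3" 2>/dev/null | verify_code_from_s_client)
    [ "$code" = "0" ]
}

main() {
    tmp=$(mktemp)
    fetch_peer_cert "$SALT_HOST" "$SALT_PORT" "$tmp"
    import_cert "$tmp" "$TRUSTSTORE" "$STOREPASS" "$CERT_ALIAS"
    alias_present "$TRUSTSTORE" "$STOREPASS" "$CERT_ALIAS" \
        && echo "alias $CERT_ALIAS present in $TRUSTSTORE"
    peer_verifies "$SALT_HOST" "$SALT_PORT" "$tmp" \
        && echo "peer verifies against $tmp"
    echo "JVM options to pass to rundeckd (e.g. via RDECK_JVM in /etc/rundeck/profile):"
    truststore_jvm_opts "$TRUSTSTORE" "$STOREPASS"; echo
    rm -f "$tmp"
}

# Only perform the network/keytool work when explicitly requested.
if [ -n "$RUN_MAIN" ]; then main; fi
```

Run it with RUN_MAIN=1 on the Rundeck host, then restart rundeckd. If the import succeeds but the plugin still reports peer not authenticated, the JVM is not being started with the options the script prints; checking `ps -o args -C java` for a javax.net.ssl.trustStore entry is the quickest way to tell which store is really in use.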

centos7:

cd /etc/pki/tls/certs
make testcert
cd ../private/
openssl rsa -in localhost.key -out localhost_nopass.key
# the cert lives in ../certs relative to /etc/pki/tls/private
keytool -import -alias local -file ../certs/localhost.crt -keystore /etc/pki/ca-trust/extracted/java/cacerts

passwd is changeit

/etc/salt/master.d/api.conf

rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost_nopass.key

rhinuxx avatar Feb 16 '16 10:02 rhinuxx

Hi rhinuxx

Should I make the changes below on the Rundeck server or on the salt master server? Please help me.

centos7:

cd /etc/pki/tls/certs
make testcert
cd ../private/
openssl rsa -in localhost.key -out localhost_nopass.key
# the cert lives in ../certs relative to /etc/pki/tls/private
keytool -import -alias local -file ../certs/localhost.crt -keystore /etc/pki/ca-trust/extracted/java/cacerts

passwd is changeit

/etc/salt/master.d/api.conf

rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost_nopass.key

ghost avatar Jun 22 '16 11:06 ghost

Hi,

I had some issues with the keystore password and @rhinuxx's solution.

So, here is my solution:

salt-call --local tls.create_self_signed_cert
openssl x509 -in /etc/pki/tls/certs/localhost.crt -out /etc/ssl/certs/localhost.pem -outform PEM
update-ca-certificates -f
# checking
keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep -A5 localhost

edit: OK, sorry, in fact I also had to do @rhinuxx's trick to get it to work, plus:

service rundeckd restart

@ghost: you may need to add host: localhost in your api.conf. Then, do not forget to restart the salt-master and salt-api services.

remyd1 avatar Aug 20 '21 14:08 remyd1