ssl - 我无法让 Rundeck 从 SSL 开始

Question

我使用 rpm 方法在一个新的 RHEL 7.7 机器上安装了 Rundeck。我可以使用 http 访问服务器，但是当我按照 docs 中的说明进行操作时，无法从浏览器或通过 curl localhost 访问服务器。
我收到的唯一错误是:

WARN SslContextFactory --- [           main] No supported ciphers from [SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,...(many more ciphers)
Grails application running at https://localhost:4443 in environment: production

curl localhost:4443
curl: (35) Peer reports it experienced an internal error.

配置文件的相关部分如下:
/etc/rundeck/配置文件:

RDECK_JVM="-Drundeck.jaaslogin=$JAAS_LOGIN \
           -Djava.security.auth.login.config=$JAAS_CONF \
           -Dloginmodule.name=$LOGIN_MODULE \
           -Drdeck.config=$RDECK_CONFIG \
           -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
           -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
           -Drundeck.server.serverDir=$RDECK_INSTALL \
           -Drdeck.projects=$RDECK_PROJECTS \
           -Drdeck.runlogs=$RUNDECK_LOGDIR \
           -Drundeck.config.location=$RDECK_CONFIG_FILE \
           -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
           -Drundeck.server.workDir=$RUNDECK_WORKDIR \
           -Dserver.http.port=$RDECK_HTTP_PORT \
           -Drdeck.base=$RDECK_BASE \
           -Djdk.tls.ephemeralDHKeySize=jdk8 \
           -Drundeck.rundeck.jetty.connector.ssl.excludedCipherSuites=SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_DSS_WITH_AES_128_GCM_SHA256"

#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"
#
# SSL Configuration - Uncomment the following to enable.  Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
  RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} -Dorg.eclipse.jetty.util.ssl.LEVEL=DEBUG"
fi

/etc/sysconfig/rundeckd:

export RUNDECK_WITH_SSL=true
export RDECK_HTTPS_PORT=4443

如果我将 export RDECK_JVM_OPTS="-Dserver.ssl.ciphers=SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" 添加到/etc/sysconfig/rundeckd 我得到以下信息:

[2020-03-29 09:01:51.533]  WARN config --- [           main] Weak cipher suite SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 enabled for SslContextFactory@1456dec8[provider=null,keyStore=file:///etc/rundeck/ssl/keystore,trustStore=file:///etc/rundeck/ssl/truststore]
Grails application running at https://localhost:4443 in environment: production

curl: (35) Peer reports it experienced an internal error.

其他配置:
/etc/rundeck/framework.properties:

framework.server.name = server-dns
framework.server.hostname = server-dns
framework.server.port = 4443
framework.server.url = https://server-dns
framework.rundeck.url = https://server-dns

/etc/rundeck/rundeck-config.properties:

grails.serverURL=https://server-dns:4443

存在 keystore 和信任库，我尝试过自签名和真正的 crts。
我在这里不知所措。我遵循了互联网上的各种指南和建议，导致了我当前的(错误？)配置。
谢谢
编辑以修复帖子中的错误。

Answer 1

也许您需要在 ssl.properties 文件中引用您的 keystore /信任库(通常位于 /etc/rundeck/ssl/ssl.properties 路径)。我写了一个使用 SSL 设置 Rundeck 的小指南。

1.- 安装 Rundeck。

rpm -Uvh https://repo.rundeck.org/latest.rpm

yum install rundeck

2.- 创建 keystore :(如果您已经拥有 .key/.crt 或 .pk12 格式的证书，请跳至 2b)

keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

2b.- 如果您有自己的证书，请执行以下操作:

如果您有 .crt 和 .key 文件，请创建一个 .p12 文件:

openssl pkcs12 -export -in YOUR.crt -inkey YOUR.key -out NEW.p12

将其转换为 .jks (如果您只有 .p12 文件):

keytool -importkeystore -destkeystore keystore -srckeystore NEW.p12 -srcstoretype pkcs12

3.- 将 keystore 复制为信任库。

4.- 编辑/etc/rundeck/ssl/ssl.properties 文件:

keystore=/etc/rundeck/ssl/keystore
keystore.password=password
key.password=password
truststore=/etc/rundeck/ssl/truststore
truststore.password=password

5.- 编辑/etc/rundeck/framework.properties 文件:

framework.server.port = 4443
framework.server.url = https://localhost:4443

6.- 编辑/etc/rundeck/rundeck-config.properties 文件:

grails.serverURL=https://localhost:4443

7.- 编辑/创建/etc/sysconfig/rundeckd 文件:

export RUNDECK_WITH_SSL=true

8.-启动rundeck服务。

systemctl start rundeckd