I installed Rundeck on a new RHEL 7.7 box, using the rpm method. I can access the server just fine with http, but when I follow the directions in the docs, the server is not accessible from browsers or by curling localhost. The only error I receive is:
WARN SslContextFactory --- [ main] No supported ciphers from [SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,...(many more ciphers)
Grails application running at https://localhost:4443 in environment: production
curl localhost:4443
curl: (35) Peer reports it experienced an internal error.
Relevant parts of the configuration files are as follows:
/etc/rundeck/profile:
RDECK_JVM="-Drundeck.jaaslogin=$JAAS_LOGIN \
-Djava.security.auth.login.config=$JAAS_CONF \
-Dloginmodule.name=$LOGIN_MODULE \
-Drdeck.config=$RDECK_CONFIG \
-Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
-Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
-Drundeck.server.serverDir=$RDECK_INSTALL \
-Drdeck.projects=$RDECK_PROJECTS \
-Drdeck.runlogs=$RUNDECK_LOGDIR \
-Drundeck.config.location=$RDECK_CONFIG_FILE \
-Djava.io.tmpdir=$RUNDECK_TEMPDIR \
-Drundeck.server.workDir=$RUNDECK_WORKDIR \
-Dserver.http.port=$RDECK_HTTP_PORT \
-Drdeck.base=$RDECK_BASE \
-Djdk.tls.ephemeralDHKeySize=jdk8 \
-Drundeck.rundeck.jetty.connector.ssl.excludedCipherSuites=SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_DSS_WITH_AES_128_GCM_SHA256"
#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"
#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} -Dorg.eclipse.jetty.util.ssl.LEVEL=DEBUG"
fi
/etc/sysconfig/rundeckd:
export RUNDECK_WITH_SSL=true
export RDECK_HTTPS_PORT=4443
If I add export RDECK_JVM_OPTS="-Dserver.ssl.ciphers=SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" to /etc/sysconfig/rundeckd I get the following:
[2020-03-29 09:01:51.533] WARN config --- [ main] Weak cipher suite SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 enabled for SslContextFactory@1456dec8[provider=null,keyStore=file:///etc/rundeck/ssl/keystore,trustStore=file:///etc/rundeck/ssl/truststore]
Grails application running at https://localhost:4443 in environment: production
curl: (35) Peer reports it experienced an internal error.
Other configurations: /etc/rundeck/framework.properties:
framework.server.name = server-dns
framework.server.hostname = server-dns
framework.server.port = 4443
framework.server.url = https://server-dns
framework.rundeck.url = https://server-dns
/etc/rundeck/rundeck-config.properties:
grails.serverURL=https://server-dns:4443
The keystore and truststore exist; I have attempted both self-signed and real certs. I'm at a loss here. I followed all sorts of guides and advice from the internet, leading to my current (mis?)configuration. Thanks
Edited to fix mistakes in the post.
Upvotes: 0
Views: 5503
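The "No supported ciphers" warning is what Jetty's SslContextFactory logs when, after applying the include list and then the exclude list, no cipher suite is left for the connector; with nothing to negotiate, the server aborts every handshake, which is consistent with curl's "Peer reports it experienced an internal error". Below is an added diagnostic (not code from the question, from Rundeck or from Jetty) that replays that selection against the JVM rundeckd runs on, using the first four entries of the question's exclude list as a constructed sample. It also reports configured names that the JVM does not list at all: cipher-suite names are spelled with different prefixes by different JDK providers (OpenJDK and Oracle JDK use TLS_, IBM's provider uses SSL_), so a list copied from one JDK's output can match nothing on another. The class name, and the assumption that entries are matched as the regular-expression patterns Jetty documents for its include/exclude lists, are mine.

```java
// Added diagnostic; not part of Rundeck, Jetty or the question above.
// Replays Jetty's cipher-suite selection (include list, then exclude list)
// against the suites this JVM supports, so an empty result is found before
// rundeckd is started. Run it with the same java binary rundeckd uses:
//   javac CipherCheck.java && java CipherCheck
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class CipherCheck {

    // Constructed sample: the first four entries of the excludedCipherSuites
    // value in the question's /etc/rundeck/profile. Paste the full value here
    // (or an includeCipherSuites value into INCLUDED) to check a real config.
    static final String EXCLUDED =
        "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,"
      + "SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";

    // An empty include list means "start from the JVM's enabled suites".
    static final String INCLUDED = "";

    static List<String> split(String csv) {
        List<String> out = new ArrayList<>();
        for (String s : csv.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    // Assumption: each entry is matched as a regular expression against the
    // whole suite name, as Jetty documents for its include/exclude lists.
    // A literal name therefore matches only itself.
    static boolean matchesAny(String suite, List<String> patterns) {
        for (String p : patterns) {
            if (Pattern.matches(p, suite)) return true;
        }
        return false;
    }

    static List<String> select(String[] enabled, String[] supported,
                               List<String> include, List<String> exclude) {
        List<String> selected = new ArrayList<>();
        if (include.isEmpty()) {
            selected.addAll(Arrays.asList(enabled));
        } else {
            for (String s : supported) {
                if (matchesAny(s, include)) selected.add(s);
            }
        }
        selected.removeIf(s -> matchesAny(s, exclude));
        return selected;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        Set<String> known = new HashSet<>(Arrays.asList(supported));

        List<String> include = split(INCLUDED);
        List<String> exclude = split(EXCLUDED);

        // 1. Literal names this JVM has never heard of. Excluding an unknown
        //    name changes nothing; including only unknown names leaves nothing.
        List<String> configured = new ArrayList<>(include);
        configured.addAll(exclude);
        for (String name : configured) {
            // Only literal names can be looked up; skip entries that are patterns.
            if (!name.matches("[A-Z0-9_]+")) continue;
            if (!known.contains(name)) System.out.println("not a suite of this JVM: " + name);
        }

        // 2. What the connector would be left with.
        List<String> selected = select(enabled, supported, include, exclude);
        System.out.println(selected.size() + " of " + supported.length
            + " supported suites remain after include/exclude");
        if (selected.isEmpty()) {
            System.out.println("empty selection: Jetty would log \"No supported ciphers\""
                + " and refuse every handshake");
        } else {
            for (String s : selected) System.out.println("  " + s);
        }
    }
}
```

If the tool prints every configured name as unknown and lists TLS_-prefixed suites as remaining, the exclude list was written for a different JDK's naming and the intended suites are still enabled; if it prints an empty selection, the lists remove everything the JVM offers and the connector cannot complete any handshake regardless of the keystore.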
There is an official guide for Rundeck:
The original answer is below:
Maybe you need to reference your keystore/truststore in the ssl.properties file (usually at the /etc/rundeck/ssl/ssl.properties path). I wrote a little guide to set up Rundeck with SSL.
rpm -Uvh https://repo.rundeck.org/latest.rpm
yum install rundeck

keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

If you have .crt and .key files, create a .p12 file:
openssl pkcs12 -export -in YOUR.crt -inkey YOUR.key -out NEW.p12

Convert it to a .jks (also if you have only the .p12 file):
keytool -importkeystore -destkeystore keystore -srckeystore NEW.p12 -srcstoretype pkcs12

keystore=/etc/rundeck/ssl/keystore
keystore.password=password
key.password=password
truststore=/etc/rundeck/ssl/truststore
truststore.password=password

framework.server.port = 4443
framework.server.url = https://localhost:4443

grails.serverURL=https://localhost:4443

export RUNDECK_WITH_SSL=true

systemctl start rundeckd
Upvotes: 1
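The keystore that ssl.properties points at must hold the server's private key and certificate as one entry that opens with key.password; that entry is what the keytool -genkey step, or the import of a .p12 that pairs the key with the certificate, creates, and a store that only received an imported .crt has nothing to present to a client. The following is an added check (not part of Rundeck or of this answer) that reads the five properties listed in the answer, opens both stores with the passwords given there, and lists the aliases usable as a server identity. The class name and the use of the JVM's default keystore type are assumptions of mine; Rundeck's own loading of these properties may differ.

```java
// Added check; not part of Rundeck or of the answer above.
// Opens the keystore and truststore named in ssl.properties with the
// passwords given there and confirms a private-key entry exists that the
// key password unlocks, which is what the HTTPS connector needs.
// Usage: javac SslPropertiesCheck.java && java SslPropertiesCheck /etc/rundeck/ssl/ssl.properties
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;

public class SslPropertiesCheck {

    // The keys used by the answer's ssl.properties.
    static final String[] REQUIRED = {
        "keystore", "keystore.password", "key.password", "truststore", "truststore.password"};

    static List<String> missingKeys(Properties p) {
        List<String> missing = new ArrayList<>();
        for (String k : REQUIRED) {
            String v = p.getProperty(k);
            if (v == null || v.trim().isEmpty()) missing.add(k);
        }
        return missing;
    }

    // Assumption: the store is in the JVM's default format (JKS on Java 8,
    // PKCS12 on Java 9+; both read each other's files on current JDKs).
    // A wrong store password surfaces here as an IOException from load().
    static KeyStore open(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Aliases that are key entries and whose private key opens with key.password.
    static List<String> usableKeyAliases(KeyStore ks, String keyPassword) throws Exception {
        List<String> ok = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;   // a bare certificate is not a server identity
            try {
                Key key = ks.getKey(alias, keyPassword.toCharArray());
                if (key != null) ok.add(alias);
            } catch (UnrecoverableKeyException bad) {
                System.out.println("alias " + alias + ": key.password does not open its key");
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        Path file = Paths.get(args.length > 0 ? args[0] : "/etc/rundeck/ssl/ssl.properties");
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            p.load(in);
        }

        List<String> missing = missingKeys(p);
        if (!missing.isEmpty()) {
            System.out.println("missing in " + file + ": " + missing);
            return;
        }

        KeyStore keystore = open(p.getProperty("keystore"), p.getProperty("keystore.password"));
        List<String> aliases = usableKeyAliases(keystore, p.getProperty("key.password"));
        System.out.println("private-key aliases usable by the connector: " + aliases);
        if (aliases.isEmpty()) {
            System.out.println("no usable PrivateKeyEntry: the store holds only certificates"
                + " (e.g. an imported .crt without its .key) or key.password is wrong");
        }

        KeyStore truststore = open(p.getProperty("truststore"), p.getProperty("truststore.password"));
        System.out.println("truststore entries: " + truststore.size());
    }
}
```

Run it with the same java binary rundeckd uses before systemctl start rundeckd; if it reports a usable alias and both stores open, the remaining places to look are the ports and URLs in framework.properties and rundeck-config.properties, which the answer sets to the same 4443 value.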