Note: This article is reproduced from stackoverflow.com.
Tags: ssl, jetty, sslhandshakeexception, rundeck

Rundeck job API: javax.net.ssl.SSLHandshakeException: no cipher suites in common

Published on 2020-04-07 10:19:20

Upgraded from Rundeck 3.0.2 (API v30) to 3.2.1 (API v34). Yum/RPM install, RHEL 7.

I configured SSL following the Rundeck documentation, modeling it after my existing working installation. SSL works fine via the web and works fine when I hit the job REST API using curl; however, when our MuleSoft application hits the REST API, it fails with a handshake_failure:

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp1539575645-26, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp1539575645-26, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
qtp1539575645-26, WRITE: TLSv1.2 Alert, length = 2
qtp1539575645-26, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

I confirmed that MuleSoft trusts the Rundeck server's cert. Previously I wasn't explicitly including/excluding any cipher suites in my Rundeck SSL config, but I forced MuleSoft to use a particular suite and then added that suite to /etc/sysconfig/rundeckd using the -Drundeck.jetty.connector.ssl.includedCipherSuites=(insert suite here) parameter; however, we still receive the "no cipher suites in common" error.

Adding the -Djavax.net.debug=ssl param to /etc/sysconfig/rundeckd adds the handshake details to service.log. I can see the list of excluded cipher suites, but I don't see confirmation that it's including the one(s) I added. I do see the param in the process details of the running JVM.

This feels like a client issue on MuleSoft's side, and we're reaching out to the vendor; however, I find it odd that when I explicitly include the cipher suite that the client is sending, it still doesn't see one in common. Perhaps I'm using -Drundeck.jetty.connector.ssl.includedCipherSuites incorrectly?

My /etc/sysconfig/rundeckd file that I'm testing with currently looks like this:

export RUNDECK_WITH_SSL=true
export RDECK_HTTPS_PORT=4443
RDECK_JVM_OPTS="-Drundeck.jaaslogin=true \
       -Djava.security.auth.login.config=/etc/rundeck/jaas-multiauth.conf \
       -Dloginmodule.name=multiauth \
       -Djavax.net.ssl.trustStore=/etc/rundeck/ssl/truststore \
       -Djavax.net.ssl.trustStoreType=jks \
       -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol \
       -Drundeck.jetty.connector.ssl.includedCipherSuites=TLS_RSA_WITH_AES_256_GCM_SHA384 \
       -Dorg.eclipse.jetty.util.ssl.LEVEL=DEBUG \
       -Djavax.net.debug=ssl"

Any thoughts are appreciated!

Questioner: Charlie
Charlie 2020-02-19 21:51

The issue was that the client, MuleSoft, required that the Rundeck server's SSL certificate had the 'KeyUsage=digitalSignature' extension. Adding this extension resolved the problem.
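The KeyUsage requirement above is what ties the certificate to the cipher-suite selection: in TLS 1.2, static RSA key exchange (the TLS_RSA_* suites) needs the keyEncipherment bit, while DHE_RSA, ECDHE_RSA and ECDHE_ECDSA suites need digitalSignature because the server signs the ServerKeyExchange, so a client that enforces KeyUsage drops every suite the certificate does not permit and reports "no cipher suites in common". The following added example (not code from the thread, Rundeck or Jetty) decodes the KeyUsage extension from a DER-encoded certificate and reports whether a given suite can be negotiated against it; the sample extension bytes are constructed for the demonstration.

```python
# Added example (not Rundeck or Jetty code): decode the X.509 KeyUsage extension from
# a DER certificate and report which TLS 1.2 cipher-suite families the server cert
# can serve. A strict client rejects suites whose key exchange the certificate's
# KeyUsage does not permit (RFC 5280 / RFC 5246), yielding "no cipher suites in common".

KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # OBJECT IDENTIFIER 2.5.29.15 (keyUsage)
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

def _tlv(buf, pos):
    """Read one DER TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_usage_from_der(der):
    """Set of KeyUsage names in a DER certificate (or a bare Extension), or None if absent.
    The extension is located by its OID bytes rather than by a full ASN.1 walk."""
    idx = der.find(KEY_USAGE_OID)
    if idx < 0:
        return None
    tag, value, pos = _tlv(der, idx + len(KEY_USAGE_OID))
    if tag == 0x01:                        # optional 'critical' BOOLEAN precedes extnValue
        tag, value, pos = _tlv(der, pos)
    if tag != 0x04 or value[:1] != b"\x03":
        raise ValueError("expected OCTET STRING wrapping a BIT STRING")
    _, bits, _ = _tlv(value, 0)
    unused, payload = bits[0], bits[1:]    # first octet = number of unused trailing bits
    total = min(len(payload) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(total)
            if payload[i // 8] & (0x80 >> (i % 8))}   # bit 0 is the MSB of the first octet

def can_negotiate(der, suite):
    """True if the certificate's KeyUsage allows the key exchange of a TLS 1.2 suite name."""
    usages = key_usage_from_der(der)
    if usages is None:                     # no KeyUsage extension: no restriction
        return True
    family = suite[4:].split("_WITH_")[0]  # e.g. TLS_ECDHE_RSA_WITH_... -> "ECDHE_RSA"
    if family == "RSA":                    # static RSA key exchange encrypts the premaster secret
        return "keyEncipherment" in usages
    return "digitalSignature" in usages    # (EC)DHE_*: server signs the ServerKeyExchange

# Constructed samples: Extension { keyUsage, critical TRUE, BIT STRING } with bits
# digitalSignature+keyEncipherment (05 a0) and keyEncipherment only (05 20).
CERT_SIGN_AND_ENC = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
CERT_ENC_ONLY = bytes.fromhex("300e0603551d0f0101ff040403020520")
```

To check a real server certificate, pass the bytes of a DER file (produced with `openssl x509 -in cert.pem -outform DER -out cert.der`) to `key_usage_from_der`; `openssl x509 -in cert.pem -noout -ext keyUsage` prints the same extension directly.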