I run Keycloak built with Docker and run into a strange error. This is my Dockerfile for Keycloak. It uses the LetsEncrypt certificate; I changed the .pem files to .crt and .key files, since the Keycloak keystore needs a tls.crt and a tls.key file.
docker run -d \
-v /etc/letsencrypt/live/ds-gym.de/tls.crt:/etc/x509/https/tls.crt \
-v /etc/letsencrypt/live/ds-gym.de/tls.key:/etc/x509/https/tls.key \
-e KEYCLOAK_USER=myadmin \
-e KEYCLOAK_PASSWORD=mypassword \
-p 8443:8443 jboss/keycloak
I run another Docker container from the following file. Since I cannot import multiple files into the Java keystore, I converted the .crt and .key into a .der file and also tried a .p12 file. Neither worked.
FROM openjdk:8-jre
COPY certificate.pfx $JAVA_HOME/jre/lib/security/certificate.pfx
# the 'cd' and 'keytool' commands must be joined with '&&'; '-srcstorepass' takes the
# password value itself (assumed here to be changeit, as the original '-changeit' suggests)
RUN cd $JAVA_HOME/jre/lib/security && \
    keytool -importkeystore -srckeystore certificate.pfx -srcstorepass changeit -srcstoretype pkcs12 -destkeystore cacerts -deststorepass changeit -deststoretype JKS
RUN mkdir -p /opt/shinyproxy/
RUN wget https://www.shinyproxy.io/downloads/shinyproxy-2.3.0.jar -O /opt/shinyproxy/shinyproxy.jar
COPY application.yml /opt/shinyproxy/application.yml
WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "/opt/shinyproxy/shinyproxy.jar"]
It gets started by the following command:
sudo docker run -v /var/run/docker.sock:/var/run/docker.sock --net sp-example-net -p 5000:5000 shinyproxy-example
Nginx sits in front of the endpoints as a reverse proxy. This is how it is done:
location / {
    proxy_pass http://127.0.0.1:5000;
    # the repeated proxy_http_version / proxy_read_timeout lines were dropped:
    # nginx rejects a directive that appears twice in the same block
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 600s;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
    proxy_pass https://127.0.0.1:8443;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 600s;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
I guess there might be an issue with the Java keystore that I copy the .der/.p12 files into, but maybe it's also related to Keycloak. These are my errors:
On the browser I see this:
ERR_TOO_MANY_REDIRECTS
This shows up when starting the application.
2019-12-22 17:14:06.033 WARN 1 --- [ XNIO-2 task-6] a.a.ClientIdAndSecretCredentialsProvider : Client 'account' doesn't have secret available
2019-12-22 17:14:06.050 ERROR 1 --- [ XNIO-2 task-6] o.k.adapters.OAuthRequestAuthenticator : failed to turn code into token
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Can anyone help me import the certificates correctly?
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Very likely your Keycloak cert /etc/letsencrypt/live/ds-gym.de/tls.crt doesn't contain the full cert chain. It is a very common issue for LE certs. Also, ssllabs.com reports a chain issue for the ds-gym.de domain. Please fix the cert (use the fullchain pem cert format) and restart Keycloak.
At least this is one obvious problem in your setup.
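The following is an added example, not code from the question or the answer, that demonstrates the chain problem the answer describes and gives a check the asker can run against the mounted certificate. It builds a throwaway root, intermediate and leaf with openssl (all names are constructed placeholders; nothing here is ds-gym.de material), writes the two layouts certbot produces (cert.pem with the leaf only, fullchain.pem with leaf plus intermediate), and then validates each the way a Java client that trusts only the root would: the leaf-only bundle cannot be chained to the trust anchor, which is exactly the "unable to find valid certification path" condition, while the fullchain bundle passes. It assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build a constructed
# root -> intermediate -> leaf PKI and show why a server that presents only
# the leaf fails PKIX path building for a client that trusts just the root,
# while the fullchain.pem layout passes.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# minimal openssl config so 'req' works without the system openssl.cnf
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:auth.example.test
EOF

gen_pki() {
  # self-signed root: the trust anchor that sits in the client's truststore
  openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Example Root" -days 2 2>/dev/null
  # intermediate signed by the root (the role Let's Encrypt's issuing CA plays)
  openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout int.key \
    -out int.csr -subj "/CN=Example Intermediate" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile req.cnf -extensions v3_ca -out int.crt -days 2 2>/dev/null
  # server leaf signed by the intermediate
  openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=auth.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile req.cnf -extensions v3_leaf -out leaf.crt -days 2 2>/dev/null
  # the two layouts certbot writes: cert.pem (leaf only) and fullchain.pem
  cp leaf.crt cert.pem
  cat leaf.crt int.crt > fullchain.pem
}

# number of certificates in a PEM bundle; 1 means no chain is shipped at all
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# emulate the client side of the PKIX check: trust only the root and use
# whatever the server bundle contains as untrusted intermediates
verify_presented() {
  if openssl verify -CAfile root.crt -untrusted "$1" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

gen_pki
for bundle in cert.pem fullchain.pem; do
  printf '%-14s certs=%s verify=%s\n' "$bundle" \
    "$(cert_count "$bundle")" "$(verify_presented "$bundle")"
done
```

The same cert_count check applied to the file mounted into Keycloak tells you immediately whether the server can ever send a complete chain: a tls.crt copied from cert.pem yields 1, while fullchain.pem yields 2 or more. That is the difference between the adapter succeeding and the PKIX path-building error in the question.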