10 Replies Latest reply on Jul 15, 2018 5:38 AM by ned_kelly

    HELP Setting up SSL with Keycloak

    ned_kelly

      Server ubuntu 18.04 64bit

      Keycloak standalone

       

      I would like to access keycloak via https://id.mydomain.com

       

I'm having trouble setting up SSL with Keycloak.

I've been trying to follow this guide https://www.keycloak.org/docs/3.0/server_installation/topics/network/https.html

But I find it confusing, and haven't got it working.

       

I used https://www.sslforfree.com/ to create free SSL certificates for my domain.

      It generated:
      > Certificate.crt

      > ca_bundle.crt

      > private.key

       

When generating the certs I put *.mydomain.com, hoping that would create a wildcard for all subdomains, correct?

       

      $ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq

I figure the above step is not needed because I already have certificates?

$ keytool -import -keystore keycloak.jks -file root.crt -alias root
Which of the 3 files I have is the root.crt?

      $ keytool -import -alias *.mydomain.com -keystore keycloak.jks -file your-certificate.cer

Should I be putting the *. ?
Again, not sure which of the 3 files I got to use here? Certificate.crt or ca_bundle.crt?

      <security-realm name="UndertowRealm">
         <server-identities>
         <ssl>
         <keystore path="~/keycloak.jks" relative-to="~/keycloak-4.1.0.Final/standalone/config" keystore-password="secret" />
         </ssl>
         </server-identities>
      </security-realm>

       

I'm guessing the realm name can be anything? Not sure why they have "UndertowRealm".
Do the path= & relative-to= directories look correct?

      <subsystem xmlns="urn:jboss:domain:undertow:3.0">
         <buffer-cache name="default"/>
         <server name="default-server">
         <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
        ...
      </subsystem>

       

Obviously the realm names need to match.

Any other changes? e.g. xmlns= ?

       

Finally, how do I make it so Keycloak is operating off id.mydomain.com, but not mydomain.com?

       

Very new to this, it's quite confusing.

      Thanks for the help.

        • 1. Re: HELP Setting up SSL with Keycloak
          ned_kelly

OK, I've made some progress and found a few of my mistakes.

I moved the keycloak.jks to the config folder and left the code as is (replaced "secret" with mypass):

          <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />

           

The next problem I'm having is with

          <subsystem xmlns="urn:jboss:domain:undertow:3.0">

          As the current standalone.xml has

          <subsystem xmlns="urn:jboss:domain:undertow:4.0">

And already has an "https-listener" on the "ApplicationRealm":

          <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

           

I've tried putting in two "https-listener" entries, but that created errors.

I get different errors when I only make the security realm change.

I could post the errors if you need them?

          • 2. Re: HELP Setting up SSL with Keycloak
            mchoma

You can replace ApplicationRealm with UndertowRealm. ApplicationRealm is the default https configuration. In your case you have your own certificate, so use UndertowRealm.

            • 3. Re: HELP Setting up SSL with Keycloak
              ned_kelly

Thanks SOOO MUCH for the reply.
I've been really stuck here, trying different things.
I will try your suggestion now, and post errors if I get any.

Just to be clear, still put

              <security-realm name="UndertowRealm">

                 <server-identities>

                 <ssl>

                 <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="mypass" />

                 </ssl>

                 </server-identities>

              </security-realm>

               

and replace AuthenticationRealm, resulting in:

<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>

              • 4. Re: HELP Setting up SSL with Keycloak
                ned_kelly

Unfortunately still some errors.

I replaced AuthenticationRealm with UndertowRealm:

                 

                <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>

                                <host name="default-host" alias="localhost">

                                    <location name="/" handler="welcome-content"/>

                                    <http-invoker security-realm="UndertowRealm"/>

                                </host>

                 

                Error log

                ---------

                12:08:22,373 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.UndertowRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.UndertowRealm.key-manager: Failed to start service

                at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)

                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

                at java.lang.Thread.run(Thread.java:748)

                Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys.

                at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:173)

                at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:131)

                at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)

                at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)

                at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)

                ... 3 more

                Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys.

                at org.jboss.as.domain.management.security.FileKeystore.assertContainsKey(FileKeystore.java:169)

                at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:120)

                at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:169)

                ... 7 more

                ------

                12:08:43,429 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([

                    ("core-service" => "management"),

                    ("security-realm" => "UndertowRealm")

                ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.UndertowRealm.key-manager" => "Failed to start service

                    Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys.

                    Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys."}}

                12:08:43,437 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([

                    ("core-service" => "management"),

                    ("security-realm" => "UndertowRealm")

                ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.UndertowRealm.key-manager" => "Failed to start service

                    Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys.

                    Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys."}}

                ----

                12:08:43,622 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 4.1.0.Final (WildFly Core 3.0.8.Final) started (with errors) in 29191ms - Started 540 of 884 services (5 services failed or missing dependencies, 607 services are lazy, passive or on-demand)

                ---------------------

                ---------------------

Now I noticed the error "keycloak.jks does not contain any keys",

so I looked into this:

                $ keytool -list -keystore keycloak.jks

                Keystore type: JKS

                Keystore provider: SUN

                Your keystore contains 2 entries

                root, Jul 13, 2018, trustedCertEntry,

                Certificate fingerprint (SHA1): E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19: (partially deleted for privacy)

                *.mydomain.com, Jul 13, 2018, trustedCertEntry,

                Certificate fingerprint (SHA1): 4A:C0:1E:AD:85:64:5A:52:1E:B6:D1:05:71: (partially deleted for privacy)

                 

                 

So, the keycloak.jks is not empty...?

Perhaps I loaded the certs in the wrong order?

I did:

                keytool -import -keystore keycloak.jks -file ~/.ssh/ca_bundle.crt -alias root

                keytool -import -alias *.mydomain.com -keystore keycloak.jks -file ~/.ssh/certificate.crt

                 

Thanks again for your help.

I feel really frustrated that something as essential as setting up SSL is so difficult.

 

I've been considering deploying Keycloak with Docker in the hope this SSL problem would be easier to solve? But I suspect it will still remain, with an extra layer of complication?

 

Is there a way to install SSL keys from inside the web admin page? Steps? (Sure would make life easier if possible.)

                • 5. Re: HELP Setting up SSL with Keycloak
                  mchoma

You need the private key in your keystore. Just follow the guide you referenced.

                  • 6. Re: HELP Setting up SSL with Keycloak
                    ned_kelly

Sorry, but I don't see instructions on how to put the "private.key" in using keytool?

                     

As mentioned, I did:

                    keytool -import -keystore keycloak.jks -file ~/.ssh/ca_bundle.crt -alias root

                    keytool -import -alias *.mydomain.com -keystore keycloak.jks -file ~/.ssh/certificate.crt

                     

The prior step "generate a Certificate Request:" seems unnecessary in my case, as I already have keys:

                    $ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq

                     

I used https://www.sslforfree.com/ (their site uses Let's Encrypt) to create free SSL certificates for my domain.

Which generated:
                    > Certificate.crt

                    > ca_bundle.crt

                    > private.key

                     

This is my first time setting up SSL.

                     

                    I tried this:

                    keytool -import -keystore keycloak.jks -file ~/.ssh/private.key

                    keytool error: java.lang.Exception: Input not an X.509 certificate

                     

Update: I've been trying for hours to convert this private.key into an X.509.

Really stuck...

                    • 7. Re: HELP Setting up SSL with Keycloak
                      mchoma

Sorry, I meant a self-signed certificate with keytool -genkey. Probably you should begin with this to see it just work, and then find a way to fill the keystore with the certificate authority.

                      • 8. Re: HELP Setting up SSL with Keycloak
                        ned_kelly

Before changing AuthenticationRealm, when signing in on https://mydomain.com:8443/auth Keycloak would already auto-generate self-signed keys.

I need CA keys working to remove warning messages, and start adding users.

I thought JBoss developed Keycloak?

Maybe I'm asking for help in the wrong place?

Is there a way of contacting the Keycloak dev team?

                         

                        Thanks for all your help Martin

                        • 9. Re: HELP Setting up SSL with Keycloak
                          ned_kelly

I've been working on this another full day, still stuck.

I've since created CA certs from 3 different sources.

The most recent of which was using certbot.

Trying to insert my privkey.pem results in an error:

                          keytool -import -keystore keycloak.jks -file ~/privkey.pem -alias root

                          "keytool error: java.lang.Exception: Input not an X.509 certificate"

                           

I found a thread with someone who was having the same problem and fixed it, but I'm not sure how he did it:

Certificates not found in keystore

                           

                          Could you please give me some steps on how that guy did what he did?

                          (creating a pkcs12 keystore with openssl for the certificate, private key and CA certificate and imported it into the JKS keystore)

                           

                          Thanks

                           

PS: Is this just an issue with the "standalone" deployment?
If I did the domain deployment, does this become easier?
Or maybe using a Docker image or something?

                          • 10. Re: HELP Setting up SSL with Keycloak
                            ned_kelly

                            FINALLY found a solution that worked.

I had tried various posts on creating a PKCS12 keystore to migrate into keycloak.jks; all had failed until now.

                             

                            How to Create a PKCS12 keystore from private key and public CA certificate & migrate into keycloak.jks

                             

                            Create a PKCS12 keystore

                            openssl pkcs12 -export -name server-cert -in CAcert.pem -inkey privatekey.pem -out serverkeystore.p12

                            Import newly created PKCS12 keystore into a JKS keystore

                            keytool -importkeystore -destkeystore keycloak.jks -srckeystore serverkeystore.p12 -srcstoretype pkcs12 -alias server-cert

                             

                            Credit to this thread

                            openssl - How to create keystore and truststore using self-signed certificate? - Unix & Linux Stack Exchange

                             

For Keycloak 4.1.0.Final the standalone.xml config needs the following:

                             

                            Search for the security-realms element and add:

                            <security-realm name="UndertowRealm">

                               <server-identities>

                               <ssl>

                               <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="mypass" />

                               </ssl>

                               </server-identities>

                            </security-realm>

                             

The entry "mypass" should match your keycloak.jks password.

                             

Find the element server name="default-server" and replace AuthenticationRealm in https-listener as below:

                            <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>

                                            <host name="default-host" alias="localhost">

                                                <location name="/" handler="welcome-content"/>

                                                <http-invoker security-realm="UndertowRealm"/>

                                            </host>

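An added worked example, not code from this thread or from the Keycloak project, that runs the procedure of reply 10 end to end and adds the check reply 5 was pointing at: the listing must show a PrivateKeyEntry, not only trustedCertEntry lines. It generates its own throwaway CA and wildcard leaf certificate in place of the ca_bundle.crt / certificate.crt / private.key a real CA would send (constructed stand-ins, so it runs offline), passes the CA bundle with -certfile so the served chain is complete (the one-liner in reply 10 omits that), and uses the password changeit and alias server-cert as assumptions. It assumes openssl and a JDK keytool on PATH; if keytool is missing it stops after building the PKCS12 file.

```shell
#!/bin/sh
# Build a PKCS12 from a CA-issued cert + private key, migrate it into a JKS,
# and verify the JKS actually holds a private key (the WFLYDM0083 failure mode).
# Assumptions: openssl + keytool on PATH, password "changeit", alias "server-cert".
set -eu

# Constructed stand-in for the files a CA sends: a throwaway root CA and a
# wildcard leaf signed by it. With a real CA you already have these three files.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca_bundle.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=*.mydomain.com" -keyout "$d/private.key" -out "$d/leaf.csr" 2>/dev/null
  # A wildcard only covers one label level, so list the apex explicitly too.
  printf 'subjectAltName=DNS:*.mydomain.com,DNS:mydomain.com\n' > "$d/san.ext"
  openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" \
      -CA "$d/ca_bundle.crt" -CAkey "$d/ca.key" -CAcreateserial \
      -extfile "$d/san.ext" -out "$d/certificate.crt" 2>/dev/null
}

# Step 1: bundle leaf cert + private key + CA chain into one PKCS12 entry.
# -in is the SERVER certificate; -certfile carries the CA bundle so the
# whole chain is served. keytool -import cannot take a bare private key.
build_pkcs12() {
  d=$1
  openssl pkcs12 -export -name server-cert \
      -in "$d/certificate.crt" -inkey "$d/private.key" -certfile "$d/ca_bundle.crt" \
      -passout pass:changeit -out "$d/serverkeystore.p12"
}

# Number of certificates inside the PKCS12 (leaf + CA = 2 here).
count_p12_certs() {
  openssl pkcs12 -in "$1/serverkeystore.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Step 2: migrate the PKCS12 entry into keycloak.jks. The key password stays
# equal to the store password; the <keystore keystore-password=".."/> element
# in standalone.xml has no separate key password, so they must match.
import_into_jks() {
  d=$1
  keytool -importkeystore -noprompt \
      -srckeystore "$d/serverkeystore.p12" -srcstoretype PKCS12 -srcstorepass changeit \
      -srcalias server-cert -destalias server-cert \
      -destkeystore "$d/keycloak.jks" -deststoretype JKS -deststorepass changeit
}

# Step 3: the check that would have caught the thread's problem early.
# A store with only trustedCertEntry lines triggers WFLYDM0083.
jks_has_private_key() {
  keytool -list -keystore "$1/keycloak.jks" -storepass changeit 2>/dev/null \
    | grep -q 'PrivateKeyEntry'
}

main() {
  w=$(mktemp -d)
  make_demo_chain "$w"
  build_pkcs12 "$w"
  echo "PKCS12 holds $(count_p12_certs "$w") certificate(s); 2 expected (leaf + CA)"
  if command -v keytool >/dev/null 2>&1; then
    import_into_jks "$w"
    if jks_has_private_key "$w"; then
      echo "keycloak.jks contains a PrivateKeyEntry: OK, copy it to standalone/configuration/"
    else
      echo "keycloak.jks has no PrivateKeyEntry; Keycloak will fail with WFLYDM0083" >&2
      exit 1
    fi
  else
    echo "keytool not found; stopped after building $w/serverkeystore.p12" >&2
  fi
}

main
```

With a real certificate, replace make_demo_chain with the three files from the CA and keep the rest; the -name/-srcalias value is free-form and need not be the hostname, so the "*.mydomain.com" alias question from the first post does not matter for the server identity. Use a password file or environment variable rather than pass: on a shared machine, since command lines are visible in the process list.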