-
1. Re: HELP Setting up SSL with Keycloak
ned_kelly Jul 13, 2018 12:32 AM (in response to ned_kelly)
Ok, I've made some progress, and found a few of my mistakes.
I moved the keycloak.jks to the config folder and left the code as is (replaced "secret" with mypass):
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
The next problem I'm having is with
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
as the current standalone.xml has
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
and already has an "https-listener" on the ApplicationRealm:
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
I've tried putting in 2 "https-listener" entries, but that created errors.
I get different errors when I only make the security realm change.
I could post the errors if you guys need?
-
2. Re: HELP Setting up SSL with Keycloak
mchoma Jul 13, 2018 7:45 AM (in response to ned_kelly)
You can replace ApplicationRealm with UndertowRealm. ApplicationRealm is the default https configuration. In your case you have your own certificate, so use UndertowRealm.
-
3. Re: HELP Setting up SSL with Keycloak
ned_kelly Jul 13, 2018 7:55 AM (in response to mchoma)
Thanks SOOO MUCH for the reply.
I've been really stuck here, trying different things.
I will try your suggestion now, and post errors if I get any.
Just to be clear, still put
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="mypass" />
        </ssl>
    </server-identities>
</security-realm>
and replace AuthenticationRealm, resulting in:
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
-
4. Re: HELP Setting up SSL with Keycloak
ned_kelly Jul 13, 2018 9:04 AM (in response to ned_kelly)
Unfortunately still some errors.
I replaced AuthenticationRealm with UndertowRealm:
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
    <location name="/" handler="welcome-content"/>
    <http-invoker security-realm="UndertowRealm"/>
</host>
Error log
---------
12:08:22,373 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.UndertowRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.UndertowRealm.key-manager: Failed to start service
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys.
at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:173)
at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:131)
at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
... 3 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys.
at org.jboss.as.domain.management.security.FileKeystore.assertContainsKey(FileKeystore.java:169)
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:120)
at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:169)
... 7 more
------
12:08:43,429 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("core-service" => "management"),
("security-realm" => "UndertowRealm")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.UndertowRealm.key-manager" => "Failed to start service
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys.
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys."}}
12:08:43,437 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("core-service" => "management"),
("security-realm" => "UndertowRealm")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.UndertowRealm.key-manager" => "Failed to start service
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys.
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0083: The KeyStore /root/keycloak-4.1.0.Final/standalone/configuration/keycloak.jks does not contain any keys."}}
----
12:08:43,622 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 4.1.0.Final (WildFly Core 3.0.8.Final) started (with errors) in 29191ms - Started 540 of 884 services (5 services failed or missing dependencies, 607 services are lazy, passive or on-demand)
---------------------
Now I noticed the error "keycloak.jks does not contain any keys",
so I looked into this:
$ keytool -list -keystore keycloak.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
root, Jul 13, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19: (partially deleted for privacy)
*.mydomain.com, Jul 13, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 4A:C0:1E:AD:85:64:5A:52:1E:B6:D1:05:71: (partially deleted for privacy)
So, the keycloak.jks is not empty...?
Perhaps I loaded the certs in the wrong order?
I did:
keytool -import -keystore keycloak.jks -file ~/.ssh/ca_bundle.crt -alias root
keytool -import -alias *.mydomain.com -keystore keycloak.jks -file ~/.ssh/certificate.crt
Thanks again for your help.
I feel really frustrated that something so essential like setting up SSL is so difficult.
I've been considering deploying keycloak with docker in the hope this SSL problem would be easier to solve? But I suspect it will still remain, with an extra layer of complication?
Is there a way to install SSL keys from inside the web admin page? Steps? (Sure would make life easier if possible)
-
5. Re: HELP Setting up SSL with Keycloak
mchoma Jul 13, 2018 9:35 AM (in response to ned_kelly)
You need a private key in your keystore. Just follow the guide you have referenced.
-
6. Re: HELP Setting up SSL with Keycloak
ned_kelly Jul 13, 2018 12:37 PM (in response to mchoma)
Sorry, but I don't see instructions on how to put the "private.key" in using keytool?
As mentioned, I did:
keytool -import -keystore keycloak.jks -file ~/.ssh/ca_bundle.crt -alias root
keytool -import -alias *.mydomain.com -keystore keycloak.jks -file ~/.ssh/certificate.crt
The prior step "generate a Certificate Request:" seems unnecessary in my case as I already have keys:
$ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq
I used https://www.sslforfree.com/ (their site uses LetsEncrypt) to create free SSL certificates for my domain,
which generated:
> Certificate.crt
> ca_bundle.crt
> private.key
This is my first time setting up SSL.
I tried this:
keytool -import -keystore keycloak.jks -file ~/.ssh/private.key
keytool error: java.lang.Exception: Input not an X.509 certificate
Update: Been trying for hours to convert this private.key into an X.509.
Really stuck...
-
7. Re: HELP Setting up SSL with Keycloak
mchoma Jul 13, 2018 3:03 PM (in response to ned_kelly)
Sorry, I meant a self-signed certificate with keytool -genkey. Probably you should begin with this to see it just work. And then find a way to fill the keystore with the certificate authority.
-
8. Re: HELP Setting up SSL with Keycloak
ned_kelly Jul 13, 2018 9:13 PM (in response to mchoma)
Before changing AuthenticationRealm, when signing in on https://mydomain.com:8443/auth keycloak would already auto-generate self-signed keys.
I need CA keys working to remove the warning messages, and start adding users.
I thought JBoss developed keycloak?
Maybe I'm asking for help in the wrong place?
Is there a way of contacting the Keycloak dev team?
Thanks for all your help Martin
-
9. Re: HELP Setting up SSL with Keycloak
ned_kelly Jul 14, 2018 11:51 AM (in response to mchoma)
Been working on this another full day, still stuck.
I've since created CA certs from 3 different sources,
the most recent of which was using certbot.
Trying to insert my privkey.pem results in an error:
keytool -import -keystore keycloak.jks -file ~/privkey.pem -alias root
"keytool error: java.lang.Exception: Input not an X.509 certificate"
I found a thread with someone who was having the same problem who fixed it, but I'm not sure how he did it:
Certificates not found in keystore
Could you please give me some steps on how that guy did what he did?
(creating a pkcs12 keystore with openssl for the certificate, private key and CA certificate and importing it into the JKS keystore)
Thanks
PS: Is this just an issue with "standalone" deployment?
If I did the domain deployment, does this become easier?
Or maybe using a docker image or something?
-
10. Re: HELP Setting up SSL with Keycloak
ned_kelly Jul 15, 2018 5:38 AM (in response to ned_kelly)
FINALLY found a solution that worked.
I had tried various posts on creating a PKCS12 keystore to migrate into the keycloak.jks; all had failed until now.
How to create a PKCS12 keystore from a private key and public CA certificate & migrate it into keycloak.jks
Create a PKCS12 keystore:
openssl pkcs12 -export -name server-cert -in CAcert.pem -inkey privatekey.pem -out serverkeystore.p12
Import the newly created PKCS12 keystore into a JKS keystore:
keytool -importkeystore -destkeystore keycloak.jks -srckeystore serverkeystore.p12 -srcstoretype pkcs12 -alias server-cert
Credit to this thread
For Keycloak 4.1.0.Final the standalone.xml config needs the following.
Search for the security-realms element and add:
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="mypass" />
        </ssl>
    </server-identities>
</security-realm>
The entry "mypass" should match your keycloak.jks password.
Find the element server name="default-server" and replace AuthenticationRealm in https-listener as below:
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
    <location name="/" handler="welcome-content"/>
    <http-invoker security-realm="UndertowRealm"/>
</host>
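Added example, not code from the thread or from Keycloak: a POSIX shell script that performs the PKCS12-then-JKS migration from the post above and adds the check that the earlier WFLYDM0083 "does not contain any keys" error calls for, listing the keystore and confirming a PrivateKeyEntry is present (the keytool -list output in post 4 showed only trustedCertEntry items, which is why the realm failed to start). The file names privkey.pem/cert.pem/chain.pem, the alias server-cert and the password mypass are assumed; the demo input is a constructed throwaway self-signed pair standing in for the CA-issued files.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keycloak: bundle a PEM
# private key with its certificate chain into PKCS12, migrate it into
# keycloak.jks, and verify that the result lists a PrivateKeyEntry (a
# keystore holding only trustedCertEntry items is what produced the
# WFLYDM0083 "does not contain any keys" error earlier in the thread).
set -eu

# make_p12 KEY CERT CHAIN OUT PASS ALIAS: write a PKCS12 carrying key + chain.
# SHA1/3DES PBE is chosen only so that older keytool builds can read it.
make_p12() {
  openssl pkcs12 -export -name "$6" -in "$2" -inkey "$1" -certfile "$3" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$4" -passout "pass:$5"
}

# p12_to_jks P12 JKS PASS ALIAS: move the PKCS12 entry into a JKS keystore.
p12_to_jks() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$3" -srcalias "$4" \
    -destkeystore "$2" -deststoretype jks -deststorepass "$3" -destalias "$4" >/dev/null
}

# jks_has_private_key JKS PASS: succeed only if a PrivateKeyEntry is listed.
jks_has_private_key() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -q PrivateKeyEntry
}

# p12_has_private_key P12 PASS: succeed only if the PKCS12 carries a key.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# demo: run the flow on a constructed throwaway self-signed pair and print
# the work directory. certs-only.jks reproduces the thread's broken state
# (certificates imported with keytool -import, no private key).
demo() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mydomain.example" \
    -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  cp "$dir/cert.pem" "$dir/chain.pem"   # self-signed: the chain is the cert itself
  make_p12 "$dir/privkey.pem" "$dir/cert.pem" "$dir/chain.pem" "$dir/server.p12" mypass server-cert
  p12_has_private_key "$dir/server.p12" mypass
  if command -v keytool >/dev/null 2>&1; then
    p12_to_jks "$dir/server.p12" "$dir/keycloak.jks" mypass server-cert
    jks_has_private_key "$dir/keycloak.jks" mypass
    keytool -import -noprompt -storetype jks -alias root -file "$dir/cert.pem" \
      -keystore "$dir/certs-only.jks" -storepass mypass >/dev/null 2>&1
  fi
  echo "$dir"
}
```

Run `jks_has_private_key keycloak.jks mypass` against the real keystore before restarting Keycloak; if it fails, the UndertowRealm key-manager will fail with the same WFLYDM0083 error shown above.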