[keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable

Sebastian Laskawiec slaskawi at redhat.com
Wed Oct 31 04:08:40 EDT 2018


Hey Meissa,

The warning you see does no harm. As you can see here [1], the message is
being thrown without stopping the script.

Pulling JDK CAs has been implemented somewhat ahead of time. I asked the
Cloud Enablement (and also other Red Hat teams) to put Kubernetes and
OpenShift CAs into JDK lib directory. This way Keycloak will trust the
OpenShift cluster out of the box. The warning you see clearly indicates
that this feature hasn't been implemented yet.

So the bottom line - please ignore this error. I'm pretty sure it will
disappear in the future (and if not, I'll just remove or disable this
feature).

Thanks,
Sebastian

[1]
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L88

On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho <msakho at redhat.com>
wrote:

> Hi Sebastian,
> Do you have any advice on this issue? It's related to the x509.sh script
> and I would really appreciate any input/help here.
> Meissa
> ---------- Forwarded message ---------
> From: Meissa M'baye Sakho <msakho at redhat.com>
> Date: Tue 30 Oct 2018 at 17:12
> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment
> variable
> To: keycloak-user <keycloak-user at lists.jboss.org>
>
>
> Hello everyone,
> I'm using the jboss/keycloak:4.5.0.Final docker image.
> I'm trying to set up Mutual TLS by using the X509_CA_BUNDLE environment
> variable as explained in the jboss/keycloak docker image documentation.
> I've mounted a volume to the image pointing to the cert file and defined
> the env variable.
> I'm running the image with the following command:
>
> docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
>   -e PROXY_ADDRESS_FORWARDING=true \
>   -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
>   -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
>   -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
>   -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
>   -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
>   jboss/keycloak:4.5.0.Final
>
>
> When the container starts, I've checked that the cert has been correctly
> mounted to the expected folder /var/run/secrets.
> But I see in the log that the certificate import fails (extract below):
>
> Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
> HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
> Creating Keycloak truststore..
> Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
> Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
> Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
> Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}
>
> I've checked the script that handles the TLS import [1], but I'm not
> able to guess why the import is failing.
>
> The following extract is the part of the script that is used by the image
> to import the cert:
> # Import existing system CA certificates into the newly generated truststore
> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
>   echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
>   keytool -importkeystore -noprompt \
>     -srckeystore "${SYSTEM_CACERTS}" \
>     -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>     -srcstoretype jks -deststoretype jks \
>     -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
>   if [ "$?" -ne "0" ]; then
>     echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>   else
>     echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
>   fi
>
> Any advice?
>
> [1]
> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh
>
> Meissa
>

