Hello everyone,
I'm using the jboss/keycloak:4.5.0.Final docker image.
I'm trying to set up Mutual TLS by using the X509_CA_BUNDLE environment
variable as explained in the Jboss/keycloak docker image documentation.
I've mounted a volume to the image pointing to the cert file and defined
the env variable.
I'm running the image with the following command:
docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
  -e PROXY_ADDRESS_FORWARDING=true \
  -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
  -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
  -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
  -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
  -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
  jboss/keycloak:4.5.0.Final
When the container starts, I've checked that the cert has been correctly
mounted to the expected folder /var/run/secrets.
But I see in the log that the certificate import fails (extract below):
Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
Creating Keycloak truststore..
Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}
I've checked the script that handles the TLS import [1], but I'm not able
to guess why the import is failing.
The following extract is part of the script that is used by the image to
import the cert.
# Import existing system CA certificates into the newly generated truststore
# (extract from a function in the image's x509.sh; 'local' is valid only inside that function)
local SYSTEM_CACERTS=$(readlink -e "$(dirname "$(readlink -e "$(which keytool)")")/../lib/security/cacerts")
if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
    echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
    keytool -importkeystore -noprompt \
        -srckeystore "${SYSTEM_CACERTS}" \
        -destkeystore "${JKS_TRUSTSTORE_PATH}" \
        -srcstoretype jks -deststoretype jks \
        -storepass "${PASSWORD}" -srcstorepass "changeit" > /dev/null 2>&1
    # keytool exits 0 on success. The extract as posted tested "-ne 0" here,
    # which prints "Successfully" on failure and "Failed" on success.
    if [ "$?" -eq "0" ]; then
        echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
    else
        echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
    fi
fi
Any advice?
[1]=
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
Meissa
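As an added example (not the jboss/keycloak image's x509.sh and not the poster's code), the following script shows how a CA bundle such as the one passed via X509_CA_BUNDLE can be imported into a JKS truststore with the exit status checked the right way round: the bundle may hold several PEM certificates and keytool -importcert reads only the first certificate in a file, so each one is split out and imported under its own alias. The function names, the alias scheme and the sample bundle are constructed for this example and are not part of the image.

```shell
#!/usr/bin/env bash
# Added example, not the jboss/keycloak image's x509.sh: split a PEM CA bundle,
# import each certificate under its own alias, report success only on exit 0.
set -u

# Write each certificate of the PEM bundle $1 to $2/ca-N.pem; print the count.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$bundle"
}

# Import every certificate of bundle $1 into truststore $2 (password $3).
# Returns non-zero if any single import fails; needs keytool on PATH.
import_bundle() {
  local bundle="$1" truststore="$2" storepass="$3" tmp f i=0 rc=0
  tmp=$(mktemp -d)
  split_pem_bundle "$bundle" "$tmp" >/dev/null
  for f in "$tmp"/ca-*.pem; do
    i=$((i + 1))
    # A unique alias per certificate; reusing one makes keytool refuse the import.
    if keytool -importcert -noprompt -alias "bundle-ca-$i" -file "$f" \
         -keystore "$truststore" -storepass "$storepass" >/dev/null 2>&1; then
      echo "Imported $f as bundle-ca-$i"
    else
      echo "Failed to import $f (keytool exit status non-zero)" >&2
      rc=1
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# Constructed two-certificate bundle written to $1; the bodies are placeholders,
# not real certificates, so only the splitting step can be exercised with it.
make_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholder/not/a/real/certificate/one
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholder/not/a/real/certificate/two
-----END CERTIFICATE-----
EOF
  echo "$1"
}
```

After a real import, keytool -list -keystore truststore.jks -storepass <password> shows which bundle-ca-N aliases actually landed in the truststore, independent of what the startup log claims.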