
I run Keycloak built with Docker and ran into a strange error. This is my Dockerfile for Keycloak. It uses the LetsEncrypt certificate; I changed the .pem files to .crt and .key files, since the Keycloak keystore needs a tls.crt and a tls.key file.

docker run  -d \
 -v /etc/letsencrypt/live/ds-gym.de/tls.crt:/etc/x509/https/tls.crt \
 -v /etc/letsencrypt/live/ds-gym.de/tls.key:/etc/x509/https/tls.key \
 -e KEYCLOAK_USER=myadmin \
 -e KEYCLOAK_PASSWORD=mypassword \
 -p 8443:8443 jboss/keycloak

I run another Docker container from the following file. Since I cannot import multiple files into the Java keystore, I converted the .crt and .key into a .der file and also tried a .p12 file. Both did not work.

FROM openjdk:8-jre

COPY certificate.pfx $JAVA_HOME/jre/lib/security/certificate.pfx

# The two commands must be chained with &&: without it the line is a single
# "cd" with extra arguments and keytool never runs (or the shell rejects it).
# -srcstorepass must match the password the .pfx was exported with; keytool
# takes the next token as the value, so as written that password is the
# literal string "-changeit".
RUN cd $JAVA_HOME/jre/lib/security && \
    keytool -importkeystore -srckeystore certificate.pfx -srcstorepass -changeit -srcstoretype pkcs12 -destkeystore cacerts -deststorepass changeit -deststoretype JKS

RUN mkdir -p /opt/shinyproxy/
RUN wget https://www.shinyproxy.io/downloads/shinyproxy-2.3.0.jar -O /opt/shinyproxy/shinyproxy.jar
COPY application.yml /opt/shinyproxy/application.yml

WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "/opt/shinyproxy/shinyproxy.jar"]

It gets started by the following command:

sudo docker run -v /var/run/docker.sock:/var/run/docker.sock --net sp-example-net -p 5000:5000 shinyproxy-example

Nginx sits in front of the endpoints as a reverse proxy. This is how it is done:

location / {
    proxy_pass          http://127.0.0.1:5000;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 600s;

    proxy_redirect    off;
    proxy_set_header  Host              $http_host;
    proxy_set_header  X-Real-IP         $remote_addr;
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
}

location /auth/ {
    proxy_pass          https://127.0.0.1:8443;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 600s;

    proxy_redirect    off;
    proxy_set_header  Host              $http_host;
    proxy_set_header  X-Real-IP         $remote_addr;
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
}

I guess there might be an issue with the Java keystore into which I copy the .der/.p12 files, but maybe it's also related to Keycloak. These are my errors:

On the browser I see this:

ERR_TOO_MANY_REDIRECTS

This shows up when starting the Application.

2019-12-22 17:14:06.033 WARN 1 --- [ XNIO-2 task-6] a.a.ClientIdAndSecretCredentialsProvider : Client 'account' doesn't have secret available
2019-12-22 17:14:06.050 ERROR 1 --- [ XNIO-2 task-6] o.k.adapters.OAuthRequestAuthenticator : failed to turn code into token

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Can anyone help me with how to correctly import the certificates?

Data Mastery

1 Answer


Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Very likely your Keycloak cert /etc/letsencrypt/live/ds-gym.de/tls.crt doesn't contain the full cert chain. It is a very common issue for LE certs. Also, ssllabs.com reports a chain issue for the ds-gym.de domain. Please fix the cert (use the fullchain PEM cert format) and restart Keycloak.

At least this is one obvious problem in your setup.

Jan Garaj
  • I added the fullchain.pem like this, is this correct? -v /etc/letsencrypt/live/ds-gym.de/fullchain.pem:/etc/x509/https/tls.crt \ -v /etc/letsencrypt/live/ds-gym.de/privkey.pem:/etc/x509/https/tls.key \ Getting a different error now :-( 17:22:56,513 WARN [org.keycloak.events] (default task-5) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.17.0.1, error=invalid_client_credentials, grant_type=authorization_code – Data Mastery Dec 25 '19 at 17:23
  • @DataMastery `invalid_client_credentials` is another issue - probably you have configured the wrong client secret in the shinyproxy config file or the OIDC client is not configured correctly – Jan Garaj Dec 25 '19 at 17:40
  • I guess it's a similar error, here are my logs: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (that is the error from shinyproxy). Anything wrong with the Dockerfile? You already were so helpful :-) – Data Mastery Dec 25 '19 at 17:50
  • @DataMastery Are you sure that the chain issue was fixed? https://www.ssllabs.com/ssltest/analyze.html?d=ds-gym.de still reports an incomplete cert chain. It looks like nginx serves https://ds-gym.de/ so the fullchain cert needs to be configured in the nginx conf. – Jan Garaj Dec 25 '19 at 17:54
  • Keycloak behind a reverse proxy also needs special config. Add `-e PROXY_ADDRESS_FORWARDING=true` to the Keycloak container. – Jan Garaj Dec 25 '19 at 17:59
  • I have got 4 certificates: cert.pem, chain.pem, fullchain.pem (which is cert.pem + chain.pem) and privkey.pem. In nginx it looks like this: ssl_certificate /etc/letsencrypt/live/ds-gym.de/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/ds-gym.de/privkey.pem; # managed by Certbot – Data Mastery Dec 25 '19 at 18:25
  • So nginx is correct? This `-e PROXY_ADDRESS_FORWARDING=true` helped a lot. The certificate was found. Now I'm finally here: Client 'shinyoid' doesn't have secret available. failed to turn code into token status from server: 400. At least no more path errors. – Data Mastery Dec 25 '19 at 18:41
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/204849/discussion-between-jan-garaj-and-data-mastery). – Jan Garaj Dec 25 '19 at 18:47
  • If anyone is interested: at the end it was a typo! The rest works fine. Jan Garaj helped me to find it :-) – Data Mastery Dec 26 '19 at 07:52
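As an added example (not code from the question, the answer or the ShinyProxy project), this shell script implements the check the answer recommends and the import the question asked about: it counts the certificate blocks in a PEM file to tell cert.pem from fullchain.pem, splits the chain into single certificates, and imports only the issuing CA certificates into a Java truststore with keytool, instead of importing a .pfx that carries the private key. The truststore path, the aliases and the placeholder PEM bodies are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or answer: tell cert.pem from fullchain.pem,
# split it, and import only the CA certs into a Java truststore. Paths, aliases and the placeholder PEM are assumptions.
set -eu
# Number of "BEGIN CERTIFICATE" blocks in a PEM file (0 when none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds only when the file carries the leaf plus at least one issuing CA.
is_full_chain() {
    [ "$(pem_cert_count "$1")" -ge 2 ]
}

# Write each certificate of $1 to $2/cert-N.pem (N from 1) and print the count.
split_pem_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }' "$1"
    pem_cert_count "$1"
}

# Import certs 2..N (the issuing chain) as trusted entries; the leaf and its
# private key stay with Keycloak, they do not belong in cacerts.
# Usage: import_chain_into_truststore fullchain.pem $JAVA_HOME/jre/lib/security/cacerts changeit
import_chain_into_truststore() {
    chain=$1; store=$2; storepass=$3
    workdir=$(mktemp -d)
    total=$(split_pem_chain "$chain" "$workdir")
    i=2
    while [ "$i" -le "$total" ]; do
        keytool -importcert -noprompt -trustcacerts -alias "le-chain-$i" \
            -file "$workdir/cert-$i.pem" -keystore "$store" -storepass "$storepass"
        i=$((i + 1))
    done
    rm -rf "$workdir"
}

# Constructed sample chain (placeholder bodies, not real certificates).
SAMPLE_CHAIN=$(mktemp)
cat > "$SAMPLE_CHAIN" <<'EOF'
-----BEGIN CERTIFICATE-----
constructed-leaf-placeholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
constructed-intermediate-placeholder
-----END CERTIFICATE-----
EOF
is_full_chain "$SAMPLE_CHAIN" && echo "full chain: $(pem_cert_count "$SAMPLE_CHAIN") certificates"
```

A cert.pem from certbot has one block and fails is_full_chain, which is the situation the answer describes; the same check run on a file written from `openssl s_client -showcerts` output tells you what nginx or Keycloak actually serves.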