keycloak - SSL error: Certificates do not conform to algorithm constraints
I am running a Keycloak instance that connects to Amazon RDS Postgres with this docker command:
docker run --rm --name keycloak \
-p 9090:8080 -e KEYCLOAK_USER=xxx \
-e KEYCLOAK_PASSWORD=xxx \
-e DB_VENDOR=postgres \
-e DB_ADDR=mydb2.xxx.rds.amazonaws.com:5432 \
-e DB_USER=xxx \
-e DB_PASSWORD=xxx \
-e DB_DATABASE=keycloak \
jboss/keycloak:latest
but it cannot connect to the database:
05:18:54,776 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"keycloak-server.war\".undertow-deployment" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: Failed to connect to database
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
Caused by: org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=mydb2.xxx.us-east-1.rds.amazonaws.com. Usage was tls server"}}
I have confirmed the following:
- The RDS instance is up and the port is open. I checked it with psql.
- This happens with jboss/keycloak:7.0.1 and does not happen with jboss/keycloak:7.0.0. Version 7.0.0 works fine.
Why does this happen and how can I fix it?
This may be too broad a question, but I am not a Java person (I am mostly Python), so this is as narrow as I can make it.
This looks like a Java security issue. A different Java version is used (1.8 vs 11), so some tuning of java.security, or of the cipher configuration on the RDS side (if that is possible), may be needed:
You can compare and adjust the 7.0.1 java.security file:
$ docker run --rm -ti --entrypoint bash jboss/keycloak:7.0.1 \
-c 'cat /etc/java/java-11-openjdk/java-11-openjdk-*/conf/security/java.security | grep -v ^# | grep -v ^$'
$ docker run --rm -ti --entrypoint bash jboss/keycloak:7.0.0 \
-c 'cat /usr/lib/jvm/java-1.8.0-openjdk-*/jre/lib/security/java.security | grep -v ^# | grep -v ^$'
As mentioned, a different Java version is used.
This fails because the RSA key used by RDS is only 1024 bits long, while java.security only allows keys longer than 1024 bits.
Updating your RDS to the new certificate authority (rds-ca-2019) seems to produce longer keys and fix the problem.
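The key-size check behind "Algorithm constraints check failed on keysize limits" is driven by the jdk.certpath.disabledAlgorithms property in java.security, which carries entries of the form RSA keySize < N. The following script is an added example and not code from the question or the answer above: it joins the file's backslash-continued lines, extracts the smallest RSA key size the JDK will still accept, and tests whether a 1024-bit server key (the size named in the stack trace) passes. The two java.security fragments are constructed samples, one modelled on the upstream OpenJDK 11 default (RSA keySize < 1024) and one on a distribution-hardened build (RSA keySize < 2048); the file names, the sample contents and the helper names are assumptions. A 1024-bit key actually passes an upstream "< 1024" rule, so the trace above implies the 7.0.1 image's effective minimum is higher than 1024; the script reads that minimum from the file instead of guessing it.

```shell
#!/bin/sh
# Added example (not from the original post): read the RSA key-size floor that
# jdk.certpath.disabledAlgorithms imposes and test a given key size against it.

# Print the smallest RSA key size the constraint still accepts: N from
# "RSA keySize < N", or N+1 from "RSA keySize <= N". Prints 0 when the
# property carries no RSA key-size entry. $1 = path to a java.security file.
rsa_min_keysize() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*#/ { next }                      # skip comments
        line ~ /^[ \t]*jdk\.certpath\.disabledAlgorithms[ \t]*=/ {
            sub(/^[^=]*=/, "", line)                    # keep the value only
            n = split(line, parts, ",")
            min = 0
            for (i = 1; i <= n; i++) {
                p = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", p)          # trim each entry
                if (match(p, /^RSA keySize <= *[0-9]+/)) {
                    v = p; sub(/^RSA keySize <= */, "", v); min = v + 1
                } else if (match(p, /^RSA keySize < *[0-9]+/)) {
                    v = p; sub(/^RSA keySize < */, "", v); min = v + 0
                }
            }
            result = min                                # last definition wins
        }
        END { print result + 0 }
    ' "$1"
}

# Exit 0 if an RSA key of $2 bits passes the constraint in java.security $1.
rsa_key_allowed() {
    min=$(rsa_min_keysize "$1")
    [ "$2" -ge "$min" ]
}

# Constructed sample files (assumed content, written to a temp dir).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/upstream.java.security" <<'EOF'
# constructed sample modelled on an upstream OpenJDK 11 java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
EOF

cat > "$tmp/hardened.java.security" <<'EOF'
# constructed sample of a distribution-hardened java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224
EOF

# Report how each policy treats the 1024-bit RDS key from the stack trace.
for f in "$tmp/upstream.java.security" "$tmp/hardened.java.security"; do
    min=$(rsa_min_keysize "$f")
    if rsa_key_allowed "$f" 1024; then
        echo "$(basename "$f"): minimum RSA size $min, a 1024-bit server key is accepted"
    else
        echo "$(basename "$f"): minimum RSA size $min, a 1024-bit server key is REJECTED"
    fi
done
```

Point rsa_min_keysize at the real file dumped from the image (the cat commands in the answer above) to see which floor applies. To confirm the server side without Java, the key size of the RDS certificate can be read with openssl s_client -starttls postgres -connect host:5432 piped into openssl x509 -noout -text (this assumes OpenSSL 1.1.1 or newer, which added the postgres STARTTLS handler). Relaxing the keySize entry in java.security is a downgrade of the trust policy for every certificate the JVM validates, so re-keying the RDS certificate, as the answer suggests, is the fix to prefer.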