keycloak - SSL error: Certificates do not conform to algorithm constraints

keycloak - SSL error: Certificates do not conform to algorithm constraints

我是 运行 使用此 docker 命令连接到 Amazon RDS Postgres 的密钥斗篷实例:

docker run --rm --name keycloak \
-p 9090:8080 -e KEYCLOAK_USER=xxx \
-e KEYCLOAK_PASSWORD=xxx \
-e DB_VENDOR=postgres \
-e DB_ADDR=mydb2.xxx.rds.amazonaws.com:5432 \
-e DB_USER=xxx \
-e DB_PASSWORD=xxx \
-e DB_DATABASE=keycloak \
jboss/keycloak:latest

但是无法连接到数据库:

05:18:54,776 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"keycloak-server.war\".undertow-deployment" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: Failed to connect to database
    Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    Caused by: org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints
    Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
    Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=mydb2.xxx.us-east-1.rds.amazonaws.com.  Usage was tls server"}}

我确定以下内容:

为什么会发生这种情况以及如何解决?

这可能是一个太宽泛的问题,但我不是 Java 人(我主要是 Python),所以这是我能做的尽可能窄的问题。

这似乎是 Java 安全问题。使用了不同的 Java 版本(1.8 vs 11),因此可能需要对 java.security 或 RDS 端的密码配置进行一些调整(如果可能的话):

您可以比较和调整 7.0.1 java.security 文件:

$ docker run --rm -ti --entrypoint bash jboss/keycloak:7.0.1 \
  -c 'cat /etc/java/java-11-openjdk/java-11-openjdk-*/conf/security/java.security | grep -v ^# | grep -v ^$'

$ docker run --rm -ti --entrypoint bash jboss/keycloak:7.0.0 \
  -c 'cat /usr/lib/jvm/java-1.8.0-openjdk-*/jre/lib/security/java.security | grep -v ^# | grep -v ^$'

中所述,使用了不同的Java版本。

这是失败的,因为 RDS 使用的 RSA 密钥只有 1024 位长,而 java.security 只允许超过 1024 位的密钥。

将您的 RDS 更新到新的证书颁发机构 (rds-ca-2019) 似乎可以创建更长的密钥并解决此问题。

AWS has documentation on how to do this.