Keycloak Keystore and Java Keystore with HTTPS -> redirect loop
I am getting a strange error with Keycloak built and run with Docker. This is my Docker Keycloak file. It uses a LetsEncrypt certificate with the .pem files changed into .crt and .key files, because the Keycloak keystore needs a tls.crt and a tls.key file.
docker run -d \
-v /etc/letsencrypt/live/ds-gym.de/tls.crt:/etc/x509/https/tls.crt \
-v /etc/letsencrypt/live/ds-gym.de/tls.key:/etc/x509/https/tls.key \
-e KEYCLOAK_USER=myadmin \
-e KEYCLOAK_PASSWORD=mypassword \
-p 8443:8443 jboss/keycloak
I run another docker container from the following file. Since I cannot import multiple files into the Java keystore, I converted the .crt and .key into a .der file, and also tried a .p12 file. Neither works.
FROM openjdk:8-jre
COPY certificate.pfx $JAVA_HOME/jre/lib/security/certificate.pfx
# The two steps must be chained with && so that keytool runs inside the security directory
# (-srcstorepass must be the password the .pfx was exported with)
RUN cd $JAVA_HOME/jre/lib/security && \
    keytool -importkeystore -srckeystore certificate.pfx -srcstorepass -changeit -srcstoretype pkcs12 -destkeystore cacerts -deststorepass changeit -deststoretype JKS
RUN mkdir -p /opt/shinyproxy/
RUN wget https://www.shinyproxy.io/downloads/shinyproxy-2.3.0.jar -O /opt/shinyproxy/shinyproxy.jar
COPY application.yml /opt/shinyproxy/application.yml
WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "/opt/shinyproxy/shinyproxy.jar"]
It is started with the following command:
sudo docker run -v /var/run/docker.sock:/var/run/docker.sock --net sp-example-net -p 5000:5000 shinyproxy-example
Nginx sits in front of the endpoints as a reverse proxy; it is set up like this:
location / {
    proxy_pass http://127.0.0.1:5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 600s;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
    proxy_pass https://127.0.0.1:8443;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 600s;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
I think the problem may be with the Java keystore I copy the .der/.p12 file into, but maybe it is also related to Keycloak. These are my errors:
In the browser I see this:
ERR_TOO_MANY_REDIRECTS
It is shown when starting the application.
2019-12-22 17:14:06.033 WARN 1 --- [ XNIO-2 task-6] a.a.ClientIdAndSecretCredentialsProvider : Client 'account' doesn't have secret available
2019-12-22 17:14:06.050 ERROR 1 --- [ XNIO-2 task-6] o.k.adapters.OAuthRequestAuthenticator : failed to turn code into token
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Can anyone help me import the certificate correctly?
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Most likely your Keycloak certificate /etc/letsencrypt/live/ds-gym.de/tls.crt does not contain the full certificate chain. This is a very common problem with LE certificates. ssllabs.com also reports chain problems for the ds-gym.de domain. Please fix the certificate (use the fullchain pem certificate format) and restart Keycloak.
At least that is one obvious problem in your setup.
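The answer's diagnosis, as an added example that is not part of the question or answer and not Keycloak or ShinyProxy code: a Go program that builds a constructed root -> intermediate -> leaf test PKI, then runs the same path-building check a JVM does (here with Go's crypto/x509 verifier) against a truststore holding only the root, first for a leaf-only tls.crt and then for a fullchain-style PEM. The CA names, the Ed25519 keys and the root-only truststore are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for name signed by parent (nil = self-signed root): a constructed test PKI, not Let's Encrypt.
func mkCert(name string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// pemOf renders one certificate as a PEM block, the format of tls.crt / fullchain.pem.
func pemOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
// ChainBuilds mirrors PKIX path building on what a server presents: first PEM block = leaf, later blocks = intermediates, path must end at a trusted root.
func ChainBuilds(served []byte, roots *x509.CertPool) error {
	block, rest := pem.Decode(served)
	if block == nil {
		return fmt.Errorf("no PEM block in served chain")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	inter.AppendCertsFromPEM(rest) // whatever follows the leaf in fullchain.pem; empty for a leaf-only tls.crt
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}
func main() {
	root, rootKey := mkCert("Test Root CA", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := mkCert("Test Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := mkCert("ds-gym.de", x509.KeyUsageDigitalSignature, inter, interKey)
	roots := x509.NewCertPool() // the truststore: only the root, as a JVM cacerts would hold
	roots.AddCert(root)
	// leaf-only: x509: certificate signed by unknown authority; fullchain: <nil>
	fmt.Println("leaf-only:", ChainBuilds(pemOf(leaf), roots), "| fullchain:", ChainBuilds(append(pemOf(leaf), pemOf(inter)...), roots))
}
```

The leaf-only case is the Java adapter's "unable to find valid certification path to requested target": the truststore has the root, but nothing presented links the leaf to it.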