
Keycloak SSL setup using docker image

I am trying to deploy keycloak using the docker image (https://hub.docker.com/r/jboss/keycloak/ version 4.5.0-Final) and am facing an issue with setting up SSL.

According to the docs:

Keycloak image allows you to specify both a private key and a certificate for serving HTTPS. In that case you need to provide two files:

  • tls.crt - a certificate
  • tls.key - a private key

Those files need to be mounted in /etc/x509/https directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it.

I followed the given steps and provided the volume mount setting with a folder containing the necessary files (tls.crt and tls.key), but I am facing issues with the SSL handshake, getting

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

error, blocking the keycloak load in the browser when trying to access it.

I have used letsencrypt to generate pem files and used openssl to create the .crt and .key files. I also tried just openssl to create those files to narrow down the issue, and the behavior is the same (some additional info, if this should matter).

By default, when I simply specify just the port binding -p 8443:8443 without specifying the cert volume mount /etc/x509/https, the keycloak server generates a self-signed certificate and I don't see any issue viewing the app in the browser.

I guess this might be more of a certificate creation issue than anything specific to keycloak, but I am unsure how to get this working. Any help is appreciated.

I also faced the issue of getting an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error, using the jboss/keycloak Docker image and free certificates from letsencrypt, even after considering the advice from the other comments. Now I have a working (and quite easy) setup, which might also help you.

1) Generate letsencrypt certificate

At first, I generated my letsencrypt certificate for the domain sub.example.com using certbot. You can find detailed instructions and alternative ways to obtain a certificate at https://certbot.eff.org/ and the user guide at https://certbot.eff.org/docs/using.html.

$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): sub.example.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub.example.com/privkey.pem
   Your cert will expire on 2020-01-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

2) Prepare docker-compose environment

I use docker-compose to run keycloak via docker. The config and data files are stored in the path /srv/docker/keycloak/.

  • Folder config contains the docker-compose.yml
  • Folder data/certs contains the certificates I generated via letsencrypt
  • Folder data/keycloak_db is mapped to the database container to make its data persistent.

Put the certificate files in the right path

When I first had issues using the original letsencrypt certificates for keycloak, I tried the workaround of converting the certificates to another format, as mentioned in the comments of the former answers, which also failed. Eventually, I realized that my problem was caused by the permissions set on the mapped certificate files.

So, what worked for me is just to copy and rename the files provided by letsencrypt, and mount them into the container.

$ cp /etc/letsencrypt/live/sub.example.com/fullchain.pem /srv/docker/keycloak/data/certs/tls.crt
$ cp /etc/letsencrypt/live/sub.example.com/privkey.pem /srv/docker/keycloak/data/certs/tls.key
$ chmod 755 /srv/docker/keycloak/data/certs/
$ chmod 604 /srv/docker/keycloak/data/certs/*

docker-compose.yml

In my case, I needed to use the host network of my docker host. This is not best practice and should not be required in your case. Please find information about the configuration parameters in the documentation at hub.docker.com/r/jboss/keycloak/.

version: '3.7'

networks:
  default:
    external:
      name: host

services:
  keycloak:
    container_name: keycloak_app
    image: jboss/keycloak
    depends_on:
      - mariadb
    restart: always
    ports:
      - "8080:8080"
      - "8443:8443"
    volumes:
      - "/srv/docker/keycloak/data/certs/:/etc/x509/https"   # map certificates to container
    environment:
      KEYCLOAK_USER: <user>
      KEYCLOAK_PASSWORD: <pw>
      KEYCLOAK_HTTP_PORT: 8080
      KEYCLOAK_HTTPS_PORT: 8443
      KEYCLOAK_HOSTNAME: sub.example.com
      DB_VENDOR: mariadb
      DB_ADDR: localhost
      DB_USER: keycloak
      DB_PASSWORD: <pw>
    network_mode: host

  mariadb:
    container_name: keycloak_db
    image: mariadb
    volumes:
      - "/srv/docker/keycloak/data/keycloak_db:/var/lib/mysql"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: <pw>
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: <pw>
    network_mode: host

Final directory setup

This is how my final file and folder setup looks.

$ cd /srv/docker/keycloak/
$ tree
.
├── config
│   └── docker-compose.yml
└── data
    ├── certs
    │   ├── tls.crt
    │   └── tls.key
    └── keycloak_db

Start container

Finally, I was able to start my software using docker-compose.

$ cd /srv/docker/keycloak/config/
$ sudo docker-compose up -d

We can double-check the mounted certificates within the container.

## open internal shell of keycloak container
$ sudo docker exec -it keycloak_app /bin/bash

## open directory of certificates
$ cd /etc/x509/https/
$ ll
-rw----r-- 1 root root 3586 Oct 30 14:21 tls.crt
-rw----r-- 1 root root 1708 Oct 30 14:20 tls.key

Considering the setup from the docker-compose.yml, keycloak is now available at https://sub.example.com:8443

After some research the following method worked (for self-signed certs; I still have to figure out how to do this with the letsencrypt CA for prod).

Generate a self-signed cert using keytool:

keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950

Convert .jks to .p12:

keytool -importkeystore -srckeystore keycloak.jks -destkeystore keycloak.p12 -deststoretype PKCS12

Generate .crt from the .p12 keystore:

openssl pkcs12 -in keycloak.p12 -nokeys -out tls.crt

Generate .key from the .p12 keystore:

openssl pkcs12 -in keycloak.p12 -nocerts -nodes -out tls.key

Then use the tls.crt and tls.key for the volume mount /etc/x509/https.

Also, on the app being secured, specify the following properties in the keycloak.json file:

"truststore" : "path/to/keycloak.jks",
"truststore-password" : "<jks-pwd>",

For anyone who is trying to run Keycloak with a passphrase-protected private key file:

Keycloak runs the script /opt/jboss/tools/x509.sh to generate the keystore based on the files provided in /etc/x509/https, as described in https://hub.docker.com/r/jboss/keycloak - Setting up TLS(SSL).

Unfortunately, this script takes no passphrase into account. But with a little modification at Docker build time you can fix it yourself. Within your Dockerfile add:

RUN sed -i -e 's/-out "${KEYSTORES_STORAGE}\/${PKCS12_KEYSTORE_FILE}" \\/-out "${KEYSTORES_STORAGE}\/${PKCS12_KEYSTORE_FILE}" \\\n      -passin pass:"${SERVER_KEYSTORE_PASSWORD}" \\/' /opt/jboss/tools/x509.sh

This command modifies the script and appends the parameter to pass in the passphrase: -passin pass:"${SERVER_KEYSTORE_PASSWORD}"

The value of the parameter is an environment variable which you are free to set: SERVER_KEYSTORE_PASSWORD

Tested with Keycloak 9.0.0
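As an added example that is not part of any of the answers above, a POSIX shell check for a tls.crt/tls.key pair before it is mounted into /etc/x509/https, covering the failure modes the three answers run into: a missing, non-PEM or mismatched certificate/key, a key the container user cannot read (the chmod step of the first answer), and a passphrase-protected key, which the stock x509.sh cannot convert (the last answer). It assumes the jboss/keycloak image runs as uid 1000 and that openssl is available on the host; the function and file names are the author's own.

```shell
#!/bin/sh
# Added example, not from the original answers. Sanity-checks a tls.crt/tls.key
# pair before mounting it into /etc/x509/https for the jboss/keycloak image.
# Assumption: the image runs as uid 1000, which is why a root-owned key must be
# readable by that user (the mode 604 in the first answer achieves this).

# Returns 0 when FILE is readable by "other" (mode ......r..), else 1.
key_world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# check_tls_pair CRT KEY: returns 0 when x509.sh can use the pair, else 1.
check_tls_pair() {
    crt=$1; key=$2
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # x509.sh feeds the files to openssl pkcs12, which expects PEM input
    grep -q 'BEGIN CERTIFICATE' "$crt" || { echo "$crt is not a PEM certificate"; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "$key is not a PEM private key"; return 1; }
    # the stock x509.sh passes no -passin, so an encrypted key breaks keystore creation
    if grep -q 'ENCRYPTED' "$key"; then
        echo "$key is passphrase-protected; x509.sh cannot convert it unmodified"
        return 1
    fi
    # a leaf without its intermediates makes browsers fail the chain check
    [ "$(grep -c 'BEGIN CERTIFICATE' "$crt")" -ge 2 ] \
        || echo "warning: $crt holds a single certificate; use fullchain.pem for CA-issued certs"
    # mode 604 works but exposes the key to every host user; owner uid 1000 + 640 is tighter
    key_world_readable "$key" \
        && echo "warning: $key is world-readable; prefer chown 1000 $key && chmod 640 $key"
    # cert and key must belong together: compare the public keys they carry
    if command -v openssl >/dev/null 2>&1; then
        crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
        [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
            || { echo "$crt and $key do not match"; return 1; }
    else
        echo "warning: openssl not found, skipped certificate/key match check"
    fi
    echo "ok: $crt and $key are ready for /etc/x509/https"
    return 0
}

# Usage: check_tls_pair /srv/docker/keycloak/data/certs/tls.crt /srv/docker/keycloak/data/certs/tls.key
```

Run it on the host as the user who copied the files; a non-zero exit means x509.sh would fail inside the container and Wildfly would come up without the intended certificate.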
