
Keycloak 7.0.1 and MySQL (RDS) SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) for review

I start Keycloak 7.0.1 on a new MySQL 5.7 database.

This is the Kubernetes deployment:

    spec:
      containers:
      - env:
        - name: KEYCLOAK_USER
          value: admin
        - name: KEYCLOAK_PASSWORD
          value: password
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        - name: KEYCLOAK_LOGLEVEL
          value: INFO
        - name: DB_VENDOR
          value: mysql
        - name: DB_ADDR
          value: db.rds.amazonaws.com
        - name: DB_DATABASE
          value: keycloak
        - name: DB_SCHEMA
          value: keycloak
        - name: DB_PORT
          value: "3306"
        - name: DB_USER
          value: keycloak
        - name: DB_PASSWORD
          value: 789
        - name: JDBC_PARAMS
          value: character_set_server=utf8mb4&useUnicode=true&verifyServerCertificate=false&useSSL=true&requireSSL=true&allowPublicKeyRetrieval=true&serverTimezone=Europe/Paris
        image: jboss/keycloak:7.0.1

And the stack trace:

Added 'admin' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
-b 0.0.0.0
=========================================================================

  Using MySQL database

=========================================================================

19:29:43,163 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.9.1.Final
19:29:43,233 INFO  [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.8.Final
19:29:43,241 INFO  [org.jboss.threads] (CLI command executor) JBoss Threads version 2.3.3.Final
19:29:43,407 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 7.0.1 (WildFly Core 9.0.2.Final) starting
19:29:43,483 INFO  [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
19:29:44,245 INFO  [org.wildfly.security] (ServerService Thread Pool -- 19) ELY00001: WildFly Elytron version 1.9.1.Final
19:29:44,799 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
19:29:44,902 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
19:29:45,059 INFO  [org.jboss.as.patching] (MSC service thread 1-2) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
19:29:45,078 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
19:29:45,169 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
19:29:45,170 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 7.0.1 (WildFly Core 9.0.2.Final) started in 1998ms - Started 64 of 78 services (29 services are lazy, passive or on-demand)
The batch executed successfully
19:29:45,343 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 7.0.1 (WildFly Core 9.0.2.Final) stopped in 18ms
19:29:46,892 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.9.1.Final
19:29:46,965 INFO  [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.8.Final
19:29:46,984 INFO  [org.jboss.threads] (CLI command executor) JBoss Threads version 2.3.3.Final
19:29:47,148 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 7.0.1 (WildFly Core 9.0.2.Final) starting
19:29:47,232 INFO  [org.jboss.vfs] (MSC service thread 1-1) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
19:29:48,101 INFO  [org.wildfly.security] (ServerService Thread Pool -- 22) ELY00001: WildFly Elytron version 1.9.1.Final
19:29:49,023 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
19:29:49,111 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
19:29:49,254 INFO  [org.jboss.as.patching] (MSC service thread 1-2) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
19:29:49,264 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
19:29:49,365 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
19:29:49,370 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 7.0.1 (WildFly Core 9.0.2.Final) started in 2467ms - Started 64 of 85 services (36 services are lazy, passive or on-demand)
The batch executed successfully
19:29:49,569 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 7.0.1 (WildFly Core 9.0.2.Final) stopped in 20ms
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/jboss/keycloak

  JAVA: java

  JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED

=========================================================================

19:29:50,369 INFO  [org.jboss.modules] (main) JBoss Modules version 1.9.1.Final
19:29:50,895 INFO  [org.jboss.msc] (main) JBoss MSC version 1.4.8.Final
19:29:50,906 INFO  [org.jboss.threads] (main) JBoss Threads version 2.3.3.Final
19:29:51,047 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 7.0.1 (WildFly Core 9.0.2.Final) starting
19:29:51,162 INFO  [org.jboss.vfs] (MSC service thread 1-1) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
19:29:51,978 INFO  [org.wildfly.security] (ServerService Thread Pool -- 21) ELY00001: WildFly Elytron version 1.9.1.Final
19:29:52,813 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
19:29:52,885 INFO  [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 29) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
19:29:53,069 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
19:29:53,093 INFO  [org.xnio] (MSC service thread 1-2) XNIO version 3.7.2.Final
19:29:53,106 INFO  [org.xnio.nio] (MSC service thread 1-2) XNIO NIO Implementation Version 3.7.2.Final
19:29:53,153 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
19:29:53,159 INFO  [org.jboss.as.naming] (ServerService Thread Pool -- 52) WFLYNAM0001: Activating Naming Subsystem
19:29:53,169 INFO  [org.wildfly.extension.microprofile.config.smallrye._private] (ServerService Thread Pool -- 48) WFLYCONF0001: Activating WildFly MicroProfile Config Subsystem
19:29:53,170 INFO  [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 5.0.12.Final
19:29:53,175 WARN  [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: The node-identifier attribute on the /subsystem=transactions is set to the default value. This is a danger for environments running multiple servers. Please make sure the attribute value is unique.
19:29:53,170 INFO  [org.jboss.as.jaxrs] (ServerService Thread Pool -- 41) WFLYRS0016: RESTEasy version 3.7.0.Final
19:29:53,224 INFO  [org.wildfly.extension.microprofile.metrics.smallrye] (ServerService Thread Pool -- 50) WFLYMETRICS0001: Activating Eclipse MicroProfile Metrics Subsystem
19:29:53,250 INFO  [org.jboss.as.security] (ServerService Thread Pool -- 55) WFLYSEC0002: Activating Security Subsystem
19:29:53,259 INFO  [org.wildfly.extension.microprofile.health.smallrye] (ServerService Thread Pool -- 49) WFLYHEALTH0001: Activating Eclipse MicroProfile Health Subsystem
19:29:53,247 INFO  [org.wildfly.extension.io] (ServerService Thread Pool -- 40) WFLYIO001: Worker 'default' has auto-configured to 2 core threads with 16 task threads based on your 1 available processors
19:29:53,267 INFO  [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. JGroups version 4.0.19
19:29:53,282 INFO  [org.jboss.as.connector] (MSC service thread 1-2) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.4.16.Final)
19:29:53,328 INFO  [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 34) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.4)
19:29:53,450 INFO  [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 34) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
19:29:53,482 INFO  [org.jboss.as.security] (MSC service thread 1-1) WFLYSEC0001: Current PicketBox version=5.0.3.Final
19:29:53,521 WARN  [org.wildfly.clustering.web.undertow] (ServerService Thread Pool -- 58) WFLYCLWEBUT0007: No routing provider found for default-server; using legacy provider based on static configuration
19:29:53,576 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2
19:29:53,598 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 2.0.21.Final starting
19:29:53,598 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = mysql
19:29:53,648 INFO  [io.smallrye.metrics] (MSC service thread 1-2) Converted [2] config entries and added [4] replacements
19:29:53,651 INFO  [io.smallrye.metrics] (MSC service thread 1-2) Converted [3] config entries and added [18] replacements
19:29:53,640 INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path '/opt/jboss/keycloak/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
19:29:53,685 INFO  [org.jboss.as.ejb3] (MSC service thread 1-1) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 4 (per class), which is derived from the number of CPUs on this host.
19:29:53,696 INFO  [org.jboss.as.ejb3] (MSC service thread 1-2) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 16 (per class), which is derived from thread worker pool sizing.
19:29:53,697 INFO  [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
19:29:53,803 INFO  [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
19:29:54,048 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0012: Started server default-server.
19:29:54,108 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on 0.0.0.0:8080
19:29:54,108 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on 0.0.0.0:8009
19:29:54,112 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0018: Host default-host starting
19:29:54,154 INFO  [org.jboss.modcluster] (ServerService Thread Pool -- 60) MODCLUSTER000001: Initializing mod_cluster version 1.4.1.Final
19:29:54,167 INFO  [org.jboss.as.ejb3] (MSC service thread 1-1) WFLYEJB0493: EJB subsystem suspension complete
19:29:54,170 INFO  [org.jboss.modcluster] (ServerService Thread Pool -- 60) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
19:29:54,270 INFO  [org.jboss.as.patching] (MSC service thread 1-2) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
19:29:54,272 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
19:29:54,273 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
19:29:54,287 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-1) WFLYDM0111:
...
...
WFLYCLINF0002: Started work cache from keycloak container
19:29:59,495 WARN  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0273: Excluded subsystem webservices via jboss-deployment-structure.xml does not exist.
19:30:00,077 INFO  [org.keycloak.services] (ServerService Thread Pool -- 66) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
19:30:00,086 DEBUG [org.keycloak.provider.ProviderManager] (ServerService Thread Pool -- 66) Provider loaders [org.keycloak.provider.DefaultProviderLoaderFactory@33f94f36, org.keycloak.provider.FileSystemProviderLoaderFactory@381df96, org.keycloak.provider.wildfly.ModuleProviderLoaderFactory@15544a2]
19:30:00,087 DEBUG [org.keycloak.provider.FileSystemProviderLoaderFactory] (ServerService Thread Pool [org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProviderFactory] (ServerService Thread Pool -- 66) Liquibase lock provider configured with lockWaitTime: 900 seconds
19:30:00,395 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanStickySessionEncoderProviderFactory] (ServerService Thread Pool -- 66) Should attach route to the sticky session cookie: true
19:30:00,409 DEBUG [org.keycloak.services.DefaultKeycloakSessionFactory] (ServerService Thread Pool -- 66) SPI client-storage provider openshift-oauth-client disabled
19:30:00,411 DEBUG [org.keycloak.keys.infinispan.InfinispanPublicKeyStorageProviderFactory] (ServerService Thread Pool -- 66) minTimeBetweenRequests is 10
19:30:00,422 DEBUG [org.keycloak.services.DefaultKeycloakSessionFactory] (ServerService Thread Pool -- 66) Loaded SPI timer (provider = basic)
19:30:00,428 DEBUG [org.keycloak.services.DefaultKeycloakSessionFactory] (ServerService Thread Pool -- 66) Loaded SPI hostname (provider = request)
19:30:00,481 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started realmRevisions cache from keycloak container
19:30:00,487 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started userRevisions cache from keycloak container
19:30:00,499 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
19:30:00,501 DEBUG [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 66) Using container managed Infinispan cache container, lookup=java:jboss/infinispan/container/keycloak
19:30:00,502 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 66) Node name: keycloak-7569d49d7d-sjpwf, Site name: null
19:30:00,520 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (ServerService Thread Pool -- 66) new JtaTransactionWrapper
19:30:00,520 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (ServerService Thread Pool -- 66) was existing? false
19:30:00,541 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 66) Added package org.keycloak.connections.jpa.updater.liquibase.lock to liquibase
19:30:01,129 WARN  [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 66) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
    at org.jboss.ironjacamar.jdbcadapters@1.4.16.Final//org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345)
    at org.jboss.ironjacamar.jdbcadapters@1.4.16.Final//org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352)
    at org.jboss.ironjacamar.jdbcadapters@1.4.16.Final//org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287)
    at org.jboss.ironjacamar.impl@1.4.16.Final//org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1325)
    at org.jboss.ironjacamar.impl@1.4.16.Final//org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499)
    at org.jboss.ironjacamar.impl@1.4.16.Final//org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632)
    at org.jboss.ironjacamar.impl@1.4.16.Final//org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604)
    at org.jboss.ironjacamar.impl@1.4.16.Final//org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624)
    at org.jboss.ironjacamar.impl@1.4.16.Final//org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:440)
    at org.jboss.ironjacamar.impl@1.4.16.Final//org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789)
    at org.jboss.ironjacamar.jdbcadapters@1.4.16.Final//org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:151)
    at org.jboss.as.connector@17.0.1.Final//org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
    at org.keycloak.keycloak-model-jpa@7.0.1//org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
    at org.keycloak.keycloak-model-jpa@7.0.1//org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
    at org.keycloak.keycloak-model-jpa@7.0.1//org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$2(LiquibaseDBLockProvider.java:96)
    at org.keycloak.keycloak-server-spi-private@7.0.1//org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:682)
    at org.keycloak.keycloak-model-jpa@7.0.1//org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:94)
    at org.keycloak.keycloak-services@7.0.1//org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:144)
    at org.keycloak.keycloak-server-spi-private@7.0.1//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.keycloak-services@7.0.1//org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:137)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
    at org.jboss.resteasy.resteasy-jaxrs@3.7.0.Final//org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
    at org.jboss.resteasy.resteasy-jaxrs@3.7.0.Final//org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2784)
    at org.jboss.resteasy.resteasy-jaxrs@3.7.0.Final//org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:364)
    at org.jboss.resteasy.resteasy-jaxrs@3.7.0.Final//org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:277)
    at org.jboss.resteasy.resteasy-jaxrs@3.7.0.Final//org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:89)
    at org.jboss.resteasy.resteasy-jaxrs@3.7.0.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
    at org.jboss.resteasy.resteasy-jaxrs@3.7.0.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow@17.0.1.Final//org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:303)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:143)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:583)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:554)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow@17.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow@17.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow@17.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow@17.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow@17.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet@2.0.21.Final//io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
    at org.wildfly.extension.undertow@17.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
    at org.wildfly.extension.undertow@17.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.base/java.lang.Thread.run(Thread.java:834)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 117 milliseconds ago.  The last packet sent successfully to the server was 110 milliseconds ago.
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:990)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:201)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4912)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.MysqlIO.proceedHandshakeWithPluggableAuthentication(MysqlIO.java:1663)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1224)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.ConnectionImpl.coreConnect(ConnectionImpl.java:2190)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2221)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2016)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:776)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:47)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:386)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)
    at org.jboss.ironjacamar.jdbcadapters@1.4.16.Final//org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
    ... 55 more
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:169)
    at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98)
    at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:216)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
    at com.mysql.jdbc@5.1.46//com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:186)
    ... 71 more

19:30:01,145 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (ServerService Thread Pool -- 66) JtaTransactionWrapper rollback
19:30:01,150 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (ServerService Thread Pool -- 66) JtaTransactionWrapper end
19:30:01,158 INFO  [org.jboss.as.server] (Thread-1) WFLYSRV0220: Server shutdown has been requested via an OS signal

Do you think there is a configuration I do not see?

Since 7.0.1, Keycloak has switched to Red Hat UBI base images (registry.access.redhat.com/ubi8-minimal). In the Dockerfile it installs a version of OpenJDK 11 (11.0.5 currently) which contains a modified version of the java.security file under /etc/alternatives/jre/conf/security/ .

Switching to the standard OpenJDK-11 as the base image in https://github.com/keycloak/keycloak-containers/blob/7.0.1/server/Dockerfile fixes the issue:

FROM openjdk:11.0.5-jdk
ENV KEYCLOAK_VERSION 7.0.1
ENV JDBC_POSTGRES_VERSION 42.2.5
ENV JDBC_MYSQL_VERSION 5.1.46
ENV JDBC_MARIADB_VERSION 2.2.3
ENV JDBC_MSSQL_VERSION 7.4.1.jre8
ENV LAUNCH_JBOSS_IN_BACKGROUND 1
ENV PROXY_ADDRESS_FORWARDING false
ENV JBOSS_HOME /opt/jboss/keycloak
ENV LANG en_US.UTF-8

ARG GIT_REPO
ARG GIT_BRANCH
ARG KEYCLOAK_DIST=https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/keycloak-$KEYCLOAK_VERSION.tar.gz

USER root

ADD tools /opt/jboss/tools
RUN /opt/jboss/tools/build-keycloak.sh

USER 1000

EXPOSE 8080
EXPOSE 8443

ENTRYPOINT [ "/opt/jboss/tools/docker-entrypoint.sh" ]

CMD ["-b", "0.0.0.0"]

However, the OpenJDK image is larger and image scanning (at least in Google Cloud registry) reveals several vulnerabilities.

An alternative is to copy java.security from the standard OpenJDK image to Keycloak image or to a new image based on Keycloak:

FROM openjdk:11.0.5-jdk as openjdk
FROM jboss/keycloak:7.0.1

COPY --from=openjdk /usr/local/openjdk-11/conf/security/java.security /etc/alternatives/jre/conf/security/

This is a quick workaround. A more security-aware approach would be to compare the 2 versions of the file and introduce only minimal changes.

For keycloak 12.0.1 you still experience this problem when the database uses anything weaker than TLSv1.2. I think the problem occurs, because the RedHat UBI 8 image does not accept anything less than TLSv1.2. For more information check https://access.redhat.com/articles/3642912 .

Setting the crypto-policy to LEGACY, as the article suggests, did not work for me. Unchanged, the image uses the DEFAULT crypto-policy; you need to override the file /etc/crypto-policies/config with LEGACY. To check its contents, execute:

docker run --rm -ti --entrypoint bash jboss/keycloak:12.0.1 \
          -c 'cat /etc/crypto-policies/config'

What fixed it for me was the idea from John Georgladis's answer here. I am posting a complete working version here, as the code above did not work for me right away. Overriding java.security did not work either, particularly because of the line:

security.useSystemPropertiesFile=true

To check the contents of java.security file you could use:

docker run --rm -ti --entrypoint bash jboss/keycloak:12.0.1 \
      -c 'cat /etc/java/java-11-openjdk/java-11-openjdk-*/conf/security/java.security | grep -v ^# | grep -v ^$'

Using openjdk as the base image lowers the cryptographic expectations and allows TLSv1.0 or TLSv1.1. So, if you cannot upgrade your DB to use TLSv1.2 or above, you could build and ship Keycloak as below (for Keycloak 12.0.1).

The base for this script is taken from the current Keycloak 12.0.1 Dockerfile:

# First stage only supplies the build tools from the official image
FROM jboss/keycloak:12.0.1 as keycloak
# Upstream OpenJDK image: its java.security does not defer to /etc/crypto-policies
FROM openjdk:11.0.9-jdk

ENV KEYCLOAK_VERSION 12.0.1
ENV JDBC_POSTGRES_VERSION 42.2.5
ENV JDBC_MYSQL_VERSION 8.0.22
ENV JDBC_MARIADB_VERSION 2.5.4
ENV JDBC_MSSQL_VERSION 8.2.2.jre11

ENV LAUNCH_JBOSS_IN_BACKGROUND 1
ENV PROXY_ADDRESS_FORWARDING false
ENV JBOSS_HOME /opt/jboss/keycloak
ENV LANG en_US.UTF-8

ARG GIT_REPO
ARG GIT_BRANCH
ARG KEYCLOAK_DIST=https://github.com/keycloak/keycloak/releases/download/$KEYCLOAK_VERSION/keycloak-$KEYCLOAK_VERSION.tar.gz


USER root

COPY --from=keycloak /opt/jboss/tools /opt/jboss/tools
RUN /opt/jboss/tools/build-keycloak.sh


USER 1000

EXPOSE 8080
EXPOSE 8443

ENTRYPOINT [ "/opt/jboss/tools/docker-entrypoint.sh" ]

CMD ["-b", "0.0.0.0"]

You will need to tweak the java.security file. See the similar issue for RDS Postgres: keycloak - SSL error: Certificates do not conform to algorithm constraints
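Both answers come down to the same question: which TLS versions does the JVM in the image actually allow, once the Red Hat build's `security.useSystemPropertiesFile=true` has let the crypto-policies back-end file override `jdk.tls.disabledAlgorithms`? The script below is an added example, not code from either answer or from the Keycloak project. It parses java.security-style files (including the backslash line continuations the real file uses), applies the system-properties override the way the second answer describes, reports which TLS versions are enabled, and diffs two resolved configurations so you can make the "minimal changes" the first answer recommends instead of copying a whole file. The three embedded file contents are constructed approximations of the UBI8 java.security, the DEFAULT policy's Java back-end (assumed path /etc/crypto-policies/back-ends/java.config) and the upstream openjdk:11.0.5 java.security; check them against the real files in your image.

```python
"""Resolve the TLS protocols a JDK will allow from its java.security file and,
on Red Hat builds, the crypto-policies back-end file that overrides it; then
diff two resolved configurations.  Sample file contents are constructed
approximations, not copies of the real images' files."""

# Constructed approximation of the java.security in the UBI8 OpenJDK build
# (real path: /etc/alternatives/jre/conf/security/java.security).
UBI_JAVA_SECURITY = r"""
# Red Hat build: defer to the system-wide crypto policy
security.useSystemPropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# Constructed approximation of the DEFAULT policy's Java back-end
# (assumed path: /etc/crypto-policies/back-ends/java.config).
UBI_DEFAULT_POLICY_JAVA_CONFIG = r"""
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, \
    DHE_DSS, RSA_EXPORT, DH_anon, ECDH_anon, 3DES_EDE_CBC, DES_CBC, RC4_40, \
    RC4_128, DES40_CBC, RC2, HmacMD5
"""

# Constructed approximation of the upstream openjdk:11.0.5 java.security,
# which carries no security.useSystemPropertiesFile line at all.
OPENJDK_JAVA_SECURITY = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""


def parse_java_security(text):
    """Parse java.security-style properties: '#' comments, key=value pairs and
    trailing-backslash continuation lines, as the JDK's Properties loader does."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    if pending:
        key, _, value = pending.partition("=")
        props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props):
    """jdk.tls.disabledAlgorithms as a set of individual entries."""
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    return {entry.strip() for entry in raw.split(",") if entry.strip()}


def effective_properties(java_security, system_properties_file=None):
    """Resolve java.security the way the Red Hat build does: when
    security.useSystemPropertiesFile=true, entries from the crypto-policies
    back-end file replace the JDK's own values."""
    props = parse_java_security(java_security)
    use_system = props.get("security.useSystemPropertiesFile", "false").lower() == "true"
    if use_system and system_properties_file is not None:
        props.update(parse_java_security(system_properties_file))
    return props


def protocol_enabled(props, protocol):
    """A protocol is usable unless its exact name is in the disabled list."""
    return protocol not in disabled_algorithms(props)


def tls_status(props, protocols=("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")):
    return {p: protocol_enabled(props, p) for p in protocols}


def diff_properties(left, right):
    """Keys whose resolved value differs between two configurations."""
    keys = sorted(set(left) | set(right))
    return {k: (left.get(k), right.get(k)) for k in keys if left.get(k) != right.get(k)}


if __name__ == "__main__":
    ubi = effective_properties(UBI_JAVA_SECURITY, UBI_DEFAULT_POLICY_JAVA_CONFIG)
    vanilla = effective_properties(OPENJDK_JAVA_SECURITY)
    for label, props in (("ubi8 / DEFAULT policy", ubi), ("openjdk:11.0.5", vanilla)):
        print(label, tls_status(props))
    for key, (a, b) in diff_properties(ubi, vanilla).items():
        print(f"{key}:\n  ubi8:    {a}\n  openjdk: {b}")
```

Run it against the real files by reading them with the `docker run ... cat` commands from the answer above and passing the text to `effective_properties`. The resolver also shows why the second answer's java.security override failed: with `security.useSystemPropertiesFile=true` left in place, whatever you put in `jdk.tls.disabledAlgorithms` is replaced by the policy back-end, so TLSv1 and TLSv1.1 stay disabled. Two caveats before re-enabling old protocols at all: the question's JDBC_PARAMS already sets `verifyServerCertificate=false`, which switches off certificate validation for the RDS connection and is a separate weakness from the protocol mismatch; and if the database does speak TLSv1.2, making the JDBC driver negotiate it is the smaller change than loosening the JVM (Connector/J 5.1 has an `enabledTLSProtocols` connection property for this in later 5.1 releases; check the driver version you ship, since that is an assumption here rather than something the thread confirms).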
