Keycloak SSL setup using docker image


Problem description

I am trying to deploy keycloak using the docker image (https://hub.docker.com/r/jboss/keycloak/ version 4.5.0-Final) and am facing an issue with setting up SSL.

According to the documentation:

Keycloak image allows you to specify both a private key and a certificate for serving HTTPS. In that case you need to provide two files:

tls.crt - a certificate
tls.key - a private key
Those files need to be mounted in /etc/x509/https directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it.

I followed the given steps and provided the volume mount setting with a folder containing the necessary files (tls.crt and tls.key), but I am facing issues with the SSL handshake, getting

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

error, which blocks keycloak from loading in the browser when trying to access it.

I have used letsencrypt to generate pem files and used openssl to create the .crt and .key files. I also tried just openssl to create those files to narrow down the issue, and the behavior is the same (some additional info, if this should matter):

By default, when I simply specify just the port binding -p 8443:8443 without specifying the cert volume mount /etc/x509/https, the keycloak server generates a self-signed certificate and I don't see any issue viewing the app in the browser.

I guess this might be more of a certificate creation issue than anything specific to keycloak, but I am unsure how to get this working. Any help is appreciated.

Answer

I also faced the issue of getting an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error, using the jboss/keycloak Docker image and free certificates from letsencrypt, even after considering the advice from the other comments. Now I have a working (and quite easy) setup, which might also help you.

At first, I generated my letsencrypt certificate for the domain sub.example.com using certbot. You can find detailed instructions and alternative ways to obtain a certificate at https://certbot.eff.org/ and in the user guide at https://certbot.eff.org/docs/using.html.

$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): sub.example.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub.example.com/privkey.pem
   Your cert will expire on 2020-01-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

2) Prepare docker-compose environment

I use docker-compose to run keycloak via docker. The config and data files are stored in the path /srv/docker/keycloak/.

  • Folder config contains the docker-compose.yml
  • Folder data/certs contains the certificates I generated via letsencrypt
  • Folder data/keycloak_db is mapped to the database container to make its data persistent.

When I first had issues using the original letsencrypt certificates for keycloak, I tried the workaround of converting the certificates to another format, as mentioned in the comments of the former answers, which also failed. Eventually, I realized that my problem was caused by the permissions set on the mapped certificate files.

So, what worked for me was to just copy and rename the files provided by letsencrypt, and mount them into the container.

$ cp /etc/letsencrypt/live/sub.example.com/fullchain.pem /srv/docker/keycloak/data/certs/tls.crt
$ cp /etc/letsencrypt/live/sub.example.com/privkey.pem /srv/docker/keycloak/data/certs/tls.key
$ chmod 755 /srv/docker/keycloak/data/certs/
$ chmod 604 /srv/docker/keycloak/data/certs/*
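The permission fix above works because the Keycloak process inside the image does not run as root, so the mounted files have to be readable by that user, not only by the root account that copied them. The following pre-flight checker is an added example (not code from the answer or from the jboss/keycloak project) that reproduces that reasoning on the host before the container is started: it assumes the container user is uid/gid 1000 (the jboss user in the image; confirm with `docker exec keycloak_app id`), judges readability from the mode bits rather than os.access() so that running it as root does not hide the problem, checks that each file starts with the expected PEM header, and flags that mode 604 leaves the private key world-readable on the host (owning the key by the container uid with mode 0400 is readable by the container just the same with a smaller exposure). The PEM files it creates are constructed placeholders, not real keys. To confirm the pair actually belongs together, compare the output of `openssl x509 -in tls.crt -noout -pubkey` with `openssl pkey -in tls.key -pubout`.

```python
"""Pre-flight check for the folder mounted at /etc/x509/https.

Added example, not from the original answer or the jboss/keycloak project.
Assumption: the container process runs as uid/gid 1000 (the jboss user in
the image). Verify with `docker exec keycloak_app id`.
"""
import os
import stat
import tempfile

CONTAINER_UID = 1000  # assumption: uid of the jboss user inside the image
CONTAINER_GID = 1000  # assumption: its primary gid

CERT_HEADER = b"-----BEGIN CERTIFICATE-----"
KEY_HEADERS = (
    b"-----BEGIN PRIVATE KEY-----",      # PKCS#8, what certbot's privkey.pem uses
    b"-----BEGIN RSA PRIVATE KEY-----",  # PKCS#1
    b"-----BEGIN EC PRIVATE KEY-----",   # SEC1
)
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def allowed(path, uid, gid, bits):
    """True if a process with this uid/gid has the permission described by
    bits=(owner_bit, group_bit, other_bit), judged from the mode bits alone.
    Unlike os.access() this is not short-circuited by running as root, so it
    reflects what the non-root container user will see. ACLs are ignored."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid == gid:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def first_line(path):
    with open(path, "rb") as fh:
        return fh.readline().strip()


def check_mount_dir(certs_dir, uid=CONTAINER_UID, gid=CONTAINER_GID):
    """Return (problems, warnings). An empty problems list means the image's
    entrypoint should be able to read both files and build its keystore."""
    problems, warnings = [], []
    # The directory needs the search (x) bit for the container user to enter it.
    if not allowed(certs_dir, uid, gid, SEARCH):
        problems.append("directory: not traversable by uid %d/gid %d" % (uid, gid))
    for name, headers in (("tls.crt", (CERT_HEADER,)), ("tls.key", KEY_HEADERS)):
        path = os.path.join(certs_dir, name)
        if not os.path.isfile(path):
            problems.append("%s: missing" % name)
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if not allowed(path, uid, gid, READ):
            problems.append("%s: not readable by uid %d/gid %d (mode %o)" % (name, uid, gid, mode))
        if first_line(path) not in headers:
            kind = "certificate" if name == "tls.crt" else "private key"
            problems.append("%s: does not start with a PEM %s header" % (name, kind))
        # Readable by the container is required; readable by everyone on the host is not.
        if name == "tls.key" and mode & stat.S_IROTH:
            warnings.append("tls.key: world-readable on the host; chown to uid %d and use mode 0400" % uid)
    return problems, warnings


def build_sample_dir(dir_mode, crt_mode, key_mode):
    """Create a throwaway folder with constructed placeholder PEM files
    (not real keys) so the checker can be exercised offline."""
    d = tempfile.mkdtemp(prefix="x509-")
    for name, header in (("tls.crt", CERT_HEADER), ("tls.key", KEY_HEADERS[0])):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(header + b"\nPLACEHOLDER\n")  # constructed, not a real key
    os.chmod(os.path.join(d, "tls.crt"), crt_mode)
    os.chmod(os.path.join(d, "tls.key"), key_mode)
    os.chmod(d, dir_mode)
    return d


def ids_for(own):
    """uid/gid of this process (own=True), or a pair that certainly does not
    own files created here (own=False), mimicking root-owned files seen by a
    non-root container user as in the answer."""
    uid, gid = os.getuid(), os.getgid()
    return (uid, gid) if own else (uid + 1, gid + 1)


if __name__ == "__main__":
    print("answer's layout (755 dir, 604 files):",
          check_mount_dir(build_sample_dir(0o755, 0o604, 0o604), *ids_for(False)))
    print("root-only key (600), the failing case:",
          check_mount_dir(build_sample_dir(0o755, 0o644, 0o600), *ids_for(False)))
    print("key 0400 owned by the container uid:",
          check_mount_dir(build_sample_dir(0o755, 0o644, 0o400), *ids_for(True)))
```

Run it on the real folder with `check_mount_dir("/srv/docker/keycloak/data/certs")`; a non-empty problems list is the host-side explanation for the handshake error before any certificate format conversion is attempted.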

docker-compose.yml

In my case, I needed to use the host network of the Docker host. This is not best practice, so it may not be necessary in your case either. Please find information about the configuration parameters at hub.docker.com/r/jboss/keycloak/.

version: '3.7'

networks:
  default:
    external:
      name: host

services:
  keycloak:
    container_name: keycloak_app
    image: jboss/keycloak
    depends_on:
      - mariadb
    restart: always
    ports:
      - "8080:8080"
      - "8443:8443"
    volumes:
      - "/srv/docker/keycloak/data/certs/:/etc/x509/https"   # map certificates to container
    environment:
      KEYCLOAK_USER: <user>
      KEYCLOAK_PASSWORD: <pw>
      KEYCLOAK_HTTP_PORT: 8080
      KEYCLOAK_HTTPS_PORT: 8443
      KEYCLOAK_HOSTNAME: sub.example.com
      DB_VENDOR: mariadb
      DB_ADDR: localhost
      DB_USER: keycloak
      DB_PASSWORD: <pw>
    network_mode: host

  mariadb:
    container_name: keycloak_db
    image: mariadb
    volumes:
      - "/srv/docker/keycloak/data/keycloak_db:/var/lib/mysql"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: <pw>
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: <pw>
    network_mode: host

Final directory setup

This is how my final file and folder setup looks.

$ cd /srv/docker/keycloak/
$ tree
.
├── config
│   └── docker-compose.yml
└── data
    ├── certs
    │   ├── tls.crt
    │   └── tls.key
    └── keycloak_db

Start the containers

Finally, I was able to start the software using docker-compose.

$ cd /srv/docker/keycloak/config/
$ sudo docker-compose up -d

We can double-check the mounted certificates within the container.

## open internal shell of keycloak container
$ sudo docker exec -it keycloak_app /bin/bash

## open directory of certificates
$ cd /etc/x509/https/
$ ll
-rw----r-- 1 root root 3586 Oct 30 14:21 tls.crt
-rw----r-- 1 root root 1708 Oct 30 14:20 tls.key

Considering the setup from the docker-compose.yml, keycloak is now available at https://sub.example.com:8443.
