Keycloak SSL setup using docker image
Question
I am trying to deploy keycloak using the docker image (https://hub.docker.com/r/jboss/keycloak/ version 4.5.0-Final) and am facing an issue with setting up SSL.
According to the documentation:
Keycloak image allows you to specify both a private key and a certificate for serving HTTPS. In that case you need to provide two files:
tls.crt - a certificate
tls.key - a private key
Those files need to be mounted in the /etc/x509/https directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it.
I followed the given steps and provided the volume mount setting with a folder containing the necessary files (tls.crt and tls.key), but I am facing issues with the SSL handshake, getting
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
error, blocking keycloak from loading in the browser when trying to access it.
I have used letsencrypt to generate pem files and used openssl to create the .crt and .key files. I also tried just openssl to create those files to narrow down the issue, and the behavior is the same (some additional info, if this should matter):
By default, when I simply specify just the port binding -p 8443:8443 without specifying the cert volume mount /etc/x509/https, the keycloak server generates a self-signed certificate and I don't see an issue in viewing the app in the browser.
I guess this might be more of a certificate creation issue than anything specific to keycloak, but I am unsure how to get this working. Any help is appreciated.
Answer
I also faced the issue of getting an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error, using the jboss/keycloak Docker image and free certificates from letsencrypt, even after considering the advice from the other comments. Now I have a working (and quite easy) setup, which might also help you.
At first, I generated my letsencrypt certificate for the domain sub.example.com using certbot. You can find detailed instructions and alternative ways to obtain a certificate at https://certbot.eff.org/ and in the user guide at https://certbot.eff.org/docs/using.html.
$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): sub.example.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub.example.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sub.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sub.example.com/privkey.pem
Your cert will expire on 2020-01-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
2) Prepare docker-compose environment
I use docker-compose to run keycloak via docker. The config and data files are stored in the path /srv/docker/keycloak/.
- Folder config contains the docker-compose.yml
- Folder data/certs contains the certificates I generated via letsencrypt
- Folder data/keycloak_db is mapped to the database container to make its data persistent.
When I first had issues using the original letsencrypt certificates for keycloak, I tried the workaround of converting the certificates to another format, as mentioned in the comments of the former answers, which also failed. Eventually, I realized that my problem was caused by the permissions set on the mapped certificate files.
So, what worked for me was just to copy and rename the files provided by letsencrypt, and mount them into the container.
$ cp /etc/letsencrypt/live/sub.example.com/fullchain.pem /srv/docker/keycloak/data/certs/tls.crt
$ cp /etc/letsencrypt/live/sub.example.com/privkey.pem /srv/docker/keycloak/data/certs/tls.key
$ chmod 755 /srv/docker/keycloak/data/certs/
$ chmod 604 /srv/docker/keycloak/data/certs/*
docker-compose.yml
In my case I needed to use the host network of the Docker host. This is not best practice and should not be necessary in your case either. Please find information about the configuration parameters at hub.docker.com/r/jboss/keycloak/.
version: '3.7'
networks:
  default:
    external:
      name: host
services:
  keycloak:
    container_name: keycloak_app
    image: jboss/keycloak
    depends_on:
      - mariadb
    restart: always
    ports:
      - "8080:8080"
      - "8443:8443"
    volumes:
      - "/srv/docker/keycloak/data/certs/:/etc/x509/https" # map certificates to container
    environment:
      KEYCLOAK_USER: <user>
      KEYCLOAK_PASSWORD: <pw>
      KEYCLOAK_HTTP_PORT: 8080
      KEYCLOAK_HTTPS_PORT: 8443
      KEYCLOAK_HOSTNAME: sub.example.com
      DB_VENDOR: mariadb
      DB_ADDR: localhost
      DB_USER: keycloak
      DB_PASSWORD: <pw>
    network_mode: host
  mariadb:
    container_name: keycloak_db
    image: mariadb
    volumes:
      - "/srv/docker/keycloak/data/keycloak_db:/var/lib/mysql"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: <pw>
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: <pw>
    network_mode: host
Final directory setup
This is what my final file and folder setup looks like.
$ cd /srv/docker/keycloak/
$ tree
.
├── config
│   └── docker-compose.yml
└── data
    ├── certs
    │   ├── tls.crt
    │   └── tls.key
    └── keycloak_db
Start the containers
Finally, I was able to start the software using docker-compose.
$ cd /srv/docker/keycloak/config/
$ sudo docker-compose up -d
We can double-check the mounted certificates within the container.
## open internal shell of keycloak container
$ sudo docker exec -it keycloak_app /bin/bash
## open directory of certificates
$ cd /etc/x509/https/
$ ll
-rw----r-- 1 root root 3586 Oct 30 14:21 tls.crt
-rw----r-- 1 root root 1708 Oct 30 14:20 tls.key
Considering the setup from the docker-compose.yml, keycloak is now available at https://sub.example.com:8443
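A pre-flight check for the mounted files, as an added example that is not part of the original answer and not anything the jboss/keycloak image ships: it reproduces the permission problem the answer traced the handshake error to (the files must be readable by the user the container runs as), flags the world-readable private key that chmod 604 produces, and verifies that tls.crt and tls.key actually belong together. The container uid/gid of 1000 is an assumption; adjust it to the image you run.

```python
"""Pre-flight check for the /etc/x509/https mount of the jboss/keycloak image.

Added example, not code from the original answer. Assumption (not stated on
the page): the keycloak process inside the container runs as uid/gid 1000.
"""
import os
import ssl
import stat

CONTAINER_UID = 1000  # assumed uid of the keycloak process in the container
CONTAINER_GID = 1000  # assumed gid


def _readable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """Apply the owner/group/other rule of the mode bits for the given identity."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_tls_mount(cert_path: str, key_path: str,
                    uid: int = CONTAINER_UID, gid: int = CONTAINER_GID) -> list:
    """Return a list of finding codes; an empty list means the mount looks sound."""
    findings = []
    for label, path in (("cert", cert_path), ("key", key_path)):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{label}_missing")
            continue
        if not _readable_by(st, uid, gid):
            # The image converts the PEM files into a Java keystore at start-up;
            # if the container user cannot read them, no usable keystore results.
            findings.append(f"{label}_not_readable_by_container")
        if label == "key" and st.st_mode & stat.S_IROTH:
            # chmod 604 as used in the answer leaves the private key world-readable.
            findings.append("key_world_readable")
    if "cert_missing" in findings or "key_missing" in findings:
        return findings
    # Confirm the certificate and private key really form a pair.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except (ssl.SSLError, OSError):
        findings.append("cert_key_pair_invalid")
    return findings
```

Run it on the host against /srv/docker/keycloak/data/certs/ before docker-compose up; an empty result means the container user can read both files and they match.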