keycloak - SSL error: Certificates do not conform to algorithm constraints
Question
I am running a keycloak instance connected to Amazon RDS Postgres with this docker command:
docker run --rm --name keycloak \
-p 9090:8080 -e KEYCLOAK_USER=xxx \
-e KEYCLOAK_PASSWORD=xxx \
-e DB_VENDOR=postgres \
-e DB_ADDR=mydb2.xxx.rds.amazonaws.com:5432 \
-e DB_USER=xxx \
-e DB_PASSWORD=xxx \
-e DB_DATABASE=keycloak \
jboss/keycloak:latest
But it cannot connect to the DB:
05:18:54,776 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"keycloak-server.war\".undertow-deployment" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: Failed to connect to database
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
Caused by: org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=mydb2.xxx.us-east-1.rds.amazonaws.com. Usage was tls server"}}
I can confirm the following:
- The RDS instance is available and the port is open. I checked it with psql.
- This happens with jboss/keycloak:7.0.1 and does not happen with jboss/keycloak:7.0.0. Version 7.0.0 works fine.
Why can this happen and how can it be fixed?
This is probably too broad a question, but I am not a Java guy (I mostly do Python), so this is as narrow as I can make it.
Answer
As is said in Jan Garaj's answer, different Java versions are used.
This is failing because the RSA key used by RDS is only 1024 bits long, while java.security only allows keys longer than 1024 bits.
Updating your RDS to the new certificate authority (rds-ca-2019) seems to create longer keys and fix this issue.
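The key-size constraint the answer refers to is expressed in the java.security property jdk.certpath.disabledAlgorithms (and its TLS counterpart jdk.tls.disabledAlgorithms) as comma-separated entries such as "RSA keySize < 2048". The following is an added example, not code from the question, the answer or the Keycloak project: it parses that entry syntax and reports whether a key of a given algorithm and size would be refused, which is the check behind the "Algorithm constraints check failed on keysize limits" message in the stack trace. The constraint string EXAMPLE_CONSTRAINTS is constructed for illustration; the assumed entry "RSA keySize < 2048" is what reproduces the failure for the 1024-bit RDS key and accepts a longer one. On a real JVM, read the actual property from $JAVA_HOME/conf/security/java.security (lib/security/java.security on Java 8) rather than relying on this sample.

```python
"""Check a certificate key against a java.security disabledAlgorithms constraint list.

Added example, not code from the question or answer above. It parses the entry
syntax used by jdk.certpath.disabledAlgorithms / jdk.tls.disabledAlgorithms and
reports whether a key of a given algorithm and size would be rejected.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed example list in java.security syntax (an assumption, not a value
# taken from any JDK). "RSA keySize < 2048" reproduces the question's failure:
# a 1024-bit RSA server key is below the limit and is refused in the handshake.
EXAMPLE_CONSTRAINTS = (
    "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 2048, "
    "DSA keySize < 1024, EC keySize < 224"
)

# "ALG keySize OP N"; longer operators listed first so "<=" is not read as "<".
_KEYSIZE_RE = re.compile(
    r"^(?P<alg>[A-Za-z0-9_-]+)\s+keySize\s*(?P<op><=|>=|==|!=|<|>)\s*(?P<bits>\d+)$"
)


@dataclass(frozen=True)
class KeySizeRule:
    """One 'ALG keySize OP N' entry: keys for which 'bits OP N' holds are disabled."""
    algorithm: str
    op: str
    limit: int

    def disables(self, bits: int) -> bool:
        return {
            "<": bits < self.limit,
            "<=": bits <= self.limit,
            ">": bits > self.limit,
            ">=": bits >= self.limit,
            "==": bits == self.limit,
            "!=": bits != self.limit,
        }[self.op]


def parse_constraints(value: str) -> Tuple[Set[str], List[KeySizeRule], List[str]]:
    """Split a disabledAlgorithms value into three groups:
    - algorithms disabled outright ("MD5"),
    - key-size rules ("RSA keySize < 2048"),
    - conditional entries this example does not evaluate ("SHA1 jdkCA & usage TLSServer").
    """
    disabled: Set[str] = set()
    rules: List[KeySizeRule] = []
    conditional: List[str] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        m = _KEYSIZE_RE.match(entry)
        if m:
            rules.append(KeySizeRule(m["alg"].upper(), m["op"], int(m["bits"])))
        elif " " in entry or "&" in entry:
            conditional.append(entry)  # qualified entry; needs cert context to decide
        else:
            disabled.add(entry.upper())
    return disabled, rules, conditional


def check_key(constraints: str, algorithm: str, bits: int) -> Optional[str]:
    """Return None if the key passes, otherwise a reason modelled on the JDK message."""
    disabled, rules, _ = parse_constraints(constraints)
    alg = algorithm.upper()
    if alg in disabled:
        return f"Algorithm constraints check failed on disabled algorithm: {alg}"
    for rule in rules:
        if rule.algorithm == alg and rule.disables(bits):
            return (
                "Algorithm constraints check failed on keysize limits. "
                f"{alg} {bits}bit key violates '{rule.algorithm} keySize {rule.op} {rule.limit}'"
            )
    return None


if __name__ == "__main__":
    # A 1024-bit key like the RDS certificate in the stack trace, then a 2048-bit
    # key like the longer keys the answer expects after moving to the newer CA.
    for alg, bits in (("RSA", 1024), ("RSA", 2048), ("EC", 256)):
        verdict = check_key(EXAMPLE_CONSTRAINTS, alg, bits)
        print(f"{alg} {bits}: {'rejected - ' + verdict if verdict else 'accepted'}")
```

Running the block with the constructed list rejects the 1024-bit RSA key and accepts the 2048-bit one, so the same script, fed the real property value from the JVM inside the jboss/keycloak image and the key size read from the RDS server certificate, tells you before deployment whether the handshake will be refused. Entries with qualifiers (jdkCA, usage, denyAfter) are listed but not evaluated, since they depend on the certificate chain rather than the key alone.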