keycloak - SSL error: Certificates do not conform to algorithm constraints


Question

I am running a keycloak instance connected to Amazon RDS Postgres with this docker command:

docker run --rm --name keycloak \
-p 9090:8080 -e KEYCLOAK_USER=xxx \
-e KEYCLOAK_PASSWORD=xxx \
-e DB_VENDOR=postgres \
-e DB_ADDR=mydb2.xxx.rds.amazonaws.com:5432 \
-e DB_USER=xxx \
-e DB_PASSWORD=xxx \
-e DB_DATABASE=keycloak \
jboss/keycloak:latest

But it cannot connect to the DB:

05:18:54,776 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"keycloak-server.war\".undertow-deployment" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: Failed to connect to database
    Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    Caused by: org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints
    Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
    Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=mydb2.xxx.us-east-1.rds.amazonaws.com.  Usage was tls server"}}

I can confirm the following:

  • The RDS instance is available and the port is open. I checked it with psql.
  • This happens with jboss/keycloak:7.0.1 and does not happen with jboss/keycloak:7.0.0. Version 7.0.0 works fine.

Why does this happen and how can I fix it?

This is probably too broad a question, but I am not a Java guy (I mostly do Python), so this is as narrow as I can make it.

Answer

As is said in Jan Garaj's answer, different Java versions are used.

This is failing because the RSA key used by RDS is only 1024 bits long, while java.security only allows keys longer than 1024 bits.

Updating your RDS to the new certificate authority (rds-ca-2019) seems to create longer keys and fix this issue.

AWS has documentation on how to do this.
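The answer comes down to a key-size rule in java.security rejecting the 1024-bit RSA key that the log shows ("Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate ..."). The script below is an added example, written for this page in Python (the asker's language) rather than taken from the question, the answer, Keycloak or the JDK. It re-implements a simplified reading of the jdk.certpath.disabledAlgorithms property syntax (comma-separated entries, each an algorithm name optionally followed by "&"-joined constraints such as keySize < 2048, usage TLSServer or jdkCA) and runs a chain of certificate summaries against it, so you can predict before deploying whether a given JDK policy will reject a database certificate. The property values and the 2048-bit post-rotation key are constructed for the demonstration; the exact value shipped in the jboss/keycloak:7.0.1 image is not given on the page, and constraint kinds this example does not model (for example denyAfter) are treated as not matching.

```python
import operator
import re

_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">=": operator.ge, ">": operator.gt}
_KEYSIZE = re.compile(r"^keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$", re.IGNORECASE)


def _parse_constraint(text):
    """Turn one constraint fragment into a tuple this example can evaluate."""
    text = text.strip()
    m = _KEYSIZE.match(text)
    if m:
        return ("keySize", m.group(1), int(m.group(2)))
    tokens = text.split()
    if tokens and tokens[0].lower() == "usage":
        return ("usage", {t.lower() for t in tokens[1:]})
    return ("flag", text)  # e.g. jdkCA, denyAfter ...


def parse_disabled_algorithms(value):
    """Parse a disabledAlgorithms-style property into (ALGORITHM, [constraints])."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        chunks = raw.split("&")
        # "RSA keySize < 2048" -> ["RSA", "keySize < 2048"]; "MD5" -> ["MD5"]
        head = chunks[0].split(None, 1)
        alg = head[0].upper()
        texts = head[1:] + chunks[1:]
        constraints = [_parse_constraint(t) for t in texts if t.strip()]
        entries.append((alg, constraints))
    return entries


def _holds(constraint, key_size, usage, jdk_ca):
    kind = constraint[0]
    if kind == "keySize":
        _, op, limit = constraint
        return key_size is not None and _OPS[op](key_size, limit)
    if kind == "usage":
        return usage is not None and usage.lower() in constraint[1]
    if constraint[1].lower() == "jdkca":
        return jdk_ca
    return False  # assumption: unmodelled constraint kinds never match


def is_disabled(entries, algorithm, key_size=None, usage=None, jdk_ca=False):
    """True if some entry names the algorithm and all of its constraints hold."""
    for alg, constraints in entries:
        if alg != algorithm.upper():
            continue
        if all(_holds(c, key_size, usage, jdk_ca) for c in constraints):
            return True
    return False


def check_chain(property_value, chain, usage="TLSServer"):
    """Return one message per certificate whose key the property would reject."""
    entries = parse_disabled_algorithms(property_value)
    problems = []
    for cert in chain:
        if is_disabled(entries, cert["alg"], cert.get("key_size"), usage,
                       cert.get("jdk_ca", False)):
            problems.append("%s %sbit key rejected for %s"
                            % (cert["alg"], cert.get("key_size"), cert["subject"]))
    return problems


# Constructed chain summaries: the first mirrors the certificate named in the
# log above, the second is an assumed 2048-bit key after moving to rds-ca-2019.
OLD_CHAIN = [{"subject": "CN=mydb2.xxx.us-east-1.rds.amazonaws.com",
              "alg": "RSA", "key_size": 1024}]
NEW_CHAIN = [{"subject": "CN=mydb2.xxx.us-east-1.rds.amazonaws.com",
              "alg": "RSA", "key_size": 2048}]

# Constructed policy strings: a strict one that rejects 1024-bit RSA keys and a
# lenient one that still allows them.
STRICT_POLICY = "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 2048"
LENIENT_POLICY = "MD2, MD5, RSA keySize < 1024"

if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("lenient", LENIENT_POLICY)):
        print(name, "old chain:", check_chain(policy, OLD_CHAIN) or "ok")
        print(name, "new chain:", check_chain(policy, NEW_CHAIN) or "ok")
```

Run it as-is and the strict policy reports the 1024-bit key while the lenient one and the 2048-bit chain pass, which is the same split the question sees between the two image versions. To apply it to a real deployment, fill the chain list from the key sizes openssl or your certificate tooling reports and the policy string from the java.security file of the JDK actually inside the container.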
