Setting up ssl/https for jboss/Keycloak
Question
I would like to ask for help with setting up https for Keycloak (http is running correctly).
Keycloak is running in Docker (jboss/keycloak) in domain clustered mode. For now, I just want to make the server respond, so all other features are irrelevant. I followed the official Keycloak docs and set up:
Using: Keycloak 9.0.2 (WildFly Core 10.0.3.Final)
1. host-master.xml
> <security-realm name="UndertowRealm">
>   <server-identities>
>     <ssl>
>       <keystore path="/opt/jboss/keycloak/domain/servers/auth-0/configuration/keycloak.keystore" keystore-password="123456keycloak" alias="t2rkeystore" />
>     </ssl>
>   </server-identities>
> </security-realm>
2. domain.xml
> <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" ... >
>   <buffer-cache name="default"/>
>   <server name="default-server">
>     <ajp-listener name="ajp" socket-binding="ajp"/>
>     <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
>     <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true" />
>     <host name="default-host" alias="localhost">
>       <location name="/" handler="welcome-content"/>
>       <http-invoker security-realm="UndertowRealm"/>
>       <filter-ref name="request-dumper"/>
>     </host>
>   </server>
> ...
Booting up shows that https is running on port 8443:
> keycloak_1 | [Server:auth-0] 13:18:15,700 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTPS listener https listening on 0.0.0.0:8443
The OS also shows that port 8443 is listening:
> tcp6 0 0 :::8443 :::* LISTEN
The keystore looks ok too:
> keytool -keystore /opt/jboss/keycloak/domain/servers/auth-0/configuration/keycloak.keystore -list -v
>
> Alias name: t2rkeystore
> Creation date: Apr 3, 2020
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=t2r, O=Default Company Ltd, L=Default City, C=SK
> Issuer: CN=tatramed.sk, O=Default Company Ltd, L=Default City, C=SK
> Serial number: e59614237777c77e
> Valid from: Thu Apr 02 09:20:36 GMT 2020 until: Sun Mar 31 09:20:36 GMT 2030
> Certificate fingerprints:
> SHA1: D7:20:9B:A0:B7:B6:67:B5:1A:CA:8C:72:66:3C:DF:43:EA:CD:2E:92
> SHA256: 5B:AA:19:45:D5:F6:41:48:B3:F1:85:A7:CB:F9:97:22:58:B2:F3:C7:F1:7E:83:DC:35:DB:B0:A7:B9:26:64:0F
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 1
But still, opening the page in Chrome results in ERR_CONNECTION_REFUSED, and curl fails too:
> curl -k -i -v --trace - https://localhost:8443
> Warning: --trace overrides an earlier trace/verbose option
> == Info: About to connect() to localhost port 8443 (#0)
> == Info: Trying ::1...
> == Info: Connected to localhost (::1) port 8443 (#0)
> == Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
> == Info: NSS error -5938 (PR_END_OF_FILE_ERROR)
> == Info: Encountered end of file
> == Info: Closing connection 0
> curl: (35) Encountered end of file
The certificates are self-created using openssl in the following way:
> openssl genrsa -out keycloak.key 2048
> openssl req -new -key keycloak.key -out keycloak.csr
> openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt
> openssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name t2rkeystore -CAfile ca.crt
> //password: 123456keycloak
>
> keytool -importkeystore -deststorepass 123456keycloak -destkeystore /opt/jboss/keycloak/domain/servers/auth-0/configuration/keycloak.keystore -srckeystore /opt/jboss/keycloak/domain/servers/auth-0/configuration/keycloak.p12 -srcstoretype PKCS12 -srcstorepass 123456keycloak
I also tried the "elytron -> server-ssl-context" way, with the same result.
Is there something I am missing?
Thank you for any advice...
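The question shows two different symptoms for the same port: Chrome reports ERR_CONNECTION_REFUSED, while curl connects to ::1 on 8443 and then gets an end-of-file before any TLS record comes back, and the netstat line shows a tcp6 socket. The following Python script is an added diagnostic, not part of the question and not Keycloak or WildFly code: it probes every address a hostname resolves to (IPv4 and IPv6 separately) with a TLS ClientHello and classifies the outcome, so a refused TCP connect (nothing bound on that address/port) can be told apart from a listener that accepts TCP but drops the connection during the handshake (what curl's PR_END_OF_FILE_ERROR reports). The helper `start_dropping_listener` is a constructed stand-in for that second case so the script can be exercised offline; the default target localhost:8443 is taken from the question and the script name is arbitrary.

```python
import socket
import ssl
import sys
import threading

# Added diagnostic (not from the question): probe a TLS port and report *how*
# it fails, so "nothing listening" is distinguishable from "listener accepts
# TCP but never completes the TLS handshake".


def classify_tls_endpoint(address, port, server_hostname=None, timeout=3.0):
    """Send a TLS ClientHello to address:port and classify what happens.

    Returns a dict whose 'status' is one of:
      'refused'   TCP connect refused: nothing bound on that address/port
      'timeout'   no TCP answer at all (filtered, wrong host)
      'dropped'   TCP accepted, then the peer closed/reset the connection
                  before finishing the handshake (curl reports this as
                  "Encountered end of file" / PR_END_OF_FILE_ERROR)
      'tls_error' the peer answered but the handshake failed (not TLS,
                  alert, protocol mismatch); 'detail' says why
      'ok'        handshake completed; 'protocol' and 'cipher' are filled in
    Certificate verification is switched off on purpose: this checks whether
    the listener speaks TLS at all, not whether its certificate is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((address, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"status": "refused"}
    except socket.timeout:
        return {"status": "timeout"}
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return {"status": "ok", "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
        except ssl.SSLEOFError:
            return {"status": "dropped", "detail": "EOF during handshake"}
        except (ConnectionResetError, BrokenPipeError):
            return {"status": "dropped", "detail": "reset during handshake"}
        except socket.timeout:
            return {"status": "timeout", "detail": "no handshake answer"}
        except ssl.SSLError as exc:
            # Some OpenSSL builds surface an unexpected EOF as a plain
            # SSLError; classify that as 'dropped' too.
            if "EOF" in str(exc):
                return {"status": "dropped", "detail": str(exc)}
            return {"status": "tls_error", "detail": exc.reason or str(exc)}


def probe_all(host, port, timeout=3.0):
    """Probe every address `host` resolves to, one result per address.

    A service bound on only one address family looks 'up' via one path and
    'refused' via the other, which a single probe would hide.
    """
    results = {}
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        address = sockaddr[0]
        if address not in results:
            results[address] = classify_tls_endpoint(
                address, port, server_hostname=host, timeout=timeout)
    return results


def start_dropping_listener(host="127.0.0.1"):
    """Constructed stand-in for a bound-but-not-serving-TLS port: accept one
    connection, read whatever the client sends, close without answering.
    Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(65536)  # drain the ClientHello so close() sends FIN, not RST
        except OSError:
            pass
        conn.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def free_port(host="127.0.0.1"):
    """Return a port nothing is listening on (bound briefly, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    for addr, result in probe_all(target_host, target_port).items():
        print(f"{addr}:{target_port} -> {result}")
```

Run it as `python probe_tls.py localhost 8443` (any file name works): a 'dropped' result on one address together with 'refused' on another tells you the listener is up on one address family only, while 'dropped' on all of them means the socket is bound but the TLS layer behind it is not answering, which is a different problem from a port that is not open at all.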