Question
I am running a keycloak instance connected to Amazon RDS Postgres with this docker command:
docker run --rm --name keycloak \
-p 9090:8080 -e KEYCLOAK_USER=xxx \
-e KEYCLOAK_PASSWORD=xxx \
-e DB_VENDOR=postgres \
-e DB_ADDR=mydb2.xxx.rds.amazonaws.com:5432 \
-e DB_USER=xxx \
-e DB_PASSWORD=xxx \
-e DB_DATABASE=keycloak \
jboss/keycloak:latest
But it cannot connect to the DB:
05:18:54,776 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"keycloak-server.war\".undertow-deployment" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: Failed to connect to database
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
Caused by: org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=mydb2.xxx.us-east-1.rds.amazonaws.com. Usage was tls server"}}
I am sure about the following:
- The RDS instance is available, the port is open. I checked it with psql.
- This happens with jboss/keycloak:7.0.1 and does not happen with jboss/keycloak:7.0.0. Version 7.0.0 works fine.
Why does this happen and how can I fix it?
This probably is too broad a question, but I am not a Java guy (I mostly do Python), so this is as narrow as I can do.
Answer 1:
As is said in Jan Garaj's answer, different Java versions are used.
This is failing because the RSA key used by RDS is only 1024 bits long, while java.security only allows keys longer than 1024 bits.
Updating your RDS to the new certificate authority (rds-ca-2019) seems to create longer keys and fix this issue.
AWS has documentation on how to do this.
Answer 2:
It looks like a problem with Java security. Different Java versions are used (1.8 vs 11), so it may need some tweaks in java.security or in the cipher configuration on the RDS side (if that is possible):
You can compare and tweak the 7.0.1 java.security file:
$ docker run --rm -ti --entrypoint bash jboss/keycloak:7.0.1 \
-c 'cat /etc/java/java-11-openjdk/java-11-openjdk-*/conf/security/java.security | grep -v ^# | grep -v ^$'
$ docker run --rm -ti --entrypoint bash jboss/keycloak:7.0.0 \
-c 'cat /usr/lib/jvm/java-1.8.0-openjdk-*/jre/lib/security/java.security | grep -v ^# | grep -v ^$'
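The script below is an added example, not code from the question or from either answer. It shows what the two answers describe in running form: it parses the jdk.certpath.disabledAlgorithms property out of java.security text (such as the output of the two docker commands above, which strip comments but keep the backslash line continuations) and reports which key-size rule, if any, would reject the RSA 1024-bit server certificate named in the stack trace. The two embedded java.security fragments are constructed illustrations of a JDK 8-style policy (RSA keySize < 1024) and a stricter JDK 11-style policy (RSA keySize < 2048); they are assumptions about the shape of the files, not copies from the images, so read the real values from the containers before drawing conclusions.

```python
"""Evaluate a certificate key against a JDK's jdk.certpath.disabledAlgorithms.

Added example (not from the original page). Parses java.security text and
says which key-size rule, if any, would reject a key of the given algorithm
and size. The embedded property values are CONSTRUCTED illustrations.
"""
import operator
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample resembling an OpenJDK 8 java.security (assumption, not copied from the image).
JAVA8_SECURITY = """\
# comment lines and blank lines are skipped

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024
"""

# Constructed sample resembling a stricter OpenJDK 11 policy (assumption, not copied from the image).
JAVA11_SECURITY = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 2048, DSA keySize < 1024, EC keySize < 224, \\
    include jdk.disabled.namedCurves
"""

PROPERTY = "jdk.certpath.disabledAlgorithms"
_KEYSIZE_RE = re.compile(r"^(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$")
_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, ">=": operator.ge}


def read_property(text: str, name: str) -> Optional[str]:
    """Return `name` from Java .properties text, honouring '#'/'!' comment
    lines and backslash line continuations (java.security uses both)."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # continuation: keep accumulating
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    for entry in logical:
        key, sep, value = entry.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None


@dataclass(frozen=True)
class KeySizeRule:
    algorithm: str
    op: str
    size: int

    def rejects(self, algorithm: str, key_size: int) -> bool:
        return (algorithm.upper() == self.algorithm.upper()
                and _OPS[self.op](key_size, self.size))

    def __str__(self) -> str:
        return f"{self.algorithm} keySize {self.op} {self.size}"


def parse_keysize_rules(value: str) -> List[KeySizeRule]:
    """Keep only '<ALG> keySize <op> <n>' entries; the other constraint forms
    (whole-algorithm bans, 'jdkCA & usage ...', 'include ...') are out of scope."""
    rules = []
    for entry in value.split(","):
        m = _KEYSIZE_RE.match(entry.strip())
        if m:
            rules.append(KeySizeRule(m.group(1), m.group(2), int(m.group(3))))
    return rules


def disabled_by(java_security: str, algorithm: str, key_size: int) -> Optional[str]:
    """Name the rule in jdk.certpath.disabledAlgorithms that rejects the key,
    or None when no key-size rule applies (the JDK may still reject the
    certificate on other grounds, e.g. its signature algorithm)."""
    value = read_property(java_security, PROPERTY)
    if value is None:
        return None
    for rule in parse_keysize_rules(value):
        if rule.rejects(algorithm, key_size):
            return str(rule)
    return None


if __name__ == "__main__":
    # The RDS server certificate from the stack trace: RSA, 1024 bit.
    for label, text in (("JDK 8-style policy", JAVA8_SECURITY),
                        ("JDK 11-style policy", JAVA11_SECURITY)):
        verdict = disabled_by(text, "RSA", 1024) or "allowed"
        print(f"{label}: RSA 1024 -> {verdict}")
```

To run it against a real image, pipe the output of the docker command above into a file and pass its contents to disabled_by in place of the constructed samples; the same function also tells you whether a 2048-bit key, as issued under the newer RDS CA, clears the constraint.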
Source: https://stackoverflow.com/questions/58796587/keycloak-ssl-error-certificates-do-not-conform-to-algorithm-constraints