Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS to keycloak with self-signed root cert #2010

Closed
GeneralLuzi opened this issue Sep 15, 2022 · 6 comments
Closed

TLS to keycloak with self-signed root cert #2010

GeneralLuzi opened this issue Sep 15, 2022 · 6 comments
Labels
component/studio priority/normal

Comments

@GeneralLuzi
Copy link

GeneralLuzi commented Sep 15, 2022
edited

Hello!

I run Apicurio within a docker swarm stack ( image: 'apicurio/apicurio-studio-ui:0.2.58.Final'). The keycloak instance I have to use is only reachable over TLS.

The Apicurio container includes a trust store in which I included the needed certificats. (the self signed root cert, intermediate certs, keycloak server certs, etc.). I checked the availablity of the truststore within the container.

I started apucirio with the following JAVA_TOOL_OPTIONS:
-Djavax.net.ssl.trustStore=/trust/truststore.jks, -Djavax.net.ssl.trustStorePassword=xxx
I can confirm, that these option were used during container start up.

The following error message I got while trying to connect to keycloak:

2022-09-15 11:49:55,558 ERROR [io.und.req.io] (executor-thread-0) Exception handling request 84b30f21-beae-4b70-8d8a-97a9a2800b82-3 to /: io.quarkus.oidc.OIDCException: OIDC server is not available at the 'https://keycloak.domain/auth/realms/realm-name' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'
[...]
Caused by: javax.net.ssl.SSLHandshakeException: No X509TrustManager implementation available
[...]
Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
[...]

Is there a different way to incoperate a trust store?

Thanks in advanced!
@EricWittmann
Copy link
Member

Sorry for the late reply @GeneralLuzi - I missed the notification for this issue. :(

@carlesarnal what do you think about this one? We have documentation in registry for something similar I think, no?

@carlesarnal
Copy link
Member

No, I don't think we have documentation for this in Registry. That said, now that studio is a Quarkus app, I recommend playing with Quarkus available configuration in the OIDC extension, since setting the truststore appropriately must solve this issue.

@carlesarnal
Copy link
Member

Tentatively closing this one as we have proposed a solution. If you try and the configuration does not work, please, re-open it at your convenience.

@jscheytt
Copy link

jscheytt commented Jul 3, 2023

Sorry to revive an old issue, but I somehow fail to understand from the Quarkus docs how to trust a certificate without rebuilding the entire application. Can you add some guidance as to how I would rebuild apicurio-ui and apicurio-api after creating a custom truststore? Or is there something else I am missing?

@EricWittmann
Copy link
Member

You don't need to rebuild the entire application, but I think you probably do need to create your own dockerfile. This usually means extending the application container image (in this case the Apicurio Studio images) and adding some keytool magic to import the appropriate cert into the java truststore. Another approach would be to mount a volume with your custom truststore and then add the appropriate startup flags to the Java app to make it use that store instead of the default.

There is a reasonable discussion on this here: https://stackoverflow.com/questions/41497871/importing-self-signed-cert-into-dockers-jre-cacert-is-not-recognized-by-the-ser

I haven't done this myself so I can't give you precise instructions.

@jscheytt
Copy link

jscheytt commented Jul 3, 2023

Thanks for the quick response!

I do understand the issue about building the truststore via keytool - we are already doing that and providing a java truststore inside a custom image.

Initially I misunderstood the Quarkus documentation and thought it only offered truststore configuration at build time: https://quarkus.io/guides/native-and-ssl#build-time-configuration However it also offers configuration at build time via GraalVM runtime options: https://www.graalvm.org/22.3/reference-manual/native-image/dynamic-features/CertificateManagement/#runtime-options

I have tried setting the mentioned properties via environment variables. I have tried these combinations:

  1. javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword -> no effect
  2. JAVAX_NET_SSL_TRUSTSTORE and JAVAX_NET_SSL_TRUSTSTOREPASSWORD -> no effect

I have also tried setting APICURIO_KC_DISABLE_TRUST_MANAGER explicitly to true (althought the documentation at https://hub.docker.com/r/apicurio/apicurio-studio-ui says that already is the default value). This did not help either.

The only option I have found as a quickfix is removing the https redirect on Keycloak. But this is a major security concern because now credentials will be sent in plaintext.

Is there a possibility that the APICURIO_KC_DISABLE_TRUST_MANAGER has suddenly stopped working? Is there any sensible fix that we can deploy so that at least Keycloak can keep running on https?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component/studio priority/normal
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@EricWittmann @GeneralLuzi @carlesarnal @jscheytt