TLS to keycloak with self-signed root cert #2010
Comments
Sorry for the late reply @GeneralLuzi - I missed the notification for this issue. :( @carlesarnal what do you think about this one? We have documentation in Registry for something similar I think, no?
No, I don't think we have documentation for this in Registry. That said, now that Studio is a Quarkus app, I recommend playing with the Quarkus configuration available in the OIDC extension, since setting the truststore appropriately must solve this issue.
Tentatively closing this one as we have proposed a solution. If you try it and the configuration does not work, please re-open it at your convenience.
Sorry to revive an old issue, but I somehow fail to understand from the Quarkus docs how to trust a certificate without rebuilding the entire application. Can you add some guidance as to how I would rebuild apicurio-ui and apicurio-api after creating a custom truststore? Or is there something else I am missing? |
You don't need to rebuild the entire application, but I think you probably do need to create your own Dockerfile. This usually means extending the application container image (in this case the Apicurio Studio images) and adding some

There is a reasonable discussion on this here: https://stackoverflow.com/questions/41497871/importing-self-signed-cert-into-dockers-jre-cacert-is-not-recognized-by-the-ser

I haven't done this myself, so I can't give you precise instructions.
Thanks for the quick response! I do understand the issue about building the truststore via keytool - we are already doing that and providing a Java truststore inside a custom image.

Initially I misunderstood the Quarkus documentation and thought it only offered truststore configuration at build time: https://quarkus.io/guides/native-and-ssl#build-time-configuration

However it also offers configuration at build time via GraalVM runtime options: https://www.graalvm.org/22.3/reference-manual/native-image/dynamic-features/CertificateManagement/#runtime-options

I have tried setting the mentioned properties via environment variables. I have tried these combinations:
I have also tried setting

The only option I have found as a quick fix is removing the HTTPS redirect on Keycloak. But this is a major security concern, because now credentials will be sent in plaintext. Is there a possibility that the
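An added example, not code from the Apicurio project or from anyone in this thread, of the approach suggested above: extend the Studio image, import the self-signed chain into a Java truststore with keytool, and tell the Quarkus OIDC extension where that truststore is. It assumes the PEM files to trust sit in ./certs/ next to the Dockerfile, that the Studio image is the Quarkus-based build and reads the QUARKUS_OIDC_TLS_* environment variables, and it uses eclipse-temurin only as a throwaway build stage to get keytool; the image tag and the default password changeit are illustrative.

```dockerfile
# Added example (not from the Apicurio project). Assumptions: ./certs/ holds the
# PEM certificates to trust (root CA and, optionally, intermediates); the Studio
# image is the Quarkus-based build and honours QUARKUS_OIDC_TLS_* variables.

# Stage 1: build the truststore in a JDK image so keytool is available,
# without assuming anything about what the Apicurio image contains.
FROM eclipse-temurin:17-jdk AS truststore
ARG TRUSTSTORE_PASSWORD=changeit
COPY certs/ /certs/
RUN set -eu; \
    for pem in /certs/*.pem; do \
      keytool -importcert -noprompt -trustcacerts \
        -alias "$(basename "$pem" .pem)" \
        -file "$pem" \
        -keystore /truststore.jks -storetype JKS \
        -storepass "$TRUSTSTORE_PASSWORD"; \
    done; \
    # Fail the build early if the import did not produce a readable store.
    keytool -list -keystore /truststore.jks -storepass "$TRUSTSTORE_PASSWORD"

# Stage 2: layer the truststore into the Studio image and point both the
# Quarkus OIDC client and the JDK default SSLContext at it.
FROM apicurio/apicurio-studio-ui:0.2.58.Final
ARG TRUSTSTORE_PASSWORD=changeit
COPY --from=truststore /truststore.jks /trust/truststore.jks

# Quarkus OIDC builds its own TLS configuration from quarkus.oidc.tls.*;
# these are the environment-variable forms of those properties.
ENV QUARKUS_OIDC_TLS_TRUST_STORE_FILE=/trust/truststore.jks \
    QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD=${TRUSTSTORE_PASSWORD}

# Keep the JDK default SSLContext in agreement for any other outbound HTTPS.
# JAVA_TOOL_OPTIONS is whitespace-separated: no commas between the options.
ENV JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/trust/truststore.jks -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}"
```

Two things worth checking against the setup described in the thread. JAVA_TOOL_OPTIONS is split on whitespace, so a comma between the two -D options becomes part of the trustStore path and the JVM will not find the file at that path. And the javax.net.ssl.* properties (including the GraalVM runtime variants) only configure the JDK default SSLContext; as far as I know the Quarkus OIDC client does not read them and has to be given the truststore through quarkus.oidc.tls.* as above. The truststore holds only public certificates, so its password guards integrity rather than confidentiality, which is why baking a default into the image is tolerable; it can still be overridden at run time. The tempting shortcut quarkus.oidc.tls.verification=none makes the error disappear by skipping certificate validation entirely, which is the TLS counterpart of the plaintext fallback mentioned above and should not be used.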
Hello!
I run Apicurio within a Docker Swarm stack (image: 'apicurio/apicurio-studio-ui:0.2.58.Final'). The Keycloak instance I have to use is only reachable over TLS.
The Apicurio container includes a truststore in which I included the needed certificates (the self-signed root cert, intermediate certs, Keycloak server certs, etc.). I checked the availability of the truststore within the container.
I started Apicurio with the following JAVA_TOOL_OPTIONS:
-Djavax.net.ssl.trustStore=/trust/truststore.jks -Djavax.net.ssl.trustStorePassword=xxx
I can confirm that these options were used during container start-up.
I got the following error message while trying to connect to Keycloak:
Is there a different way to incorporate a truststore?
Thanks in advance!