
[keycloak] Could not open SSL root certificate file /opt/jboss/.postgresql/root.crt. #16

Closed
tony-kerz opened this issue May 3, 2019 · 4 comments

Comments

@tony-kerz

Using a custom Docker image based on jboss/keycloak:6.0.1 which just grabs the AWS RDS cert and packages it up to be able to use SSL...

values.yaml

keycloak:
  image:
    repository: registry.blah.com/ci/keycloak
    tag: 6.0.1-1.0.0
    pullPolicy: Always

  replicas: 1

  extraEnv: |
    - name: KEYCLOAK_LOGLEVEL
      value: INFO
    - name: JDBC_PARAMS
      value: ssl=true
    - name: _JAVA_OPTIONS
      value: "-Djavax.net.ssl.trustStore=/tmp/cacerts.jks"
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"

  password: s3cret

  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: internal
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.blah.com
    tls:
      - hosts:
        - keycloak.blah.com

  persistence:
    dbVendor: postgres
    dbName: keycloak
    dbHost: aurora-postgresql-infra.cluster-{blah}.us-east-1.rds.amazonaws.com
    dbUser: keycloak
    dbPassword: s3cret

Caused by: org.postgresql.util.PSQLException: Could not open SSL root certificate file /opt/jboss/.postgresql/root.crt.
	at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:120)
	at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:61)
	at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:33)
	at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
	at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
	at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
	at org.postgresql.Driver.makeConnection(Driver.java:454)
	at org.postgresql.Driver.connect(Driver.java:256)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
	... 55 more
Caused by: java.io.FileNotFoundException: /opt/jboss/.postgresql/root.crt (No such file or directory)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at java.io.FileInputStream.<init>(FileInputStream.java:93)
	at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:117)
	... 65 more
@unguiculus
Contributor

I never used _JAVA_OPTIONS. Could you try and see if this works:

keycloak:
  extraArgs: "-Djavax.net.ssl.trustStore=/tmp/cacerts.jks"

@akkie

akkie commented May 10, 2019

I'm also interested in a solution for this issue. @tony-kerz are there any news?

@akkie

akkie commented May 10, 2019

@tony-kerz if you add the cert to the default keystore, you don't need to specify a custom keystore.

Something like this:

FROM jboss/keycloak:6.0.1

USER root

COPY setu-ca.pem /etc/pki/CA/certs/setu-ca.pem
RUN openssl x509 -outform der -in /etc/pki/CA/certs/setu-ca.pem -out /etc/pki/ca-trust/source/anchors/setu-ca.crt
RUN update-ca-trust

USER 1000

@tony-kerz
Author

That could be simpler than what I'm doing @akkie, I'll check it out when I get the chance.

The solution that I found for this is to set the JDBC_PARAMS env-var as follows:

    - name: JDBC_PARAMS
      # https://github.com/pgjdbc/pgjdbc/issues/1307
      #
      value: ssl=true,sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory

Looks like an issue in the Postgres JDBC driver (see the above link)...

So I'll close this issue, thanks for the ideas @akkie and @unguiculus!
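As an added example (not code from this issue, the Helm chart or pgjdbc), the following preflight check reproduces why the original configuration failed and why the two proposed fixes work. It parses the chart's JDBC_PARAMS string and the JVM options, then resolves the trust source the same way the driver does: the default sslfactory, LibPQFactory, opens the PEM file named by sslrootcert (default $HOME/.postgresql/root.crt) for sslmode verify-ca/verify-full, and ssl=true with no sslmode means verify-full; DefaultJavaSSLFactory instead uses the JVM trust store (javax.net.ssl.trustStore, else the JVM's own cacerts, which akkie's update-ca-trust Dockerfile feeds). The helper names, the demo() scenarios and every path are constructed; only the two factory class names and the parameter names come from the thread and the pgjdbc documentation.

```python
"""Preflight check for the pgjdbc trust configuration discussed in this issue.

Added example, not code from the issue, the Helm chart or pgjdbc. It resolves
where the driver will look for trust anchors so that "Could not open SSL root
certificate file" is caught before the pod starts. demo() uses constructed
paths under a temporary directory.
"""
import os
import shlex
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

LIBPQ_FACTORY = "org.postgresql.ssl.LibPQFactory"              # pgjdbc default
DEFAULT_JAVA_FACTORY = "org.postgresql.ssl.DefaultJavaSSLFactory"
NON_VERIFYING_MODES = ("allow", "prefer", "require")            # no chain check


def parse_jdbc_params(jdbc_params: str) -> Dict[str, str]:
    """Split the chart's comma-separated JDBC_PARAMS ('k=v,k=v') into a dict."""
    params: Dict[str, str] = {}
    for item in jdbc_params.split(","):
        item = item.strip()
        if item:
            key, sep, value = item.partition("=")
            params[key.strip()] = value.strip() if sep else ""
    return params


def parse_java_system_props(java_opts: str) -> Dict[str, str]:
    """Collect -Dkey=value system properties from a JVM options string."""
    props: Dict[str, str] = {}
    for tok in shlex.split(java_opts):
        if tok.startswith("-D"):
            key, sep, value = tok[2:].partition("=")
            props[key] = value if sep else ""
    return props


@dataclass
class TrustSource:
    factory: str           # sslfactory the driver will use ("none" when TLS is off)
    verifies_server: bool  # whether the server certificate chain is checked at all
    path: Optional[str]    # trust file the factory will open, if determinable
    exists: bool           # whether that file is present on this filesystem
    note: str              # explanation suitable for a pod's startup log


def resolve_trust_source(jdbc_params: str, java_opts: str, home: str,
                         java_home: Optional[str] = None) -> TrustSource:
    """Mirror the driver's lookup so a missing trust file is caught before startup."""
    params = parse_jdbc_params(jdbc_params)
    props = parse_java_system_props(java_opts)
    mode = params.get("sslmode")
    if mode is None:  # ssl=true without sslmode is treated as verify-full
        mode = "verify-full" if params.get("ssl", "").lower() == "true" else "disable"
    if mode == "disable":
        return TrustSource("none", False, None, False, "TLS not requested")

    factory = params.get("sslfactory", LIBPQ_FACTORY)
    if factory == LIBPQ_FACTORY:
        if mode in NON_VERIFYING_MODES:
            return TrustSource(factory, False, None, False,
                               f"sslmode={mode}: encrypted, but server identity is NOT verified")
        # libpq-compatible lookup: PEM bundle, defaulting to ~/.postgresql/root.crt
        path = params.get("sslrootcert") or os.path.join(home, ".postgresql", "root.crt")
        found = os.path.isfile(path)
        note = ("root certificate present" if found else
                "driver will fail with 'Could not open SSL root certificate file'; "
                "ship the CA PEM at this path, set sslrootcert, or switch sslfactory")
        return TrustSource(factory, True, path, found, note)

    if factory == DEFAULT_JAVA_FACTORY:
        # JVM trust store: explicit javax.net.ssl.trustStore, else the JVM's cacerts
        path = props.get("javax.net.ssl.trustStore")
        if path is None and java_home is not None:
            path = os.path.join(java_home, "lib", "security", "cacerts")
        found = path is not None and os.path.isfile(path)
        note = ("JVM trust store present; the RDS CA must be imported into it" if found
                else "JVM trust store not found; check javax.net.ssl.trustStore or JAVA_HOME")
        return TrustSource(factory, True, path, found, note)

    return TrustSource(factory, True, None, False, "custom sslfactory; review it by hand")


def demo() -> List[TrustSource]:
    """Run the thread's configurations against a constructed container filesystem."""
    root = tempfile.mkdtemp(prefix="pgjdbc-preflight-")
    home = os.path.join(root, "jboss")               # stands in for /opt/jboss
    os.makedirs(os.path.join(home, ".postgresql"))   # directory exists, root.crt does not
    jks = os.path.join(root, "cacerts.jks")
    with open(jks, "w") as fh:
        fh.write("constructed placeholder, not a real keystore\n")
    return [
        # 1. reporter's original config: trustStore is set, but LibPQFactory ignores it
        resolve_trust_source("ssl=true", f"-Djavax.net.ssl.trustStore={jks}", home),
        # 2. the fix from the last comment: let the JVM trust store do the work
        resolve_trust_source(f"ssl=true,sslfactory={DEFAULT_JAVA_FACTORY}",
                             f"-Djavax.net.ssl.trustStore={jks}", home),
        # 3. a tempting "fix" that silently drops server verification
        resolve_trust_source("ssl=true,sslmode=require", "", home),
    ]


if __name__ == "__main__":
    for r in demo():
        print(f"{r.factory.rsplit('.', 1)[-1]:22} verifies={r.verifies_server!s:5} "
              f"exists={r.exists!s:5} {r.note}")
```

Scenario 3 is the one to watch for in review: sslmode=require makes the error go away without any root certificate, but only because the driver stops checking who it is talking to, so the JDBC_PARAMS change from the last comment (or shipping root.crt / a populated JVM trust store) is the right shape of fix.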
