Postgres Plugin: SSL error: Certificates do not conform to algorithm constraints
Project ID: 47b600fc-286c-4eb8-8bbc-6f205e9a1418
Deploying Keycloak on my project connected to the Postgres plugin always fails. It manages to connect but fails because of an SSL certificate error. It seems you are using the SHA1withRSA algorithm, which is weak and not allowed by Keycloak.
Error:
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
... 32 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
Adding SHA1 back to the list of allowed algorithms in Keycloak during docker build doesn't work as it seems we are not allowed access to the file system.
Adding SHA1 back to the list of allowed algorithms in Keycloak during docker build doesn't work as it seems we are not allowed access to the file system.
Can you please elaborate further on this?
@Brody Keycloak recently added SHA1 to the list of disabled ssl algos.
The general advice for devs encountering this issue when trying to connect to cloud DBs still using this algo is to manually edit the java.config file to remove SHA1 from the list of disabled algos during docker build https://github.com/keycloak/keycloak/issues/19185#issuecomment-1480763024
I have tried this, but that doesn't work on Railway. Every time I try I get a permission denied, these are my logs. When I try to write to a temporary file and use that file as the new java.config:
#5 DONE 4.4s
#7 [builder 2/6] RUN sed -i 's/jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048/jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048/' /usr/share/crypto-policies/DEFAULT/java.txt
#7 1.769 sed: couldn't open temporary file /usr/share/crypto-policies/DEFAULT/sedvMPHzX: Permission denied
#7 ERROR: process "/bin/sh -c sed -i 's/jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048/jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048/' /usr/share/crypto-policies/DEFAULT/java.txt" did not complete successfully: exit code: 4
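Before relaxing jdk.certpath.disabledAlgorithms, it is worth confirming what the Postgres server actually presents. The following is an added example, not code from the thread or from Keycloak: it performs the Postgres SSLRequest handshake, pulls the server certificate, reads the outer signature algorithm OID with a minimal DER walker, and approximates the JDK name match that produces "Algorithm constraints check failed" (keySize rules are not modelled). The host and port are assumptions and the sample DER is a constructed skeleton, not a real certificate.

```python
import socket, ssl, struct

SIG_OIDS = {  # signature-algorithm OIDs -> JDK names as they appear in the error
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}
DISABLED = ("MD2", "SHA1", "MD5", "DSA")  # names from the default line quoted above
# Constructed sample (not a real cert): empty tbsCertificate + SHA1withRSA OID.
SAMPLE_SHA1_DER = bytes.fromhex("3012" "3000" "300b06092a864886f70d010105" "030100")

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 sub-identifiers, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the outer signatureAlgorithm name (or raw OID) of a DER cert."""
    _, start, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)  # tbsCertificate, skipped whole
    _, alg, _ = _tlv(der, tbs_end)    # signatureAlgorithm ::= SEQUENCE
    _, s, e = _tlv(der, alg)          # AlgorithmIdentifier.algorithm ::= OID
    oid = _decode_oid(der[s:e])
    return SIG_OIDS.get(oid, oid)

def blocked_by_certpath_policy(alg_name, disabled=DISABLED):
    """Approximate the JDK name match: digest or key part of 'XwithY' is listed."""
    return any(part in disabled for part in alg_name.upper().split("WITH"))

def fetch_postgres_cert(host, port=5432, timeout=5):
    """Postgres STARTTLS: send SSLRequest (code 80877103), expect b'S', then TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!II", 8, 80877103))
        if sock.recv(1) != b"S":
            raise RuntimeError("server declined SSL")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspection only
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Run `blocked_by_certpath_policy(signature_algorithm(fetch_postgres_cert(PGHOST, PGPORT)))` against the plugin's host; a True result means the default policy will reject that certificate exactly as the stack trace shows.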
can you show me where you are running that command from
@Brody This is the Dockerfile
FROM quay.io/keycloak/keycloak:22.0.1 AS builder
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange
ENV KC_DB=postgres
# Drop SHA1 from the certpath disabled list; this in-place edit is what fails with "Permission denied" on Railway
RUN sed -i 's/jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048/jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048/' /etc/crypto-policies/back-ends/java.config
ADD --chown=keycloak:keycloak https://github.com/klausbetz/apple-identity-provider-keycloak/releases/download/1.7.0/apple-identity-provider-1.7.0.jar /opt/keycloak/providers/apple-identity-provider-1.7.0.jar
COPY themes/keywind/theme/keywind /opt/keycloak/themes/keywind
COPY realms /opt/keycloak/data/import
RUN /opt/keycloak/bin/kc.sh build
# Final Image
FROM quay.io/keycloak/keycloak:22.0.1
# Copying Keycloak
COPY --from=builder /opt/keycloak/ /opt/keycloak/
WORKDIR /opt/keycloak
ENV HOSTNAME=${HOSTNAME}
ENV KEYCLOAK_ADMIN=${KEYCLOAK_USER}
ENV KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD}
ARG PGHOST
ARG PGPORT
ARG PGDATABASE
ARG PGUSER
ARG PGPASSWORD
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
# Note: exec-form CMD passes the ${...} strings literally; no shell expands them at runtime
CMD ["start", "--proxy", "edge", "--hostname", "${HOSTNAME}", "--import-realm", "--db=postgres", "--db-url", "jdbc:postgresql://${PGHOST}:${PGPORT}/${PGDATABASE}", "--db-username", "${PGUSER}", "--db-password", "${PGPASSWORD}"]
hello, sorry I've had a busy day today.
I was able to build and deploy Keycloak without any errors. I've only tested logging in, as I don't know what Keycloak actually is; I've only heard about it when you opened this thread.
I've used this Dockerfile:
and instead of using sed to modify the java.config file, we just copy in our own pre-modified config file as you can see, here is that pre-modified file:
I have also used these service variables
No problem, thanks. Will check it out
Hello, I have this issue when I tried to copy the Dockerfile you sent before, can you help with that please?
please read over the messages I have sent the original poster
I've read them and didn't find anything related to "/java.config: not found"
Did you face the same problem as mine when building the image you sent here in chat?
#🛂|readme #5
Oh I see, sorry about that
If you had read the messages I had sent to the original poster, you would have read this message, where I provide the java.config file. Had you read this message and used this config file in your project, you would not be getting the java.config not found error.
Okay, I got what you meant, and now it seems okay. Thanks
Just seen this @CheckMaathy. Is your deployment working now?
Yeah!
It's working fine
I'm happy to hear that it's still working!