Postgres Plugin: SSL error: Certificates do not conform to algorithm constraints

Project ID: 47b600fc-286c-4eb8-8bbc-6f205e9a1418

Deploying keycloak on my project connected to the postgres plugin always fails. It manages to connect but fails because of an SSL certificate error. It seems you are using the SHA1withRSA algorithm which is weak and not allowed by Keycloak. Error:

java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
... 32 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA

Adding SHA1 back to the list of allowed algorithms in Keycloak during docker build doesn't work as it seems we are not allowed access to the file system.
17 Replies
Percy
Percy16mo ago
Project ID: 47b600fc-286c-4eb8-8bbc-6f205e9a1418
Brody
Brody16mo ago
Adding SHA1 back to the list of allowed algorithms in Keycloak during docker build doesn't work as it seems we are not allowed access to the file system.
can you please elaborate further on this
CodingAllTheTime
CodingAllTheTimeOP16mo ago
@Brody Keycloak recently added SHA1 to the list of disabled ssl algos. The general advice for devs encountering this issue when trying to connect to cloud db's still using this algo is to manually edit the java.config file to remove SHA1 from the list of disabled algos during docker build https://github.com/keycloak/keycloak/issues/19185#issuecomment-1480763024

I have tried this, but that doesn't work on Railway. Every time I try I get a permission denied; these are my logs. When I try to write to a temporary file and use that file as the new java.config:

#5 DONE 4.4s
#7 [builder 2/6] RUN sed -i 's/jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048/jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048/' /usr/share/crypto-policies/DEFAULT/java.txt
#7 1.769 sed: couldn't open temporary file /usr/share/crypto-policies/DEFAULT/sedvMPHzX: Permission denied
#7 ERROR: process "/bin/sh -c sed -i 's/jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048/jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048/' /usr/share/crypto-policies/DEFAULT/java.txt" did not complete successfully: exit code: 4
Brody
Brody16mo ago
can you show me where you are running that command from
CodingAllTheTime
CodingAllTheTimeOP16mo ago
@Brody This is the Dockerfile

FROM quay.io/keycloak/keycloak:22.0.1 AS builder

ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange
ENV KC_DB=postgres

RUN sed -i 's/jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048/jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048/' /etc/crypto-policies/back-ends/java.config

ADD --chown=keycloak:keycloak https://github.com/klausbetz/apple-identity-provider-keycloak/releases/download/1.7.0/apple-identity-provider-1.7.0.jar /opt/keycloak/providers/apple-identity-provider-1.7.0.jar

COPY themes/keywind/theme/keywind /opt/keycloak/themes/keywind

COPY realms /opt/keycloak/data/import

RUN /opt/keycloak/bin/kc.sh build

# Final Image
FROM quay.io/keycloak/keycloak:22.0.1

# Copying Keycloak
COPY --from=builder /opt/keycloak/ /opt/keycloak/

WORKDIR /opt/keycloak

ENV HOSTNAME=${HOSTNAME}
ENV KEYCLOAK_ADMIN=${KEYCLOAK_USER}
ENV KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD}

ARG PGHOST
ARG PGPORT
ARG PGDATABASE
ARG PGUSER
ARG PGPASSWORD

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
CMD ["start", "--proxy", "edge", "--hostname", "${HOSTNAME}", "--import-realm", "--db=postgres", "--db-url", "jdbc:postgresql://${PGHOST}:${PGPORT}/${PGDATABASE}", "--db-username", "${PGUSER}", "--db-password", "${PGPASSWORD}"]
Brody
Brody16mo ago
hello, sorry ive had a busy day today. i was able to build and deploy keycloak without any errors, ive only tested logging in, as i dont know what keycloak actually is, ive only heard about it when you opened this thread. ive used this Dockerfile:
FROM quay.io/keycloak/keycloak:22.0.1 AS base

FROM base AS builder

ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange
ENV KC_DB=postgres

ADD --chown=keycloak:keycloak https://github.com/klausbetz/apple-identity-provider-keycloak/releases/download/1.7.0/apple-identity-provider-1.7.0.jar /opt/keycloak/providers/apple-identity-provider-1.7.0.jar

COPY /themes/keywind/theme/keywind /opt/keycloak/themes/keywind

COPY /realms /opt/keycloak/data/import

RUN /opt/keycloak/bin/kc.sh build

FROM base AS final

COPY java.config /etc/crypto-policies/back-ends/java.config

WORKDIR /opt/keycloak

COPY --from=builder /opt/keycloak/ ./

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

CMD ["start", "--optimized", "--proxy", "edge", "--hostname", "${RAILWAY_STATIC_URL}", "--import-realm", "--db=postgres", "--db-url", "jdbc:postgresql://${PGHOST}:${PGPORT}/${PGDATABASE}", "--db-username", "${PGUSER}", "--db-password", "${PGPASSWORD}"]
and instead of using sed to modify the java.config file, we just copy in our own pre-modified config file as you can see, here is that pre modified file:
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
jdk.tls.legacyAlgorithms=
i have also used these service variables
DATABASE_URL=${{Postgres.DATABASE_URL}}
KEYCLOAK_ADMIN=brody
KEYCLOAK_ADMIN_PASSWORD=q4u/rEhW=s#2Lj<cF?@y%6nM
PGDATABASE=${{Postgres.PGDATABASE}}
PGHOST=${{Postgres.PGHOST}}
PGPASSWORD=${{Postgres.PGPASSWORD}}
PGPORT=${{Postgres.PGPORT}}
PGUSER=${{Postgres.PGUSER}}
PORT=8080
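What the edited java.config actually changes, as an added Python example written for this thread (it is not code from the thread, from Keycloak or from the JDK): a simplified model of how `jdk.certpath.disabledAlgorithms` is evaluated against a certificate's signature algorithm. The two policy lines are the DEFAULT crypto-policies line the sed command above targets and Brody's edited line; `check_cert_path`, `parse_policy` and `decompose` are hypothetical helper names. Only bare algorithm names and `keySize <op> N` constraints are modelled; the JDK's `jdkCA`, `usage` and `denyAfter` qualifiers are not, and the JDK also skips the check for trust anchors.

```python
"""Simplified model of the JDK's jdk.certpath.disabledAlgorithms check.

Hypothetical helper written for this thread, not Java's own code. It shows
why a SHA1withRSA server certificate trips 'Algorithm constraints check
failed' under the image's default crypto policy and passes under the edited
java.config, while an undersized RSA key is still rejected either way.
"""
from __future__ import annotations

import operator
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy lines: the crypto-policies DEFAULT line that the
# sed command in this thread targets, and the edited line from the java.config above.
DEFAULT_POLICY = "jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048"
EDITED_POLICY = "jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048"

_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, ">=": operator.ge}

# One entry: an algorithm name, optionally followed by 'keySize <op> N'.
_ENTRY = re.compile(r"(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?")


@dataclass(frozen=True)
class Rule:
    algorithm: str                 # e.g. "SHA1", "RSA", "DSA"
    op: Optional[str] = None       # key-size comparison operator, if any
    key_size: Optional[int] = None

    def matches(self, algorithm: str, key_bits: int) -> bool:
        if self.algorithm.upper() != algorithm.upper():
            return False
        if self.op is None:        # bare name: algorithm disabled outright
            return True
        return _OPS[self.op](key_bits, self.key_size)

    def __str__(self) -> str:
        if self.op is None:
            return self.algorithm
        return f"{self.algorithm} keySize {self.op} {self.key_size}"


def parse_policy(line: str) -> list[Rule]:
    """Parse 'jdk.certpath.disabledAlgorithms=A, B keySize < N, ...' into rules."""
    _, _, value = line.partition("=")
    rules = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        m = _ENTRY.fullmatch(entry)
        if m is None:
            raise ValueError(f"unsupported constraint syntax: {entry!r}")
        name, op, size = m.groups()
        rules.append(Rule(name, op, int(size) if size else None))
    return rules


def decompose(sig_alg: str) -> tuple[str, str]:
    """Split a JCA signature name: 'SHA1withRSA' -> ('SHA1', 'RSA')."""
    digest, sep, key_alg = sig_alg.partition("with")
    if not sep:
        raise ValueError(f"not a <digest>with<key> signature name: {sig_alg!r}")
    return digest, key_alg


def check_cert_path(policy_line: str, sig_alg: str, key_bits: int) -> Optional[str]:
    """Return None if the signature passes, else the text of the rule that rejects it.

    The digest half and the key half of the signature algorithm are checked
    separately, so 'SHA1' and 'RSA keySize < 2048' can each reject SHA1withRSA.
    """
    digest, key_alg = decompose(sig_alg)
    for rule in parse_policy(policy_line):
        if rule.matches(digest, key_bits) or rule.matches(key_alg, key_bits):
            return str(rule)
    return None


if __name__ == "__main__":
    for policy, label in ((DEFAULT_POLICY, "default"), (EDITED_POLICY, "edited")):
        for sig, bits in (("SHA1withRSA", 2048), ("SHA1withRSA", 1024), ("SHA256withRSA", 2048)):
            verdict = check_cert_path(policy, sig, bits)
            print(f"{label:7} {sig:14} {bits}: {'ok' if verdict is None else 'rejected by ' + verdict}")
```

Run it as a script to see the three verdicts per policy. Note that the edited line lifts the SHA1 restriction for every certificate path the JVM validates, not only the Postgres plugin's connection, while the `RSA keySize < 2048` floor and the MD2/MD5/DSA entries still apply; when the database provider's certificate is reissued with SHA-256, the original policy line can be restored.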
CodingAllTheTime
CodingAllTheTimeOP16mo ago
No problem, thanks. Will check it out
checkmaathy
checkmaathy16mo ago
Hello, I have this issue when tried to copy the dockerfile you send before, can you help with that please?
Brody
Brody16mo ago
please read over the messages I have sent the original poster
checkmaathy
checkmaathy16mo ago
I've read them and didn't find anything related to " /java.config: not found" Did you face the same problem as mine when building the image you send here in chat?
Brody
Brody16mo ago
#🛂|readme #5
checkmaathy
checkmaathy16mo ago
Oh I see, sorry about that
Brody
Brody16mo ago
if you had read the messages i had sent to the original poster, you would have read this message, where i provide the java.config file, had you read this message and used this config file in your project, you would not be getting the java.config not found error
checkmaathy
checkmaathy16mo ago
okay, I gotcha what did you mean, and now seems okay. Thanks
CodingAllTheTime
CodingAllTheTimeOP16mo ago
Just seen this @CheckMaathy . Is your deployment working now ?
checkmaathy
checkmaathy16mo ago
Yeah! It's working fine
Brody
Brody16mo ago
I'm happy to hear that it's still working!