CODEWITHSUNDEEP
dockersslkeycloak
Data Mastery
Data Mastery

Reputation: 2085

Keycloak Error with Docker and Letsencrypt certificates again

I build a new website and want to run the Keycloak in a Docker Setup with the following command:

docker run \
 -v /etc/letsencrypt/live/data-mastery.com/fullchain.pem:/etc/x509/https/tls.crt \
 -v /etc/letsencrypt/live/data-mastery.com/privkey.pem:/etc/x509/https/tls.key \
 -e KEYCLOAK_USER=myadmin \
 -e KEYCLOAK_PASSWORD=mypassword \
 -e PROXY_ADDRESS_FORWARDING=true \
 -p 8443:8443 jboss/keycloak

This is my nginx:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

}

server {
  listen                443;
  server_name           data-mastery.com;


  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  ssl_certificate /etc/letsencrypt/live/data-mastery.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/data-mastery.com/privkey.pem; # managed by Certbot

   location /auth/ {
       proxy_pass          https://127.0.0.1:8443;

       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_read_timeout 600s;

       proxy_redirect    off;
       proxy_set_header  Host             $http_host;
       proxy_set_header  X-Real-IP        $remote_addr;
       proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
       proxy_set_header  X-Forwarded-Proto $scheme;
     }

}



server {
    if ($host = data-mastery.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 ;
    listen [::]:80 ;
    server_name data-mastery.com;
    return 404; # managed by Certbot

}

I get the follwing Error/Warning, which actually helps me to see that there is a valid SSL Setup by Keycloak:

WARN: Establishing SSL connection without server's identity verification is not recommended
. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications no
t using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for s
erver certificate verification.

I set up all ciphers, ssl protocols and still it does not work, even though there seems to be a valid SSL Connection. However, when I access my /auth endpoint I get an error. I´m quite helpless.

ERROR [io.undertow.request] (default I/O-1) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common

Upvotes: 1

Views: 1349

Answers (1)

Alexandre LEROY
Alexandre LEROY

Reputation: 2280

maybe you can add cipher list accepted by your configuration. try that:

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

and you can also configure wanted protocols

ssl_protocols TLSv1.2 TLSv1.3;

ERROR [io.undertow.request] (default I/O-1) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common

This error tell us that your client and your server doesn't have a cipher in common to communicate. Check cipher used by your client, and cipher used by your server. Be sure there is at least one in common

Upvotes: 1

Related Questions