Unable to enable SSL in Keycloak 16.1.0 standalone


Vaibhav Saxena

Jan 4, 2022, 10:28:25 AM
to keyclo...@googlegroups.com
Hello,
I need some help in configuring SSL.

Steps I performed:
  1. Configured Keycloak in an Azure Windows VM (having a DNS name mapped to the public IP)
  2. From the internet, able to open both pages:
    1. https://<DNS>:8443/auth/ (with a "not secure" error at this time)
    2. http://<DNS>:8080/auth/
  3. Generated a private key and keystore using this command inside the standalone/configuration folder >> keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keycloak.jks -dname "CN=XXX, OU=XXX, O=XXX, L=XXX, ST=XXX, C=XXX"
  4. Created a CSR >> keytool -certreq -alias server -file XXX.csr -keystore keycloak.jks
  5. Obtained root, CA and SSL certs and imported them into the keystore:
    1. keytool -import -trustcacerts -alias root -file XXX.crt -keystore keycloak.jks -storepass XXX
    2. keytool -import -trustcacerts -alias intermediate -file XXXCA.crt -keystore keycloak.jks -storepass XXX
    3. keytool -import -trustcacerts -alias domain -file XXX.crt -keystore keycloa.jks -storepass XXX
  6. Followed the documentation and ran the commands below from the JBoss CLI:
    1. $ /subsystem=elytron/key-store=httpsKS:add(relative-to=jboss.server.config.dir,path=keycloak.jks,credential-reference={clear-text=XXX},type=JKS)
    2. $ /subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=XXX})
    3. $ /subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.3"])
    4. $ /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)
    5. Reloaded JBoss
  7. Restarted Keycloak
After this the HTTPS URL stopped working. Even from inside the VM, https://localhost:8443/auth/ is also not working.
The HTTP one is working fine.

Please help; what step am I missing here?
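An added check (not from the thread) that fits between step 5 and step 6 above: before wiring the keystore into Elytron, confirm that the alias the private key was generated under ("server") is a PrivateKeyEntry whose certificate chain is longer than one certificate, i.e. that the CA-signed certificate was attached to the private key rather than stored as a separate trusted entry. The function parses the output of `keytool -list -v`; the keystore path, alias and password in the usage comment are placeholders, and the listing embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a `keytool -list -v` listing for
# the alias that Elytron's key-manager will serve from. A freshly generated key
# has a chain of length 1 (its own self-signed cert); after the CA reply is
# imported against the SAME alias the chain length grows to 2 or more.

# check_key_entry LISTING ALIAS
#   LISTING: text captured from `keytool -list -v -keystore ... -storepass ...`
#   ALIAS:   alias holding the private key (the thread uses "server")
# Returns 0 when ALIAS is a PrivateKeyEntry with chain length >= 2,
# 1 when the alias is absent, is not a private key, or still carries only
# the single self-signed certificate.
check_key_entry() {
    listing="$1"; alias="$2"
    printf '%s\n' "$listing" | awk -v want="$alias" '
        /^Alias name:/               { cur = $3 }
        /^Entry type:/               { if (cur == want) type = $3 }
        /^Certificate chain length:/ { if (cur == want) len = $4 }
        END {
            if (type != "PrivateKeyEntry") exit 1
            if (len + 0 < 2) exit 1
            exit 0
        }'
}

# Constructed sample listing (placeholder values): the CA certs are trusted
# entries, the "server" key entry already carries a 3-certificate chain.
SAMPLE_LISTING='Alias name: root
Entry type: trustedCertEntry
Alias name: intermediate
Entry type: trustedCertEntry
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=placeholder.example, O=XXX, C=XX'

# Real usage (keytool on PATH, placeholder keystore/password):
#   check_key_entry "$(keytool -list -v -keystore keycloak.jks -storepass XXX)" server
if check_key_entry "$SAMPLE_LISTING" server; then
    echo "alias server: private key with CA-signed chain, ready for Elytron"
else
    echo "alias server: chain not attached to the private key; import the CA reply under that alias" >&2
fi
```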

Jan Lieskovsky

Jan 4, 2022, 12:10:40 PM
to Vaibhav Saxena, Keycloak User
On Tue, Jan 4, 2022 at 4:28 PM Vaibhav Saxena <vsaxe...@gmail.com> wrote:
Hello,
I need some help in configuring SSL.

Steps I performed:
  1. Configured Keycloak in an Azure Windows VM (having a DNS name mapped to the public IP)
  2. From the internet, able to open both pages:
    1. https://<DNS>:8443/auth/ (with a "not secure" error at this time)
    2. http://<DNS>:8080/auth/
  3. Generated a private key and keystore using this command inside the standalone/configuration folder >> keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keycloak.jks -dname "CN=XXX, OU=XXX, O=XXX, L=XXX, ST=XXX, C=XXX"
  4. Created a CSR >> keytool -certreq -alias server -file XXX.csr -keystore keycloak.jks
  5. Obtained root, CA and SSL certs and imported them into the keystore:
    1. keytool -import -trustcacerts -alias root -file XXX.crt -keystore keycloak.jks -storepass XXX
    2. keytool -import -trustcacerts -alias intermediate -file XXXCA.crt -keystore keycloak.jks -storepass XXX
    3. keytool -import -trustcacerts -alias domain -file XXX.crt -keystore keycloa.jks -storepass XXX
There's a typo "keycloa.jks" in step 3 vs. "keycloak.jks" in the other two steps and the Elytron configuration below.

The rest of the steps / configuration LGTM AFAICT.
 
  6. Followed the documentation and ran the commands below from the JBoss CLI:
    1. $ /subsystem=elytron/key-store=httpsKS:add(relative-to=jboss.server.config.dir,path=keycloak.jks,credential-reference={clear-text=XXX},type=JKS)
    2. $ /subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=XXX})
    3. $ /subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.3"])
    4. $ /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)
    5. Reloaded JBoss
  7. Restarted Keycloak
After this the HTTPS URL stopped working. Even from inside the VM, https://localhost:8443/auth/ is also not working.
The HTTP one is working fine.

Please help; what step am I missing here?

If you start Keycloak with SSL debugging enabled (with -Djavax.net.debug=all option), can you see the expected
(above generated) certificates in that verbose output?
 
