Nginx with Let's Encrypt to access keycloak auth dcm4chee-arc/ui2


Alexandre Marquez Filho

Jul 24, 2018, 11:38:11 AM
to dcm4che
I'm doing tests following this install option:

Run secured archive services and Elastic Stack on a single host. Use docker-compose.

I had several difficulties with nginx as a reverse proxy from HTTPS (Let's Encrypt) to HTTPS (Java keystore), to access the Keycloak auth and dcm4chee-arc/ui2:

    location /auth {
      proxy_pass              https://localhost:8843/auth;
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
    }

    location /dcm4chee-arc {
      proxy_redirect off;
      proxy_pass              https://localhost:8443/dcm4chee-arc;
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      # $scheme, not $https: $https expands to "on" (or empty), which is not a
      # valid X-Forwarded-Proto value and breaks the redirect URIs the backend builds.
      proxy_set_header        X-Forwarded-Proto $scheme;
    }


When you access dcm4chee-arc/ui2, the redirect to Keycloak's auth works, but when the credentials are validated and it returns to dcm4chee-arc, a "Forbidden" error occurs. An SSL error is reported in the log.

2018-07-24 11:07:09,189 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

One solution is to add the trust chain to the keystore permanently.
I use the path /var/local/dcm4chee-arc on the Docker host.

#  keytool -importcert -trustcacerts -noprompt -alias letsencrypt -keystore /var/local/dcm4chee-arc/wildfly/configuration/dcm4chee-arc/cacerts.jks -storepass secret -file /etc/letsencrypt/live/$domain/chain.pem
#  keytool -importcert -trustcacerts -noprompt -alias letsencrypt -keystore /var/local/dcm4chee-arc/keycloak/configuration/keycloak/cacerts.jks -storepass secret -file /etc/letsencrypt/live/$domain/chain.pem



In my case it worked, but I had to bring all 8 containers down and up again.

Does anyone have a different approach, or can this be improved?

What is the best way to integrate this solution with docker or docker-compose?

Thanks

Lenin4ever

Mar 11, 2021, 5:30:17 AM
to dcm4che
https://github.com/dcm4che-dockerfiles/dcm4chee-arc-psql
Rebuild your dcm4chee-arc-psql Docker container with the parameter:
DISABLE_TRUST_MANAGER
If the Keycloak server requires HTTPS and this config option is set to true, the Keycloak server's certificate is not validated via the truststore (optional, default value is false).

On Tuesday, July 24, 2018 at 18:38:11 UTC+3, alexan...@gmail.com wrote:
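The procedure from the first post (import the Let's Encrypt chain into both JKS truststores, then restart the JVM containers), written up as a script that can be wired into docker-compose and certbot. This is an added example for this thread, not code from the dcm4chee-arc project or from either poster. It assumes the /var/local/dcm4chee-arc layout and the "secret" store password quoted above, a placeholder domain, a docker-compose.yml in the current directory, and that the compose services are named "arc" and "keycloak"; all of those are overridable from the environment. Importing the chain keeps certificate validation on for the adapter's code-to-token exchange; the DISABLE_TRUST_MANAGER=true route in the reply makes that PKIX error disappear by turning validation off, so a host on the path to the token endpoint could impersonate Keycloak.

```shell
#!/bin/sh
# Added example for this thread (not dcm4chee-arc project code). Imports the
# Let's Encrypt chain into the two truststores named in the first post, shows
# the imported entry, and restarts the two JVM containers so they reload it.
set -eu

DOMAIN="${DOMAIN:-archive.example.org}"              # assumed placeholder domain
CHAIN="${CHAIN:-/etc/letsencrypt/live/$DOMAIN/chain.pem}"
BASE="${BASE:-/var/local/dcm4chee-arc}"              # layout from the first post
STOREPASS="${STOREPASS:-secret}"                     # thread default; change in production
ALIAS="${ALIAS:-letsencrypt}"
COMPOSE_YML="${COMPOSE_YML:-./docker-compose.yml}"   # assumed location
DRY_RUN="${DRY_RUN:-0}"                              # 1 = print commands instead of running them

# Space-separated list (these paths contain no spaces): the Keycloak adapter's
# truststore inside WildFly and Keycloak's own. The adapter is the one logging
# "failed to turn code into token": importing the Let's Encrypt chain fixes it,
# which tells you it reaches the token endpoint through the nginx-served URL.
TRUSTSTORES="$BASE/wildfly/configuration/dcm4chee-arc/cacerts.jks $BASE/keycloak/configuration/keycloak/cacerts.jks"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse to continue unless CHAIN is a readable PEM file: an import of nothing
# leaves the PKIX error in place and looks like the fix simply did not work.
require_chain() {
  if [ ! -r "$1" ]; then echo "chain file not readable: $1" >&2; return 1; fi
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo "not a PEM certificate: $1" >&2; return 1
  fi
  return 0
}

# Import the chain under ALIAS into every truststore listed in "$2", replacing a
# previous import so a renewal that rotates the intermediate leaves no stale entry.
import_chain() {
  chain="$1"; stores="$2"
  require_chain "$chain" || return 1
  for store in $stores; do
    # -delete fails when the alias does not exist yet (first run); that is fine.
    run keytool -delete -alias "$ALIAS" -keystore "$store" -storepass "$STOREPASS" 2>/dev/null || true
    run keytool -importcert -trustcacerts -noprompt -alias "$ALIAS" \
        -keystore "$store" -storepass "$STOREPASS" -file "$chain"
    # Show the entry so the operator can confirm the CA is now trusted.
    run keytool -list -alias "$ALIAS" -keystore "$store" -storepass "$STOREPASS"
  done
}

# The JVM reads cacerts.jks at startup, so the containers must be restarted. The
# first post brought the whole stack down and up; restarting the two JVM services
# (assumed names "arc" and "keycloak") is enough.
restart_stack() {
  run docker-compose -f "$COMPOSE_YML" restart arc keycloak
}

main() {
  import_chain "$CHAIN" "$TRUSTSTORES"
  restart_stack
}

# Runs only when invoked as "./import-letsencrypt-chain.sh apply", so the file
# can also be sourced for its functions or dry-run with DRY_RUN=1.
case "${1:-}" in apply) main ;; esac
```

To make the import survive renewals, run it from certbot's deploy hook, e.g. `certbot renew --deploy-hook '/usr/local/sbin/import-letsencrypt-chain.sh apply'`, so the truststores are refreshed and the containers restarted whenever the chain changes; `DRY_RUN=1 ./import-letsencrypt-chain.sh apply` prints the exact keytool and docker-compose commands without touching anything.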