I am using the standard Docker image from here: https://hub.docker.com/r/jboss/keycloak/
Then I run the following command to build it:
docker run \
-v /etc/letsencrypt/live/ds-gym.de/fullchain.pem:/etc/x509/https/fullchain.pem \
-v /etc/letsencrypt/live/ds-gym.de/privatekey.pem:/etc/x509/https/privatekey.pem \
-e KEYCLOAK_USER=myadmin \
-e KEYCLOAK_PASSWORD=mypassword \
-p 8443:8443 jboss/keycloak
Unfortunately, I get the following error:
ERROR [io.undertow.request] (default I/O-1) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common
Do I have to convert the files to .crt and .key?
I don't think that matters. How can I fix this?
Best answer
It seems that Keycloak is not using the private key and certificate you provided. They should be provided as tls.key and tls.crt.
So changing your mounts accordingly should be enough:
-v /etc/letsencrypt/live/ds-gym.de/fullchain.pem:/etc/x509/https/tls.crt \
-v /etc/letsencrypt/live/ds-gym.de/privatekey.pem:/etc/x509/https/tls.key \
My Keycloak instance also runs with the latest Keycloak version and LetsEncrypt without any problems.
Edit:
My docker-compose setup, maybe it helps you debug.
$ ls -l
-rw-r--r-- 1 user 197121 904 Dez 22 13:28 docker-compose.yml
-rw-r--r-- 1 user 197121 3566 Dez 22 13:28 fullchain.pem
-rw-r--r-- 1 user 197121 1708 Dez 22 13:28 privatekey.pem
docker-compose.yml
version: "3.7"
services:
  mysql:
    image: mysql:5.7
    volumes:
      - mysql_data:/var/lib/mysql
    ports:
      - 3306:3306
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: password
  keycloak:
    image: jboss/keycloak
    ports:
      - 8443:8443
    environment:
      PROXY_ADDRESS_FORWARDING: "true"
      DB_VENDOR: MYSQL
      DB_ADDR: mysql
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      JDBC_PARAMS: "useSSL=false"
    volumes:
      - mysql_data:/opt/jboss/mysql_data
      - ./fullchain.pem:/etc/x509/https/tls.crt
      - ./privatekey.pem:/etc/x509/https/tls.key
    depends_on:
      - mysql
    links:
      - mysql
volumes:
  mysql_data:
    driver: local
After starting Keycloak, I can connect to it over SSL:
$ curl -v 'https://localhost:8443'
0* Connected to localhost (127.0.0.1) port 8443 (#0)
...
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=mydomain.com
* start date: 2019-10-29 01:25:18 GMT
* expire date: 2020-01-27 01:25:18 GMT
* subjectAltName does not match localhost
* SSL: no alternative certificate subject name matches target host name 'localhost'
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, Client hello (1):
} [2 bytes data]
curl: (51) SSL: no alternative certificate subject name matches target host name 'localhost'
SSL works in general and only fails because the LetsEncrypt certificate is not valid for localhost :-)
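A preflight script for the mount fix described in the answer, added here as an example (it is not code from the post or from the Keycloak project). It assumes the question's source file names (fullchain.pem and privatekey.pem in a certbot live directory) and the /etc/x509/https/tls.crt and tls.key targets the answer names; the keypair and handshake checks additionally assume openssl and curl are installed.

```shell
#!/bin/sh
# Preflight for the Keycloak TLS mounts (added example; not from the post or the project).
# Assumptions: source files are named fullchain.pem / privatekey.pem as in the question,
# and the container reads /etc/x509/https/tls.crt and tls.key as the answer states.
CERT_SRC="fullchain.pem"
KEY_SRC="privatekey.pem"
TLS_DIR="/etc/x509/https"

# True when the file is readable by the current user and carries the expected PEM marker.
pem_has_marker() {
  [ -r "$1" ] && grep -q "$2" "$1"
}

# Prints the two -v flags that map the PEM files onto the names Keycloak expects.
# Prints nothing and returns 1 if either file is missing, unreadable or not PEM,
# so a wrong mount is caught before the container reports "no cipher suites in common".
keycloak_tls_mounts() {
  dir="$1"
  pem_has_marker "$dir/$CERT_SRC" "BEGIN CERTIFICATE" \
    || { echo "missing, unreadable or not a certificate: $dir/$CERT_SRC" >&2; return 1; }
  pem_has_marker "$dir/$KEY_SRC" "PRIVATE KEY" \
    || { echo "missing, unreadable or not a private key: $dir/$KEY_SRC" >&2; return 1; }
  printf '%s\n' "-v $dir/$CERT_SRC:$TLS_DIR/tls.crt"
  printf '%s\n' "-v $dir/$KEY_SRC:$TLS_DIR/tls.key"
}

# Confirms the private key belongs to the certificate by comparing the public keys
# derived from each (requires openssl). Either openssl call failing counts as a mismatch.
keycloak_tls_keypair_matches() {
  dir="$1"
  cert_pub=$(openssl x509 -noout -pubkey -in "$dir/$CERT_SRC") || return 1
  key_pub=$(openssl pkey -pubout -in "$dir/$KEY_SRC") || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Handshake probe that avoids the SAN mismatch the answer hits with https://localhost:
# --resolve pins the certificate's hostname to the local address, so curl can verify the chain.
keycloak_tls_probe() {
  host="$1"; port="${2:-8443}"
  curl -sS --resolve "$host:$port:127.0.0.1" -o /dev/null -w '%{http_code}\n' "https://$host:$port/"
}

# Usage: sh preflight.sh /etc/letsencrypt/live/ds-gym.de   (path taken from the question)
if [ $# -ge 1 ]; then
  keycloak_tls_mounts "$1" && keycloak_tls_keypair_matches "$1" && echo "key and certificate match"
fi
```

Paste the printed -v flags into the docker run command from the question; a non-zero exit means the mount would not give Keycloak a usable key pair.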
Regarding docker - Keycloak error with Docker and Letsencrypt certificates, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59438777/