java - keycloak - SSL 错误 : Certificates do not conform to algorithm constraints

我正在使用以下 docker 命令运行连接到 Amazon RDS Postgres 的 keycloak 实例:

docker run --rm --name keycloak \
-p 9090:8080 -e KEYCLOAK_USER=xxx \
-e KEYCLOAK_PASSWORD=xxx \
-e DB_VENDOR=postgres \
-e DB_ADDR=mydb2.xxx.rds.amazonaws.com:5432 \
-e DB_USER=xxx \
-e DB_PASSWORD=xxx \
-e DB_DATABASE=keycloak \
jboss/keycloak:latest

但无法连接到数据库:

05:18:54,776 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"keycloak-server.war\".undertow-deployment" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: Failed to connect to database
    Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    Caused by: org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints
    Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
    Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=mydb2.xxx.us-east-1.rds.amazonaws.com.  Usage was tls server"}}

我确信以下几点:

RDS 实例可用，端口已打开。我用psql检查过。
jboss/keycloak:7.0.1 会发生这种情况，jboss/keycloak:7.0.0 则不会发生这种情况。版本7.0.0工作正常。

为什么会发生这种情况以及如何解决？

这可能是一个太宽泛的问题，但我不是 Java 人员(我主要使用 Python)，所以这是我所能做到的最狭窄的问题。

最佳答案

就像 Jan Garaj's answer 中所说的那样使用不同的 Java 版本。

此操作失败，因为 RDS 使用的 RSA key 只有 1024 位长，而 java.security 只允许长度超过 1024 位的 key 。

将您的 RDS 更新到新的证书颁发机构 (rds-ca-2019) 似乎会创建更长的 key 并解决此问题。

AWS has documentation on how to do this.

关于java - keycloak - SSL 错误 : Certificates do not conform to algorithm constraints，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/58796587/

java - keycloak - SSL 错误 : Certificates do not conform to algorithm constraints

上一篇：java - while 和 if 语句中无法访问代码

下一篇：java - 如何在 Pattern.compile() 中转义管道字符