Issue with .well-known Configuration

[JustCodeIt4Head]

Hello, I tried to Set up Catalyst with the respective Guide at https://catalyst-soar.com/docs/catalyst/admin/install and run into some Issues with my Setup, I believe. I'm getting the Error:

and

I currently don't use a dedicated OpenID Connect system, so I kept the Default Values for that, since commenting out lead to Errors related to OIDC.

Step 5-6C says to create a Keycloak Client, but as far as I'm aware (and the linked documentation describes) that's only possible in the Keycloak Web interface, which is started in Step 6, is my Issue in that Step?

My Server is virtualized via Proxmox. The Traffic is routed via a Sophos XG Virtual Appliance to a Reverse Proxy VM and from there routed to the VM that runs Catalyst. Had no Issues so far setting up other systems like matrix synapse, so I don't think my routing outside the vm should be an Issue.

Cheers

[cugu]

True, I have a circular dependency there. I'll improve that setup description. Also I consider removing Keycloak as a dependency, to make it easier to setup.

For now you have two options:

1. Start Keycloak before
   1. Comment the catalyst container out in the docker-compose.yml
   2. Start the system (docker-compose -f docker-compose.yml -f docker-compose-ssl.yml up)
   3. Setup a Keycloak client
   4. Continue with 5.vi.c
2. Use the existing catalyst client
   1. Set the environment variables to: OIDC_CLIENT_ID: catalyst OIDC_ISSUER: https://_YOURDOMAIN_OR_IP.EXAMPLE.COM_:9002/auth/realms/catalyst OIDC_CLIENT_SECRET: d3ec0d91-b6ea-482d-8a4e-2f5a7ca0b4cb
   2. You should change the catalyst client secret afterwards as this one is public

[JustCodeIt4Head]

Hi, Way 2 did the trick and Keycloak was reachable, and a User could be created. However, Catalyst is not reachable via the Domain. The Server Displays a 502 and the Log reads that Catalyst could not be found, and I suspect an Issue with the .yml.

Does the EXTERNAL_ADDRESS in docker-compose.yml and in docker-compose-ssl.yml have to be the same (so in my case catalyst.mydomain.com)?

[cugu]

You just need EXTERNAL_ADDRESS it in one place. This is EXTERNAL_ADDRESS: https://try.catalyst-soar.com for the online test instance for example.

There is also CATALYST_ADDRESS that is used for internal connections. It is http://catalyst:8000 as a default which should be sufficient, if you did not change the setup.

[JustCodeIt4Head]

Hello, the Issue seems related to the SSL certificates that are being used it seems. The Catalyst container is permanently restarting with the following Error when i use the provided SSL Certificate from the Repo:

When i use my own certificate from Lets Encrypt, I get this Error:

I tried to figure out how to add a certificate to Keycloak for validation, but it seems that Keycloak does not support that via the GUI. I used the internal IP (10.10.10.13) for the External Address as well as for the Keycloak Base URL. Keycloak works fine.

[cugu]

You can add the certificates to the nginx reverse proxy and then reference this one and not Keycloak directly.

[JustCodeIt4Head]

I replaced both cert and key with my own certs, thats what leads to the 2nd screenshot.

How can i change the reference from Keycloak to direct authentication? Since the Catalyst container wont even start bc of the Message shown above

[cugu]

Currently catalyst requires a OIDC provider and does not run without.

As far as I know lets encrypt does not issue certificates for IP addresses. Did that change? Otherwise you have to use the domain for OIDC_ISSUER not the 10.10.10.13 IP (e.g. https://try.catalyst-soar.com:9002/auth/realms/catalyst for the online test instance).

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.