bitnami / charts

Bitnami Helm Charts
https://bitnami.com

Keycloak with certificate from cert-manager not working #11644

Closed suchitsancheti closed 2 years ago

suchitsancheti commented 2 years ago

### Name and Version

bitnami/keycloak 9.6.7

### What steps will reproduce the bug?

  1. I have configured the cert-manager to generate the certificate for keycloak SSL:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: keycloak-certificate
      namespace: keycloak
    spec:
      secretName: keycloak-certificate
      duration: 2160h
      renewBefore: 48h
      issuerRef:
        name: keycloak-issuer
        kind: Issuer
      commonName: quarkus.test.cloud
      dnsNames:
        - quarkus.test.cloud
      isCA: true
      keystores:
        jks:
          create: true
          passwordSecretRef:
            key: cert_password
            name: keycloak-cert-secret

    The certificate is created with the following secret key values:

    Type:  kubernetes.io/tls

    Data
    ca.crt:          700 bytes
    keystore.jks:    2701 bytes
    tls.crt:         1196 bytes
    tls.key:         1679 bytes
    truststore.jks:  533 bytes

  2. I have configured the keycloak as:

    auth:
      existingSecretPerPassword:
        keyMapping:
          adminPassword: admin_password
          databasePassword: DB_PASSWORD
          tlsKeystorePassword: cert_password
          tlsTruststorePassword: cert_password
        adminPassword:
          name: keycloak-cert-secret
        databasePassword:
          name: keycloak_db_pass
        tlsKeystorePassword:
          name: keycloak-cert-secret
        tlsTruststorePassword:
          name: keycloak-cert-secret
    tls:
      enabled: true
      autoGenerated: false
      usePem: false
      existingSecret: keycloak-certificate
      truststoreFilename: keystore.jks
      keystoreFilename: truststore.jks

    extraEnvVars:

  3. After applying the above changes, I am getting the following errors:

    Server configuration updated and persisted. Run the following command to review the configuration:

    kc.sh show-config

    Next time you run the server, just run:

    kc.sh start -cf=/opt/bitnami/keycloak/conf/keycloak.conf

    2022-08-08 04:36:58,620 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: , Strict HTTPS: true, Path: , Strict BackChannel: false, Admin: , Port: -1, Proxied: true
    2022-08-08 04:36:59,747 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
    2022-08-08 04:36:59,961 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
    2022-08-08 04:37:00,106 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
    2022-08-08 04:37:00,644 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.9.Final
    2022-08-08 04:37:01,328 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: node_325824, Site name: null
    2022-08-08 04:37:02,303 ERROR [org.keycloak.services] (main) KC-SERVICES0010: Failed to add user 'user' to realm 'master': user with username exists
    2022-08-08 04:37:02,626 ERROR [io.netty.util.concurrent.DefaultPromise.rejectedExecution] (Finalizer) Failed to submit a listener notification task. Event loop shut down?: java.util.concurrent.RejectedExecutionException: event executor terminated
        at io.netty.util.concurrent.SingleThreadEventExecutor.reject(SingleThreadEventExecutor.java:923)
        at io.netty.util.concurrent.SingleThreadEventExecutor.offerTask(SingleThreadEventExecutor.java:350)
        at io.netty.util.concurrent.SingleThreadEventExecutor.addTask(SingleThreadEventExecutor.java:343)
        at io.netty.util.concurrent.SingleThreadEventExecutor.execute(SingleThreadEventExecutor.java:825)
        at io.netty.util.concurrent.SingleThreadEventExecutor.execute(SingleThreadEventExecutor.java:815)
        at io.netty.util.concurrent.DefaultPromise.safeExecute(DefaultPromise.java:841)
        at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:499)
        at io.netty.util.concurrent.DefaultPromise.addListener(DefaultPromise.java:184)
        at io.netty.util.concurrent.DefaultPromise.addListener(DefaultPromise.java:35)
        at io.vertx.core.net.impl.TCPServerBase.actualClose(TCPServerBase.java:271)
        at io.vertx.core.net.impl.TCPServerBase.close(TCPServerBase.java:264)
        at io.vertx.core.http.impl.HttpServerImpl.close(HttpServerImpl.java:267)
        at io.vertx.core.http.impl.HttpServerImpl.close(HttpServerImpl.java:238)
        at io.vertx.core.net.impl.TCPServerBase.finalize(TCPServerBase.java:304)
        at java.base/java.lang.System$2.invokeFinalize(System.java:2125)
        at java.base/java.lang.ref.Finalizer.runFinalizer(Finalizer.java:87)
        at java.base/java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:171)

    2022-08-08 04:37:02,631 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
    2022-08-08 04:37:02,631 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start HTTP server
    2022-08-08 04:37:02,632 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: io.vertx.core.VertxException: java.io.IOException: Keystore was tampered with, or password was incorrect
    2022-08-08 04:37:02,632 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: java.io.IOException: Keystore was tampered with, or password was incorrect
    2022-08-08 04:37:02,632 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Keystore was tampered with, or password was incorrect
    2022-08-08 04:37:02,633 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Password verification failed
    2022-08-08 04:37:02,633 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.


### Are you using any custom parameters or values?

No

### What is the expected behavior?

Keycloak should start in production mode with SSL enabled

### What do you see instead?

Keycloak fails to start with the following error:

    Server configuration updated and persisted. Run the following command to review the configuration:

    kc.sh show-config

    Next time you run the server, just run:

    kc.sh start -cf=/opt/bitnami/keycloak/conf/keycloak.conf

    2022-08-08 04:36:58,620 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: , Strict HTTPS: true, Path: , Strict BackChannel: false, Admin: , Port: -1, Proxied: true
    2022-08-08 04:36:59,747 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
    2022-08-08 04:36:59,961 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
    2022-08-08 04:37:00,106 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
    2022-08-08 04:37:00,644 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.9.Final
    2022-08-08 04:37:01,328 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: node_325824, Site name: null



### Additional information

_No response_
migruiz4 commented 2 years ago

Hi @suchitsancheti,

The following errors could point to Keycloak not being able to open the Keystore:

2022-08-08 04:37:02,632 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: java.io.IOException: Keystore was tampered with, or password was incorrect
2022-08-08 04:37:02,632 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Keystore was tampered with, or password was incorrect
2022-08-08 04:37:02,633 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Password verification failed

Could you please run the following command to ensure the Keystore is accessible with the password provided?

keytool -list -v -keystore /opt/bitnami/keycloak/certs/keycloak.keystore.jks -storepass <your_password>

According to your configuration, both the keystore and truststore password should match the value stored at secret:keycloak-cert-secret, key: cert_password.

If the password is correct, you should see something like this:

$ keytool -list -v -keystore keycloak.keystore.jks -storepass fRnmZjes0B
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry
...
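The keytool check above verifies the password at runtime; the same mismatch can be caught before deploying by cross-checking the Certificate's `keystores.jks.passwordSecretRef` against the chart's `tlsKeystorePassword`/`tlsTruststorePassword` references and `tls.existingSecret`. The script below is an added example, not code from the bitnami/charts issue or the chart; it assumes the Certificate and values are available as plain dicts (here constructed from the YAML posted in the issue) and that cert-manager writes `keystore.jks` and `truststore.jks` into the Certificate's secret when `keystores.jks.create` is true.

```python
# Added example (not from the bitnami/charts issue or the chart): cross-checks the
# cert-manager Certificate against the bitnami/keycloak values so Keycloak reads the
# same keystore password that cert-manager used to build keystore.jks/truststore.jks.
# CERTIFICATE and VALUES are constructed from the YAML posted in the issue.
CERTIFICATE = {"spec": {
    "secretName": "keycloak-certificate",
    "keystores": {"jks": {"create": True, "passwordSecretRef": {
        "name": "keycloak-cert-secret", "key": "cert_password"}}},
}}

VALUES = {
    "auth": {"existingSecretPerPassword": {
        "keyMapping": {"tlsKeystorePassword": "cert_password",
                       "tlsTruststorePassword": "cert_password"},
        "tlsKeystorePassword": {"name": "keycloak-cert-secret"},
        "tlsTruststorePassword": {"name": "keycloak-cert-secret"},
    }},
    "tls": {"enabled": True, "usePem": False, "existingSecret": "keycloak-certificate",
            "keystoreFilename": "truststore.jks", "truststoreFilename": "keystore.jks"},
}

# Secret keys cert-manager writes when keystores.jks.create is true.
CERT_MANAGER_JKS_KEYS = {"keystore.jks", "truststore.jks"}


def check_keystore_wiring(cert: dict, values: dict) -> list:
    """Return the mismatches found; an empty list means the wiring is consistent."""
    problems = []
    jks = cert["spec"].get("keystores", {}).get("jks", {})
    ref = jks.get("passwordSecretRef", {})
    per = values["auth"]["existingSecretPerPassword"]
    tls = values["tls"]
    if not jks.get("create"):
        problems.append("Certificate does not ask cert-manager to create JKS keystores")
    # Keycloak's keystore and truststore passwords must come from the exact
    # secret/key cert-manager used, or the JKS cannot be opened
    # ("Keystore was tampered with, or password was incorrect").
    for field in ("tlsKeystorePassword", "tlsTruststorePassword"):
        src = (per.get(field, {}).get("name"), per["keyMapping"].get(field))
        if src != (ref.get("name"), ref.get("key")):
            problems.append(f"{field} reads {src[0]}/{src[1]} but cert-manager "
                            f"used {ref.get('name')}/{ref.get('key')}")
    if tls.get("usePem") or tls.get("existingSecret") != cert["spec"]["secretName"]:
        problems.append("tls.existingSecret must be the Certificate's secretName, with usePem false")
    # The filenames must be keys that actually exist in that secret.
    for field in ("keystoreFilename", "truststoreFilename"):
        if tls.get(field) not in CERT_MANAGER_JKS_KEYS:
            problems.append(f"tls.{field}={tls.get(field)} is not a key cert-manager writes")
    return problems
```

With the values as posted the check returns no problems; changing `keyMapping.tlsKeystorePassword` to a key other than `cert_password` reproduces the mismatch that produced the "Password verification failed" error.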
suchitsancheti commented 2 years ago

@migruiz4 It was the keystore password issue as pointed by you. After correcting the password, I was able to deploy the keycloak. Thanks for your help.

migruiz4 commented 2 years ago

@suchitsancheti Thank you for your feedback! I will then close this issue.