c0c0n3 / kitt4sme.live

On a mission to bring AI to the shop floor: https://kitt4sme.eu/
MIT License

New TLS certificate won't work with AQ #291

Closed c0c0n3 closed 1 year ago

c0c0n3 commented 1 year ago

Describe the bug

If I configure AQ to log in with Keycloak, it tries pulling down the OIDC well-known config from

(notice the scheme is https, not http) but it fails with a certificate validation error.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy the new AQ in the aq-update branch.
  2. Browse to https://kitt4sme.collab-cloud.eu/aq/
  3. You should see an "ERR_TOO_MANY_REDIRECTS" error; ignore it for now, I think that's a side effect of the error below.
  4. Go look at the AQ logs (kubectl logs deployment/aq); you should see an error similar to this:
    2023-05-04 20:38:42.906 WARN  org.keycloak.adapters.KeycloakDeployment                         Failed to load URLs from https://kitt4sme.collab-cloud.eu/auth/realms/kitt4sme/.well-known/openid-configuration
    javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  5. If you scroll through the log entries, you should see a bunch of NPEs probably caused by the above error

Expected behavior

I should be able to log in with Keycloak when hitting the AQ landing page.

Additional context

Read about a similar TLS/SSO saga over here: #230

karikolehmainen commented 1 year ago

Is there a branch I can use for testing on my local deployment? The aq-update branch I couldn't find (is it public?).

c0c0n3 commented 1 year ago

@karikolehmainen we merged the aq-update branch into main and then deleted it---sorry about that.

To reproduce, you need to comment these lines back in:

karikolehmainen commented 1 year ago

Ok, I need to rephrase, as I think Keycloak uses the Istio certificates created in issue #231. That issue has to be solved more properly as per the instructions in: https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/ CA certs are there in the server, but I have to test this first because the instructions are for self-signed certificates and we are using real ones.

Old Keycloak Docker-related comment: I am inclined to think that this error is caused by Keycloak not having a properly set Java keystore. There are two ways to set certificates with Keycloak: one of providing a public/private key pair (which I think we have done) and the other of providing a keystore which includes CA and sub-CA certificates (along with server certs). See: https://www.keycloak.org/server/enabletls Steps to create the keystore:

keytool -import -trustcacerts -alias root2 -file SSL_COM_ROOT_CERTIFICATION_AUTHORITY_RSA.crt -keystore keycloak.jks
keytool -import -trustcacerts -alias INTER -file SSL_COM_RSA_SSL_SUBCA.crt -keystore keycloak.jks
keytool -import -trustcacerts -alias *.collab-cloud.eu -file STAR_collab-cloud_eu.crt -keystore keycloak.jks

This requires setting a keystore password that has to be configured for Keycloak. Now this is the way it can be done with Docker. With Kubernetes the process might be different and involve the use of secrets and such.

karikolehmainen commented 1 year ago

Created the CA certs to Istio with this command and links in the issue description work, so problem is fixed I hope.

kubectl create secret generic cacerts -n istio-system --from-file=<<ca-cert>> --from-file=<<sub-ca-cert>>

@c0c0n3 can you double check that the problem is fixed?

c0c0n3 commented 1 year ago

still a problem actually...

c0c0n3 commented 1 year ago

@karikolehmainen finally solved. as of

we've got a cert in istio w/ the full ca chain.