keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Certificates do not conform to algorithm constraints #30164

Open souravkm777 opened 5 months ago

souravkm777 commented 5 months ago

Before reporting an issue

Area

core

Describe the bug

Microsoft Azure has updated Azure Database for PostgreSQL Flexible Server to use TLS certificates from Digicert Global Root CA to Microsoft RSA Root Certificate Authority 2017 image

We have recently restarted our Keycloak in Dev environment and after that it fails to start. The keycloak is running as a Pod on Azure kubernetes services. Below is the error log:

ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: SSL error: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Algorithm constraints check failed on signature algorithm: SHA1withRSA

We suspect this started after the change from Microsoft and are not sure how to fix it ourselves. A possible solution could be to add the new root CA to Keycloak's trusted roots, but we need help with that.

Version

23.0.4.0

Regression

Expected behavior

Keycloak pod should start normally after a restart

Actual behavior

CrashLoopBackOff with error mentioned above

How to Reproduce?

Every time we restart we get the same error message for the issue with connecting to the PostgreSQL flexible server.

Anything else?

N/A

souravkm777 commented 5 months ago

Is there a way to allow Keycloak trust new CA provided by Microsoft?

souravkm777 commented 5 months ago

Can you confirm if Keycloak uses certificate pinning while connecting to databases?

souravkm777 commented 4 months ago

We have updated Keycloak to version 24.0.5.0 but still have the same issue. The POD is not coming up so we are not able to update the Java config. All other applications run fine after Microsoft added the new root CA in the PostgreSQL flexible offering and only Keycloak fails to connect. Really need help in getting this fixed.

shawkins commented 4 months ago

SHA1withRSA is likely no longer supported by default with Java 17. You can check /etc/crypto-policies/back-ends/java.config - it should mention SHA1 as a disabled algorithm. You may need a custom image with a modified /etc/crypto-policies/back-ends/java.config file to support a legacy cert.

souravkm777 commented 4 months ago

Just to add more context: Keycloak was running fine with Azure PostgreSQL Flexible server (with SHA1 DigiCert CA) until Microsoft updated the PostgreSQL flexible offerings with the Microsoft CA (SHA384). Since the Pod does not come up we are not able to change the Java config for Keycloak.

shawkins commented 4 months ago

~priority-low

keycloak-github-bot[bot] commented 4 months ago

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a :thumbsup: to the description. We would also welcome a contribution to fix the issue.

raman-khrapavitski commented 3 months ago

Are there some workarounds? I have tried this guide, by adding ssl-mode and ssl-ca to my values file, but still get this error. (Keycloak version 21.1.2)

name: KC_DB_URL_PROPERTIES
value: ?useSSL=true&serverTimezone=GMT&ssl-mode=REQUIRED&ssl-ca=/opt/keycloak/cert/DigiCertGlobalRootCA.crt.pem

souravkm777 commented 3 months ago

@raman-khrapavitski : We tried the same earlier but that did not work. We created a new instance of postgresql flexible server in Azure which comes with SHA2 certificate and our issue was resolved.

jord1e commented 3 months ago

> @raman-khrapavitski : We tried the same earlier but that did not work. We created a new instance of postgresql flexible server in Azure which comes with SHA2 certificate and our issue was resolved.

Thank you, this led me to a temporary solution.

See also https://github.com/Azure/azure-postgresql/issues/112

A bit of a bitter pill to swallow, but I circumvented creating a new instance by just enabling SHA1 again for now:

# `builder` and `digicert` are earlier stages of the same multi-stage build (not shown in this excerpt)
FROM quay.io/keycloak/keycloak:25.0.2

COPY --chown=keycloak:keycloak --from=builder /opt/keycloak/ /opt/keycloak/

# https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-tls-ssl
# https://github.com/keycloak/keycloak/issues/17606#issuecomment-1631115584
COPY --from=digicert /app/DigiCertGlobalRootCA.crt.pem /opt/keycloak/.postgresql/root.crt

# Our instance of PostgreSQL only has SHA1 certificates (for now)
# See https://github.com/keycloak/keycloak/issues/30164#issuecomment-2260625118
# Removing "SHA1, " from the DEFAULT crypto policy's Java backend re-enables SHA1withRSA
# for certificate path validation (this weakens the policy for the whole JVM)
USER root
RUN ["sed", "-i", "s/SHA1, //g", "/usr/share/crypto-policies/DEFAULT/java.txt"]
# https://github.com/keycloak/keycloak/blob/36a141007ec12156c70ee00a55958114e60dd4f6/quarkus/container/Dockerfile#L34
# Drop back to the unprivileged user the base image runs as
USER 1000

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

Also

ENV KC_DB_URL_PROPERTIES="?sslmode=verify-full"

When building the custom image, as referenced by the linked MS docs

Note that the reference to DigiCertGlobalRootCA.crt.pem comes from https://github.com/keycloak/keycloak/issues/17606#issuecomment-1631115584. It might also help some people.
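To see why the chain is rejected before the `sed` in the image above and accepted after it, here is a small model of the JDK's `jdk.certpath.disabledAlgorithms` check (the file shawkins points at) run over a constructed chain; this is added example code, not Keycloak or JDK code, and the config line and chain are constructed to mirror the symptom in this thread.

```python
import re

# Constructed sample of the relevant lines from a crypto-policies Java config
# (RHEL-style layout; values are illustrative, not copied from a real host).
JAVA_CONFIG = """\
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, DSA, RSA keySize < 2048, EC keySize < 256
"""

# Constructed chain modelled on the error in this issue: a leaf signed with SHA-384,
# an intermediate still signed with SHA-1, and a self-signed root.
CHAIN = [
    {"subject": "server leaf", "sig_alg": "SHA384withRSA", "key_alg": "RSA", "key_size": 2048, "trust_anchor": False},
    {"subject": "intermediate CA", "sig_alg": "SHA1withRSA", "key_alg": "RSA", "key_size": 2048, "trust_anchor": False},
    {"subject": "root CA", "sig_alg": "SHA1withRSA", "key_alg": "RSA", "key_size": 4096, "trust_anchor": True},
]

def parse_disabled(config, prop="jdk.certpath.disabledAlgorithms"):
    """Return the constraint entries for `prop`, e.g. ['MD2', 'SHA1', 'RSA keySize < 2048']."""
    m = re.search(r"^" + re.escape(prop) + r"=(.*)$", config, re.M)
    return [e.strip() for e in m.group(1).split(",") if e.strip()] if m else []

def components(sig_alg):
    """Split 'SHA1withRSA' into {'SHA1', 'RSA'}, as the JDK's algorithm decomposer does
    (simplified: no alias handling such as SHA-1 vs SHA1)."""
    return {p.upper() for p in re.split(r"with|and", sig_alg, flags=re.I) if p}

def violations(chain, disabled):
    """Simplified model of the JDK certpath algorithm check: (subject, reason) per failing cert."""
    out = []
    for cert in chain:
        for entry in disabled:
            parts = entry.split()
            name = parts[0].upper()
            if len(parts) >= 4 and parts[1] == "keySize":
                # Key-size constraints apply to the certificate's public key, root included
                op, limit = parts[2], int(parts[3])
                if cert["key_alg"].upper() == name and op == "<" and cert["key_size"] < limit:
                    out.append((cert["subject"], entry))
            elif not cert["trust_anchor"] and name in components(cert["sig_alg"]):
                # Signature constraints; the trust anchor's own signature is not validated
                out.append((cert["subject"], f"signature {cert['sig_alg']} uses disabled {name}"))
    return out

def re_enable_sha1(config):
    """Same effect as the issue's `sed -i 's/SHA1, //g'` on the policy file (weakens the policy)."""
    return config.replace("SHA1, ", "")
```

Run `violations(CHAIN, parse_disabled(JAVA_CONFIG))` to see the intermediate flagged, and `violations(CHAIN, parse_disabled(re_enable_sha1(JAVA_CONFIG)))` to see the chain pass once SHA1 is removed from the list; a SHA-2-signed chain, as with the new server instance souravkm777 created, passes without touching the policy.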

NicSalmonFR commented 3 months ago

@souravkm777 could you please inform us which SHA2 certificate you got? I assume that uploading this cert would probably be sufficient to resolve the issue.