keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Certificates do not conform to algorithm constraints #30164

Open souravkm777 opened 1 month ago

souravkm777 commented 1 month ago

Area

core

Describe the bug

Microsoft Azure has updated Azure Database for PostgreSQL Flexible Server to use TLS certificates from Digicert Global Root CA to Microsoft RSA Root Certificate Authority 2017 image

We have recently restarted our Keycloak in Dev environment and after that it fails to start. The keycloak is running as a Pod on Azure kubernetes services. Below is the error log:

ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: SSL error: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Algorithm constraints check failed on signature algorithm: SHA1withRSA

We suspect this started after the change from Microsoft and not sure how to fix that ourselves. Although the possible solution could be to add the new CA root to Keycloak's trusted root but need help with that.

Version

23.0.4.0

Regression

Expected behavior

Keycloak pod should start normally after a restart

Actual behavior

CrashLoopBackOff with error mentioned above

How to Reproduce?

Every time we restart we get the same error message for the issue with connecting to the Postgresql flexible server.

Anything else?

N/A

souravkm777 commented 4 weeks ago

Is there a way to allow Keycloak to trust the new CA provided by Microsoft?

souravkm777 commented 4 weeks ago

Can you confirm if Keycloak uses certificate pinning while connecting to databases?

souravkm777 commented 3 weeks ago

We have updated Keycloak to version 24.0.5.0 but still have the same issue. The POD is not coming up so we are not able to update the Java config. All other applications run fine after Microsoft has added the new root CA in the Postgresql flexible offering and only Keycloak fails to connect. Really need help in getting this fixed.

shawkins commented 3 weeks ago

SHA1withRSA is likely no longer supported by default with Java 17. You can check the /etc/crypto-policies/back-ends/java.config - it should mention SHA1 as a disabled algorithm. You may need a custom image with a modified /etc/crypto-policies/back-ends/java.config file to support a legacy cert.
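As an added example (not Keycloak's code and not from anyone in this thread), a POSIX shell script that reads the crypto-policy file named in the comment above, reports whether SHA1 is constrained for certificate-path validation, and lists the signature algorithm of each certificate the PostgreSQL server actually sends, so the SHA1withRSA link in the chain can be located before deciding whether to relax the policy. The policy contents it is exercised with, the host name and the port are constructed placeholders.

```shell
#!/bin/sh
# Added example: inspect the Java crypto policy that rejects SHA1-signed certs and
# the PostgreSQL server's chain. Paths and host names are examples, not Keycloak code.

# Join backslash-continued lines, as Java's properties parser does for java.config.
join_continuations() {   # $1 = policy file
  awk '{
    cont = sub(/\\$/, "")               # trailing backslash: value continues
    if (buf != "") sub(/^[ \t]+/, "")   # continuation line: drop its indent
    buf = buf $0
    if (!cont) { print buf; buf = "" }
  }' "$1"
}

# Effective value of one property, e.g. jdk.certpath.disabledAlgorithms.
java_property() {   # $1 = policy file, $2 = property name
  join_continuations "$1" | sed -n "s/^$2 *= *//p"
}

# The certpath constraints, one per line.
certpath_disabled_entries() {   # $1 = policy file
  java_property "$1" jdk.certpath.disabledAlgorithms | tr ',' '\n' | sed 's/^ *//'
}

# Exit 0 when SHA1 is constrained for certificate-path validation: that is the
# check behind "Certificates do not conform to algorithm constraints".
sha1_certpath_disabled() {   # $1 = policy file
  certpath_disabled_entries "$1" | grep -q '^SHA1'
}

# Signature algorithm and subject of every certificate the server presents.
# Assumes OpenSSL 1.1.1+ (-starttls postgres); point it at a dev instance.
chain_signature_algorithms() {   # $1 = host, $2 = port
  dir=$(mktemp -d)
  openssl s_client -starttls postgres -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
    awk -v d="$dir" '/-----BEGIN CERT/ { n++ }
      /-----BEGIN CERT/,/-----END CERT/ { print > (d "/" n ".pem") }'
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue
    alg=$(openssl x509 -in "$f" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -1)
    printf '%s\t%s\n' "$alg" "$(openssl x509 -in "$f" -noout -subject)"
  done
  rm -rf "$dir"
}

# Usage inside the Keycloak image (policy path from the comment above; host is a placeholder):
#   sha1_certpath_disabled /etc/crypto-policies/back-ends/java.config && echo "SHA1 certs rejected"
#   chain_signature_algorithms <server>.postgres.database.azure.com 5432
```

A SHA1withRSA line in the chain listing is the certificate the policy refuses; if that certificate is an intermediate rather than the trust anchor, replacing or re-fetching the server's chain is the fix to try before editing java.config in a custom image.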

souravkm777 commented 3 weeks ago

Just to add more context: Keycloak was running fine with Azure Postgresql Flexible server (with SHA1 Digicert CA) until Microsoft updated the Postgresql flexible offerings with Microsoft CA (SHA384). Since the Pod does not come up we are not able to change the JAVA config for Keycloak.

shawkins commented 2 weeks ago

~priority-low

keycloak-github-bot[bot] commented 2 weeks ago

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a :thumbsup: to the description. We would also welcome a contribution to fix the issue.