Failing to setup CRL checking in Keycloak 9.0.2

Hi,

We are struggling to set up proper X509 authentication.

Context: we have a cluster of RH-SSO 7.4 / KC 9.0.2 nodes configured through a domain controller, with an nginx reverse proxy for load balancing in front.
We successfully set up X509 authentication after establishing mTLS and forwarding client certificates through nginx. Problem: we fail to check CRLs. More specifically, if we enable CRL checking, we successfully reject revoked certificates, but we also fail to authenticate valid certificates (cf. logs below). The behavior is the following: the certificate is successfully forwarded to Keycloak, which processes it endlessly until timeout.
Suspecting too large CRLs, we tried to use only one, which didn't change the behavior.
If anyone has a solution we'd be so thankful, otherwise we'll open a ticket with Red Hat.

Keycloak config:

The log message we get after successfully rejecting a revoked certificate:

C=FR,O=foo,OU=0002 110090016,SURNAME=TEST-PRA,GIVENNAME=Test-nominal-un,CN=test-nominal-un.test-pra: java.security.GeneralSecurityException: Certificate has been revoked, certificate's subject: C=FR,O=foo,OU=0002 110090016,SURNAME=TEST-PRA,GIVENNAME=Test-nominal-un,CN=test-nominal-un.test-pra

The logs we get after the timeout when we fail to authenticate a user using a valid certificate (we remove the certificate, otherwise it just loops from one node to another according to the nginx timeout rules):

> 2022-10-07 12:29:06,133 DEBUG [org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup] (default task-311) Found a valid x.509 certificate in "ssl-client-cert" HTTP header
> 2022-10-07 12:29:06,133 DEBUG [org.keycloak.services.x509.NginxProxySslClientCertificateLookup] (default task-311) End user certificate found : Subject <DN>
> 2022-10-07 12:29:06,135 DEBUG [org.keycloak.services.x509.NginxProxySslClientCertificateLookup] (default task-311) Certification path building OK, and contains 2 X509 Certificates 
> 2022-10-07 12:29:06,135 DEBUG [org.keycloak.services.x509.NginxProxySslClientCertificateLookup] (default task-311) Rebuilded user cert chain DN :<DN>
> 2022-10-07 12:29:06,135 DEBUG [org.keycloak.services.x509.NginxProxySslClientCertificateLookup] (default task-311) Rebuilded user cert chain DN : <INTERMEDIATE AC DN>
> 2022-10-07 12:29:46,154 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffdd0bd8bf:-bcff59c:633ab1a7:3e874 in state RUN
> 2022-10-07 12:29:46,156 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffdd0bd8bf:-bcff59c:633ab1a7:3e874 invoked while multiple threads active within it.
> 2022-10-07 12:29:46,158 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffdd0bd8bf:-bcff59c:633ab1a7:3e874 completed with multiple threads - thread default task-303 was in progress with org.keycloak.utils.CRLUtils.findCRLSignatureCertificateInTruststore(CRLUtils.java:195)
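
The last stack frame above is a lookup of the CRL's signing certificate in the truststore. As an added diagnostic, not Keycloak or RH-SSO code, this standalone Java program does that lookup offline with the JDK's own APIs so you can see which truststore entry signs the CRL, whether the CRL is stale, and whether a given end-user certificate appears in it; the file paths, the truststore password and the matching rule (CRL issuer DN equals trusted cert subject, then signature verification) are assumptions.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
// Added diagnostic (not Keycloak/RH-SSO code): find which truststore entry signs a
// CRL and whether a given end-user certificate is listed in it.
public class CrlTruststoreCheck {
    // Returns the alias of the first trusted cert whose subject matches the CRL issuer
    // and whose public key verifies the CRL signature; null if none does.
    static String findCrlSigner(KeyStore truststore, X509CRL crl) throws GeneralSecurityException {
        for (String alias : Collections.list(truststore.aliases())) {
            if (!truststore.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) truststore.getCertificate(alias);
            if (!c.getSubjectX500Principal().equals(crl.getIssuerX500Principal())) continue;
            try {
                crl.verify(c.getPublicKey());   // throws if the signature does not match
                return alias;
            } catch (GeneralSecurityException e) {
                System.out.println("issuer DN matches but signature fails for alias " + alias);
            }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        // Placeholder paths/password (assumptions): truststore, CRL, user certificate.
        String tsPath = args.length > 0 ? args[0] : "truststore.p12";
        char[] tsPass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String crlPath = args.length > 2 ? args[2] : "issuing-ca.crl";
        String certPath = args.length > 3 ? args[3] : "user.pem";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl = (X509CRL) cf.generateCRL(new FileInputStream(crlPath));
        X509Certificate user = (X509Certificate) cf.generateCertificate(new FileInputStream(certPath));
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(new FileInputStream(tsPath), tsPass);
        int entries = crl.getRevokedCertificates() == null ? 0 : crl.getRevokedCertificates().size();
        System.out.printf("CRL issuer=%s entries=%d nextUpdate=%s%n", crl.getIssuerX500Principal(), entries, crl.getNextUpdate());
        if (crl.getNextUpdate() != null && crl.getNextUpdate().before(new Date()))
            System.out.println("WARNING: CRL is stale (nextUpdate in the past)");
        String signer = findCrlSigner(ts, crl);
        System.out.println(signer == null ? "No truststore entry signs this CRL" : "CRL signed by truststore alias: " + signer);
        System.out.println("user cert issuer=" + user.getIssuerX500Principal() + " revoked=" + crl.isRevoked(user));
    }
}
```

Run it against the same truststore and CRL files the server uses; a null signer or a stale nextUpdate is worth checking before opening a ticket.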

Hi - Were you able to find a resolution? Seeing similar symptoms on my end.