I’ve been using Keycloak for about a year to secure access to 2 separate web applications.
With one app, I’m using OpenID Connect proxy authentication to put the app behind authentication.
This has worked well for around one year. For the past 7 days, whenever I want to access this app, I’m just getting a blank webpage stating:
There was an error while logging in: accessing discovery url (https://example.com/auth/realms/xxxx/.well-known/openid-configuration) failed: 10: certificate has expired.
Whenever I go to the discovery URL, the site appears secure from within Firefox.
I’m not exactly sure what’s causing this issue.
Keycloak is run in Docker, behind (dockerized) nginx with Let’s Encrypt taking care of the certificates, incl. renewal.
The oidc proxy is also run behind that reverse proxy.
The only error message that I see within keycloak is the following:
WARN [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file ‘/opt/jboss/keycloak/standalone/configuration/application.keystore’ does not exist. Used blank.
and
WARN [org.wildfly.extension.elytron] (MSC service thread 1-1) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
While I had not shared any LE certs with the ‘/etc/x509/https’ container path previously, I have now even tried that. tls.crt and tls.key are both visible inside the container, but still without success.
Do I somehow force the keystore generation manually?
Any ideas on what I could try / what’s causing the error would really help me a lot!
(Currently, all users are locked out from using our app.)
The OIDC proxy, I think. The oauth-proxy does backchannel SSL queries to Keycloak which it is not able to validate. If Firefox has no problems, but backchannel scripts have problems, this often lies in certificates which are delivered without the full signing chain.
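As an added diagnostic (not from the thread, and not part of oauth-proxy or Keycloak): a shell script that dumps the chain a TLS endpoint actually serves, as a backchannel client sees it, and flags any certificate in that chain that is expired or about to expire, which is what separates "the browser shows the site as secure" from "the proxy cannot validate it". Host, port and the 604800-second (7 day) horizon are assumptions to fill in.

```shell
#!/usr/bin/env bash
# Added diagnostic script, not part of the thread: show the chain a TLS endpoint
# actually sends and flag any certificate in it that is expired (or expiring
# within a horizon). A browser may still show the site as secure because it can
# fetch or cache intermediates itself; a backchannel client usually cannot.

# Split a PEM bundle (e.g. output of `openssl s_client -showcerts`) into
# $2/cert1.pem, $2/cert2.pem, ... and print the number of certificates found.
split_chain() {
  local bundle="$1" outdir="$2"
  awk -v d="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$bundle"
}

# Print subject/issuer/notAfter of one PEM certificate; return 1 if it is
# expired or will expire within $2 seconds (default 0 = already expired).
check_cert() {
  local pem="$1" horizon="${2:-0}"
  openssl x509 -in "$pem" -noout -subject -issuer -enddate
  openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null
}

# Check every certificate in a PEM chain file. Return 1 if any fails,
# 2 if the file holds no certificate at all. A single certificate means the
# server sent only the leaf, so the intermediate has to come from elsewhere.
check_chain_file() {
  local bundle="$1" horizon="${2:-0}" dir n i rc=0
  dir=$(mktemp -d)
  n=$(split_chain "$bundle" "$dir")
  if [ "$n" -eq 0 ]; then rm -rf "$dir"; echo "no certificates in $bundle" >&2; return 2; fi
  [ "$n" -gt 1 ] || echo "warning: only one certificate served; intermediate missing?" >&2
  for i in $(seq 1 "$n"); do
    echo "--- certificate $i of $n"
    check_cert "$dir/cert$i.pem" "$horizon" || rc=1
  done
  rm -rf "$dir"
  return "$rc"
}

# Fetch the chain served for host:port (with SNI, as a client would) and check
# it. Usage (assumed host/horizon): check_endpoint_chain example.com 443 604800
check_endpoint_chain() {
  local host="$1" port="${2:-443}" horizon="${3:-0}" tmp rc
  tmp=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' >"$tmp"
  if check_chain_file "$tmp" "$horizon"; then rc=0; else rc=$?; fi
  rm -f "$tmp"
  return "$rc"
}
```

Run it against the discovery endpoint's host from the machine (or container) that runs the proxy, since that is the trust store and network path that actually fails.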
You need to bump all versions in the Dockerfile for the resty image at least (the base image is 3 years old and probably the additional libs also could use a bump).
(Side note: for anything security related you should always follow the latest upstream version as close as possible anyway.)