This seems to be a bug in Keycloak. Keycloak doesn't provide a certificate in response to a CertificateRequest, even though a certificate exists in the keystore that matches one of the certificate authorities in the CertificateRequest. The same cert and key can be used with curl to successfully get a response from OpenLDAP. Any suggestions on how to get Keycloak to respond to the CertificateRequest? Here are my settings:
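#host
# Directory, relative to the working directory, that holds the CA cert,
# the server/client cert and its private key. Both containers and the
# curl check below read from it.
cert_dir="certs"
#keycloak
keycloak_version=12.0.4
keycloak_port=443
keycloak_admin_username=admin
# Lab-only default; override from the environment instead of editing the
# file so the literal secret stays out of shell history and pasted logs.
keycloak_admin_password=${LAB_KEYCLOAK_ADMIN_PASSWORD:-password}
keycloak_container_name=keycloak_test_00
#openldap
openldap_version=1.5.0
openldap_port=636
openldap_admin_password=${LAB_OPENLDAP_ADMIN_PASSWORD:-password}
openldap_container_name=openldap_test_00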
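# Start Keycloak with its HTTPS listener published on $keycloak_port.
# Reads: keycloak_*, cert_dir (set above) and hostname_short, which the
# caller must set to the basename of the cert files under $cert_dir.
# TRACE logging together with -Djavax.net.debug=all dumps every TLS record
# and handshake message into the container log; keep it for this repro
# only and drop it before the container handles real credentials.
# NOTE(review): tls.crt/tls.key are mounted where the HTTPS listener
# keystore is built (the log names that key keycloak-https-key). Whether
# the outbound LDAP client uses the same key manager is not visible here;
# confirm that before assuming the client cert is available to the LDAP
# connection.
# "$pwd" is not set by bash itself; fall back to $PWD when the caller did
# not define it. Long docker options take two dashes ("--name", "--detach").
: "${hostname_short:?hostname_short must be set (basename of the cert files in $cert_dir)}"
docker run -p "${keycloak_port}:8443" \
  --name "$keycloak_container_name" \
  --env DB_VENDOR=H2 \
  --env DB_PASSWORD=password \
  --env KEYCLOAK_USER="$keycloak_admin_username" \
  --env KEYCLOAK_PASSWORD="$keycloak_admin_password" \
  --env KEYCLOAK_LOG_LEVEL=TRACE \
  --env JAVA_OPTS_APPEND="-Djavax.net.debug=all" \
  --env X509_CA_BUNDLE="/etc/x509/https/${hostname_short}.ca.crt" \
  -v "${pwd:-$PWD}/${cert_dir}/${hostname_short}.ca.crt:/etc/x509/https/${hostname_short}.ca.crt" \
  -v "${pwd:-$PWD}/${cert_dir}/${hostname_short}.crt:/etc/x509/https/tls.crt" \
  -v "${pwd:-$PWD}/${cert_dir}/${hostname_short}.key:/etc/x509/https/tls.key" \
  --detach \
  "jboss/keycloak:${keycloak_version}"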
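# Start OpenLDAP with LDAPS published on $openldap_port, using the same
# cert set as Keycloak.
# Reads: openldap_*, cert_dir (set above) and hostname_short, hostname_fqdn,
# domainname, tls_verify_client, which the caller must set; an unset one
# would otherwise silently become an empty container env value.
# LDAP_TLS_VERIFY_CLIENT controls whether slapd asks the peer for a client
# certificate, i.e. whether the CertificateRequest in the log is sent.
# The whole $cert_dir is mounted, so the private key is readable inside
# the container; keep that directory limited to this lab's throwaway keys.
: "${hostname_short:?hostname_short must be set (basename of the cert files in $cert_dir)}"
: "${hostname_fqdn:?hostname_fqdn must be set}"
: "${domainname:?domainname must be set}"
: "${tls_verify_client:?tls_verify_client must be set}"
docker run -p "${openldap_port}:636" \
  --name "$openldap_container_name" \
  --hostname "$hostname_fqdn" \
  --env LDAP_DOMAIN="$domainname" \
  --env LDAP_ADMIN_PASSWORD="$openldap_admin_password" \
  --env LDAP_TLS_CRT_FILENAME="${hostname_short}.crt" \
  --env LDAP_TLS_KEY_FILENAME="${hostname_short}.key" \
  --env LDAP_TLS_CA_CRT_FILENAME="${hostname_short}.ca.crt" \
  --env LDAP_TLS_VERIFY_CLIENT="$tls_verify_client" \
  -v "${pwd:-$PWD}/${cert_dir}/:/container/service/slapd/assets/certs" \
  --detach \
  "osixia/openldap:${openldap_version}"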
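# Reproduce the client-certificate handshake against slapd with curl, using
# the same key and cert that were handed to Keycloak.
# -k skips verification of the server certificate, so a success here shows
# only that slapd accepted the client cert, not that the server chain
# validates; "--cacert ./$cert_dir/$hostname_short.ca.crt" would check both.
curl -s -k --verbose \
  --key "./${cert_dir}/${hostname_short}.key" \
  --cert "./${cert_dir}/${hostname_short}.crt" \
  "ldaps://${hostname_fqdn}:${openldap_port}"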
Logs:
KeyManagerImpl.java:164|found key for : keycloak-https-key (
05:34:39,887 ERROR [stderr] (MSC service thread 1-1) "certificate" : {
05:34:39,887 ERROR [stderr] (MSC service thread 1-1) "version" : "v1",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) "serial number" : "01",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) "signature algorithm": "SHA256withRSA",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) "issuer" : "CN=MYDOMAINHERE",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) "not before" : "2021-03-06 05:33:16.000 GMT",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) "not after" : "2022-03-06 05:33:16.000 GMT",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) "subject" : "CN=MYDOMAINHERE",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) "subject public key" : "RSA"}
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) )
05:35:29,483 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.483 GMT|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
05:35:29,483 ERROR [stderr] (default task-1) "CertificateRequest": {
05:35:29,483 ERROR [stderr] (default task-1) "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
05:35:29,483 ERROR [stderr] (default task-1) "supported signature algorithms": [rsa_pkcs1_sha384, rsa_pss_pss_sha384, rsa_pss_rsae_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha512, rsa_pss_pss_sha512, rsa_pss_rsae_sha512, ecdsa_secp521r1_sha512, rsa_pkcs1_sha256, rsa_pss_pss_sha256, rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, ed25519]
05:35:29,483 ERROR [stderr] (default task-1) "certificate authorities": [CN=MYDOMAINHERE]
05:35:29,483 ERROR [stderr] (default task-1) }
05:35:29,483 ERROR [stderr] (default task-1) )
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.483 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.484 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.484 GMT|X509Authentication.java:244|No X.509 cert selected for RSASSA-PSS
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.484 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_pss_sha384
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.484 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.484 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha384
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.485 GMT|X509Authentication.java:244|No X.509 cert selected for EC
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.485 GMT|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.485 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.485 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.485 GMT|X509Authentication.java:244|No X.509 cert selected for RSASSA-PSS
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.485 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_pss_sha512
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.486 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.486 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha512
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.486 GMT|X509Authentication.java:244|No X.509 cert selected for EC
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.486 GMT|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.486 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.486 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.486 GMT|X509Authentication.java:244|No X.509 cert selected for RSASSA-PSS
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.487 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_pss_sha256
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.487 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.487 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha256
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.487 GMT|X509Authentication.java:244|No X.509 cert selected for EC
05:35:29,488 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.487 GMT|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
05:35:29,488 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.488 GMT|CertificateRequest.java:744|Unable to produce CertificateVerify for signature scheme: ed25519
05:35:29,488 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.488 GMT|CertificateRequest.java:775|No available authentication scheme
05:35:29,497 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.497 GMT|SSLSocketInputRecord.java:488|Raw read (
05:35:29,497 ERROR [stderr] (default task-1) 0000: 16 03 03 00 04 .....
05:35:29,497 ERROR [stderr] (default task-1) )
05:35:29,497 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.497 GMT|SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 4
05:35:29,498 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.498 GMT|SSLSocketInputRecord.java:488|Raw read (
05:35:29,498 ERROR [stderr] (default task-1) 0000: 0E 00 00 00 ....
05:35:29,498 ERROR [stderr] (default task-1) )
05:35:29,498 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.498 GMT|SSLSocketInputRecord.java:247|READ: TLSv1.2 handshake, length = 4
05:35:29,498 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.498 GMT|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
05:35:29,498 ERROR [stderr] (default task-1) <empty>
05:35:29,498 ERROR [stderr] (default task-1) )
05:35:29,498 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.498 GMT|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
05:35:29,499 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.499 GMT|CertificateMessage.java:330|Produced client Certificate handshake message (
05:35:29,499 ERROR [stderr] (default task-1) "Certificates": <empty list>
05:35:29,499 ERROR [stderr] (default task-1) )