Hi,
I’m trying to configure Keycloak to use SSL Client Authentication when a client logs in using a Direct Access Grant. I’m running Keycloak behind an NGINX proxy. I think I have everything set up correctly, but when I try to get a token with the client cert, it fails and Keycloak prints the following error in the logs:
keycloak_1 | 2022-03-20 18:43:22,157 WARN [org.keycloak.services.x509.NginxProxySslClientCertificateLookup] (executor-thread-0) Keycloak Truststore is null or empty, but it's required for NGINX x509cert-lookup provider
keycloak_1 | 2022-03-20 18:43:22,157 WARN [org.keycloak.services.x509.NginxProxySslClientCertificateLookup] (executor-thread-0) see Keycloak documentation here : https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
Any advice? I’ve run out of new things to try…
Here’s more info on my setup:
I’m running Keycloak in a container. The relevant parts of the Dockerfile (including the kc.sh build call) are:

    FROM quay.io/keycloak/keycloak:17.0.0
    WORKDIR /opt/keycloak
    RUN ./bin/kc.sh build \
        --spi-x509cert-lookup-provider=nginx \
        --features docker \
        --db=postgres
I’m launching Keycloak using docker-compose. The relevant piece of the compose file is:

    services:
      keycloak:
        build:
          context: .
          dockerfile: Dockerfile
        image: secret-keycloak:17.0.0
        environment:
          - KEYCLOAK_ADMIN=admin
          - KEYCLOAK_ADMIN_PASSWORD=supersecret
        network_mode: "host"
        volumes:
          - $PWD/truststore.jks:/opt/keycloak/truststore.jks
        # folded scalar (>): the lines are joined with spaces, so no
        # shell-style backslash continuations are needed here
        command: >
          start --db-password=also-super-secret
          --db-username=postgres
          --hostname=test.internal.domain.net:8443
          --https-client-auth=request
          --https-trust-store-file=/opt/keycloak/truststore.jks
          --https-trust-store-password=password
          --spi-x509cert-lookup-nginx-ssl-client-cert=SSL-Client-Cert
          --proxy=edge
truststore.jks was built using the following command:

    keytool -import -alias root -keystore truststore.jks -file ca.pem
Where ca.pem is coming from cfssl.
Thanks!
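As an added example, not from the original post, the same compose `command` with the Keycloak truststore SPI configured alongside the poster's existing flags. It assumes that the `--spi-truststore-file-*` options (names taken from the Keycloak 17 Quarkus configuration reference, not from this post) are what the NGINX x509cert-lookup provider reads, and that TLS is terminated at NGINX, as `--proxy=edge` implies.

```yaml
services:
  keycloak:
    build:
      context: .
      dockerfile: Dockerfile
    image: secret-keycloak:17.0.0
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=supersecret   # value from the post; change before real use
    network_mode: "host"
    volumes:
      # mounted read-only: Keycloak only needs to read the CA bundle
      - $PWD/truststore.jks:/opt/keycloak/truststore.jks:ro
    command: >
      start
      --db-username=postgres
      --db-password=also-super-secret
      --hostname=test.internal.domain.net:8443
      --proxy=edge
      --spi-x509cert-lookup-nginx-ssl-client-cert=SSL-Client-Cert
      --spi-truststore-file-file=/opt/keycloak/truststore.jks
      --spi-truststore-file-password=password
      --spi-truststore-file-hostname-verification-policy=WILDCARD
    # Assumption: --https-trust-store-file / --https-client-auth only configure
    # mTLS on Keycloak's own HTTPS listener. With --proxy=edge that listener is
    # not the one the client talks to (NGINX terminates TLS), so the lookup
    # provider validates the chain from the SSL-Client-Cert header against the
    # truststore SPI above, which the logged warning reports as empty.
```

The truststore file is still the `truststore.jks` built with `keytool -import` in the post; only the option prefix that hands it to Keycloak differs.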