Running into cert errors when deploying on AWS Fargate

Hi, I am trying to deploy Keycloak in Fargate. I included a self-signed cert and key for the Keycloak server to use. It works when I deploy this on a barebones EC2 instance, but not when I deploy it on ECS. Here is the error that I run into:

Here is my Dockerfile:

FROM quay.io/keycloak/keycloak:latest as builder

USER root



# ENV KC_HTTP_RELATIVE_PATH=/auth
# ENV KC_CACHE_CONFIG_FILE=cache-ispn-jdbc-ping.xml
# # copy the custom cache config file into the keycloak conf dir
# COPY ./cache-ispn-jdbc-ping.xml /opt/keycloak/conf/cache-ispn-jdbc-ping.xml
WORKDIR /opt/keycloak

RUN /opt/keycloak/bin/kc.sh build

# RUN microdnf install -y python3 && microdnf clean all
# RUN curl -O https://bootstrap.pypa.io/pip/3.6/get-pip.py && python3 get-pip.py && pip install boto3

FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
RUN export XH_BINDIR=/usr/local/bin && curl -sfL https://raw.githubusercontent.com/ducaale/xh/master/install.sh | sh

#Python setup script
COPY setup.py /tmp/
COPY realm.json /tmp/

COPY mytruststore.jks /opt/keycloak/conf/truststore.jks
COPY mykeystore.jks /opt/keycloak/conf/keystore.jks
COPY keycloak.conf /opt/keycloak/conf/keycloak.conf
COPY certificate.crt /opt/keycloak/conf/certificate.crt
COPY private.key /opt/keycloak/conf/private.key

FROM quay.io/keycloak/keycloak:latest
# COPY --from=builder /opt/keycloak/ /opt/keycloak/
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
# COPY --from=builder certificate.crt /opt/keycloak/conf/certificate.crt
# COPY --from=builder private.key /opt/keycloak/conf/private.key


ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=scripts
# ENV KC_DB=postgres
# ENV KC_DB_URL={db_url}
# ENV KC_DB_USERNAME=admin
# ENV KC_DB_PASSWORD=admin
ENV KEYCLOAK_ADMIN=admin
ENV KEYCLOAK_ADMIN_PASSWORD=password
ENV KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/certificate.crt
ENV KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/private.key
#Entrypoint script
RUN /opt/keycloak/bin/kc.sh show-config
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start-dev"]

What am I doing wrong? Please help.
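Reading the Dockerfile above, certificate.crt and private.key are COPYed into the ubi-micro-build stage, but the final stage only copies lib/quarkus from builder, so the paths named in KC_HTTPS_CERTIFICATE_FILE and KC_HTTPS_CERTIFICATE_KEY_FILE never reach the image that actually runs. The script below is an added example (not from this thread or the Keycloak project) that checks a multi-stage Dockerfile for exactly that mistake; it runs on a constructed Dockerfile mirroring the one above and, as a simplification, treats any COPY/ADD in the final stage as providing its destination without tracing --from chains further back.

```python
import re

# Constructed sample with the same shape as the Dockerfile in the question:
# the TLS files land in a stage that the final stage never copies from.
SAMPLE_DOCKERFILE = """\
FROM quay.io/keycloak/keycloak:latest as builder
RUN /opt/keycloak/bin/kc.sh build

FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
COPY certificate.crt /opt/keycloak/conf/certificate.crt
COPY private.key /opt/keycloak/conf/private.key

FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
ENV KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/certificate.crt
ENV KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/private.key
"""

# Same file, with the certificate and key copied into the stage that runs.
FIXED_DOCKERFILE = SAMPLE_DOCKERFILE + """\
COPY --from=ubi-micro-build /opt/keycloak/conf/certificate.crt /opt/keycloak/conf/certificate.crt
COPY --from=ubi-micro-build /opt/keycloak/conf/private.key /opt/keycloak/conf/private.key
"""


def split_stages(dockerfile: str) -> list[list[str]]:
    """Group instructions by build stage; every FROM opens a new stage."""
    stages: list[list[str]] = []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("FROM "):
            stages.append([])
        if stages:
            stages[-1].append(line)
    return stages


def missing_tls_files(dockerfile: str) -> list[str]:
    """Return KC_HTTPS_*_FILE settings from the final stage whose path no
    COPY/ADD in that same stage writes (intermediate stages that are never
    referenced via --from contribute nothing to the runtime image)."""
    final = split_stages(dockerfile)[-1]
    provided: set[str] = set()
    wanted: dict[str, str] = {}
    for line in final:
        m = re.match(r"(COPY|ADD)\s+(?:--\S+\s+)*(.+)", line, re.I)
        if m:  # last token of a COPY/ADD is the destination in the image
            provided.add(m.group(2).split()[-1].rstrip("/"))
        m = re.match(r"ENV\s+(KC_HTTPS_CERTIFICATE(?:_KEY)?_FILE)=(\S+)", line)
        if m:
            wanted[m.group(1)] = m.group(2)
    return [f"{k}={v}" for k, v in wanted.items()
            if not any(v == p or v.startswith(p + "/") for p in provided)]


if __name__ == "__main__":
    print("missing in sample:", missing_tls_files(SAMPLE_DOCKERFILE))
    print("missing in fixed: ", missing_tls_files(FIXED_DOCKERFILE))
```

Separately, the image above bakes private.key and KEYCLOAK_ADMIN_PASSWORD into pushed layers; on ECS the task definition's secrets (Secrets Manager or SSM Parameter Store) or a mounted volume keep that material out of the registry.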

I add this when I create custom docker images from the keycloak base image:

WORKDIR /opt/keycloak
# this cert shouldn't be used, as it's just to stop the startup from complaining
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore

what do I do with my own certificates that were provided?

I don’t understand the question. Certificates from where?

“what do I do with my own certificates that were provided?”

The Docker RUN command @xgp provided will generate a certificate, bundle it into a key store and save it to conf/server.keystore in the docker image. So you won’t need your self signed certificate. This certificate will handle the connection from the load balancer to the ECS task. Then, at the load balancer, you would need to use a proper trusted certificate and that would handle public https from the user to the load balancer.
