docker - Keycloak SSL: renewing certbot certificates

Reposted. Author: 行者123. Updated: 2023-12-04 22:37:08

I have a Keycloak (docker) SSL setup that uses a certificate created with certbot, but after renewing the certificate the Keycloak instance still presents the invalid, expired certificate.
I have checked with openssl that the certificate I created is valid and sits in the /etc/x509/https folder. The file permissions are fine.
I even tried the following, but nothing forces it to pick up the new certificate:

  • restarting Keycloak
  • logging into the Keycloak docker instance and running /opt/jboss/tools/x509.sh - it says it regenerated a new set of files, but the timestamps seem to imply they are still the old .jks and .pk12
  • moving those files from /opt/jboss/keycloak/standalone/configuration/keystores to a new temporary folder and running x509.sh again, which created two new files. I restarted the docker instance - but it still shows the old certificate date

Does anyone know why the old certificate is not being refreshed? I believe this is a Keycloak issue rather than a certbot one.
Any help would be much appreciated.

    Best answer

    The simplest solution is to throw away the container, but that is not always desirable. There is, however, another way.
    AFAIK, x509.sh is supposed to run only once per container lifecycle. You can look at docker-entrypoint.sh in the repository to verify that x509.sh runs only when the container is initialised and never again. In earlier versions of docker-entrypoint.sh, x509.sh ran on every start, but although it was printing messages it did nothing.
    The current version of x509.sh performs the following steps:

  • Generate a random password:
      local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
  • Create a PKCS12 keystore with openssl:
      openssl pkcs12 -export \
        -name "${NAME}" \
        -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
        -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
        -out "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
        -password pass:"${PASSWORD}" >& /dev/null
  • Create a JKS keystore from the PKCS12 with keytool:
      keytool -importkeystore -noprompt \
        -srcalias "${NAME}" -destalias "${NAME}" \
        -srckeystore "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
        -srcstoretype pkcs12 \
        -destkeystore "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" \
        -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}" >& /dev/null
  • Configure the JKS keystore for Keycloak:
      $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-keystore.cli >& /dev/null

    If you modify x509.sh and remove all the redirects to /dev/null, you should see something like this:
      Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
      Importing keystore /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.pk12 to /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks...
      keytool error: java.io.IOException: keystore password was incorrect
      HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
      {
          "outcome" => "failed",
          "failure-description" => "WFLYCTL0212: Duplicate resource [
          (\"subsystem\" => \"elytron\"),
          (\"key-store\" => \"kcKeyStore\")
      ]",
          "rolled-back" => true
      }
      {
          "outcome" => "failed",
          "failure-description" => "WFLYCTL0212: Duplicate resource [
          (\"subsystem\" => \"elytron\"),
          (\"key-store\" => \"kcKeyStore\")
      ]",
          "rolled-back" => true
      }
    Modifying the Keycloak configuration with jboss-cli.sh fails. If you simply delete the keystores and run x509.sh, the newly generated random password will differ from the one in the Keycloak configuration file. Because x509-keystore.cli tries to add the parameters rather than update them, the password in the keystore and the password in the configuration will not match.
    Here is an alternative version of x509.sh, for renewal only, whose key points are shown below:
  • Extract the password currently in use from the Keycloak configuration:
      local PASSWORD=$(/opt/jboss/keycloak/bin/jboss-cli.sh --connect --output-json '/subsystem=elytron/key-store=kcKeyStore:read-attribute(name="credential-reference")' |sed -rn 's;.+"result" *: *\{"clear-text" *: *"([^"]+)".*;\1;p')
  • Extract the JKS keystore path from the Keycloak configuration:
      local JKS_KEYSTORE_PATH=$(/opt/jboss/keycloak/bin/jboss-cli.sh --connect --output-json '/subsystem=elytron/key-store=kcKeyStore:read-attribute(name="path")' |sed -rn 's;.+"result" *: *"([^"]+https[^"]+)".*;\1;p')
  • Assume the PKCS12 keystore differs only in its extension:
      local PKCS12_KEYSTORE_PATH=${JKS_KEYSTORE_PATH%.*}.pk12
  • Now that you know the password and the keystore paths, update the PKCS12 keystore:
      openssl pkcs12 -export \
        -name "${NAME}" \
        -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
        -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
        -out "${PKCS12_KEYSTORE_PATH}" \
        -password pass:"${PASSWORD}"
  • Finally, update the JKS one:
      keytool -importkeystore -noprompt \
        -srcalias "${NAME}" -destalias "${NAME}" \
        -srckeystore "${PKCS12_KEYSTORE_PATH}" \
        -srcstoretype pkcs12 \
        -destkeystore "${JKS_KEYSTORE_PATH}" \
        -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}"

    Full script:
      #!/bin/bash
      # declare -A (associative arrays) requires bash 4+, so run with bash, not sh.

      function check_var() {
          local name=$1
          local value=$2

          if [ -z "$value" ]; then
              echo "$name is not defined."
              exit 1
          fi
      }

      function autoregenerate_keystore() {
          # Keystore infix notation as used in templates to keystore name mapping
          declare -A KEYSTORES=( ["https"]="HTTPS" )

          local KEYSTORE_TYPE=$1
          check_var "KEYSTORE_TYPE" "$KEYSTORE_TYPE"

          # reading the password from the running Keycloak configuration
          # (the keystore must be re-encrypted with the same password Keycloak already knows)
          local PASSWORD=$(/opt/jboss/keycloak/bin/jboss-cli.sh --connect --output-json '/subsystem=elytron/key-store=kcKeyStore:read-attribute(name="credential-reference")' |sed -rn 's;.+"result" *: *\{"clear-text" *: *"([^"]+)".*;\1;p')
          check_var "PASSWORD" "$PASSWORD"

          # reading the jks keystore path from the configuration
          local JKS_KEYSTORE_PATH=$(/opt/jboss/keycloak/bin/jboss-cli.sh --connect --output-json '/subsystem=elytron/key-store=kcKeyStore:read-attribute(name="path")' |sed -rn 's;.+"result" *: *"([^"]+'$KEYSTORE_TYPE'[^"]+)".*;\1;p')
          check_var "JKS_KEYSTORE_PATH" "$JKS_KEYSTORE_PATH"

          if [ ! -f "${JKS_KEYSTORE_PATH}" ]; then
              echo "JKS keystore file does not exist!"
              exit 1
          fi

          # supposing that keystores were generated by x509.sh, hence the pk12 keystore is in the same location.
          local PKCS12_KEYSTORE_PATH=${JKS_KEYSTORE_PATH%.*}.pk12

          if [ ! -f "${PKCS12_KEYSTORE_PATH}" ]; then
              echo "PKCS12 keystore file does not exist!"
              exit 1
          fi

          # certbot-renewed key and certificate, mounted where x509.sh expects them
          local X509_KEYSTORE_DIR="/etc/x509/${KEYSTORE_TYPE}"
          local X509_CRT="tls.crt"
          local X509_KEY="tls.key"

          local NAME="keycloak-${KEYSTORE_TYPE}-key"

          if [ ! -f "${X509_KEYSTORE_DIR}/${X509_KEY}" ] || [ ! -f "${X509_KEYSTORE_DIR}/${X509_CRT}" ]; then
              echo "X509 files do not exist!"
              exit 1
          fi

          echo "Renewing ${KEYSTORES[$KEYSTORE_TYPE]} keystore via OpenShift's service serving x509 certificate secrets.."

          # overwrite the PKCS12 keystore in place, keeping the existing password
          openssl pkcs12 -export \
              -name "${NAME}" \
              -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
              -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
              -out "${PKCS12_KEYSTORE_PATH}" \
              -password pass:"${PASSWORD}"

          # re-import into the JKS keystore; keytool overwrites the existing alias
          keytool -importkeystore -noprompt \
              -srcalias "${NAME}" -destalias "${NAME}" \
              -srckeystore "${PKCS12_KEYSTORE_PATH}" \
              -srcstoretype pkcs12 \
              -destkeystore "${JKS_KEYSTORE_PATH}" \
              -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}"
      }

      autoregenerate_keystore "https"
    Name it x509-renewal.sh, for example, and copy it into your container:
      $ docker cp x509-renewal.sh my-keycloak-container:/opt/jboss/tools/
    Then run it:
      $ docker exec my-keycloak-container /opt/jboss/tools/x509-renewal.sh

    Renewing HTTPS keystore via OpenShift's service serving x509 certificate secrets..
    Importing keystore /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.pk12 to /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks...
    Warning: Overwriting existing alias keycloak-https-key in destination keystore
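A complementary check, added here and not part of the original answer: after the renewal script has run, confirm that the Keycloak endpoint actually serves the certbot certificate from /etc/x509/https/tls.crt (the symptom in the question was that it kept serving the old one). It also parses the jboss-cli `--output-json` result that the answer extracts with sed. The host name and port 8443 are assumptions about the HTTPS port your container publishes.

```python
import hashlib
import json
import ssl


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the certificate in a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha256(der).hexdigest()


def keystore_password_from_cli(cli_json: str) -> str:
    """Pull the clear-text keystore password out of jboss-cli --output-json.

    The answer's script runs the same read-attribute(name="credential-reference")
    command and greps it with sed; parsing the JSON tolerates whitespace,
    key order and escaping changes, and surfaces a failed outcome explicitly.
    """
    doc = json.loads(cli_json)
    if doc.get("outcome") != "success":
        raise RuntimeError("jboss-cli failed: %s" % doc.get("failure-description"))
    return doc["result"]["clear-text"]


def served_certificate(host: str, port: int = 8443) -> str:
    """PEM of the leaf certificate Keycloak presents on its HTTPS port (assumed 8443)."""
    return ssl.get_server_certificate((host, port))


def renewal_applied(disk_pem: str, served_pem: str) -> bool:
    """True only when the served certificate is byte-identical to the one on disk."""
    return pem_fingerprint(disk_pem) == pem_fingerprint(served_pem)


def check_keycloak(host: str, port: int = 8443,
                   cert_path: str = "/etc/x509/https/tls.crt") -> bool:
    """Compare the on-disk certbot certificate with what the endpoint serves."""
    with open(cert_path) as fh:
        disk_pem = fh.read()
    ok = renewal_applied(disk_pem, served_certificate(host, port))
    print("renewed certificate is live" if ok
          else "endpoint still serves a different (probably old) certificate")
    return ok


if __name__ == "__main__":
    # assumed host: run from inside the container, or substitute the published address
    check_keycloak("localhost")
```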

    Regarding docker - Keycloak SSL: renewing certbot certificates, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/64198340/
