Add Letsencrypt Certificate to Keycloak Trusted Certificates - docker

We have the following setup:
A Keycloak Server on a VM installed as a docker container.
Server certificate via Lets Encrypt.
Two realms a and b.
Realm b is integrated into Realm a as an identity provider.
To achieve that it works, we had to import the certificate of the Keycloak server into the java trusted store. Now the login works and we can choose in realm a if we want to login with realm b. Unfortunately the process of importing the certificate comes with lots of manual effort (copy the certificate into the container, divide the chain into several files with only one certificate, call a function) and the certificates are just valid for 90 days. Of course we can automate this but the question is, is there an "official way" of doing this? Like mounting the Lets Encrypt certificate folder into the container and "done"? We are using the official jboss/keycloak container image.

The docker container should support this by setting the X509_CA_BUNDLE variable accordingly. See the docs here.
This creates the truststore for you and configures it in Wildfly. Details can be found in this and that script.

Related

Cert manager issuing certs for Strimzi kafka deployment

I am working on strimzi kafka.I want to deploy kafka with self signed certs issued by certmanager instead of strimzi operator/kafka provided selfsigned certs.
I have gone through the strizmi documentation but I didn't find solution to integrate cert manger with strimzi kafka/operator.
When we deploy kafka we can see many secrets(with certs) are being created in the namespace.If I want all those secrets/certs issued by certs manager to work with kafka how I can do it.
Thank you !!
You can use Cert Manager to provide a listener certificate s described in this blog post. But there is currently no easy way to use it for the internal CAs. You can follow this proposal which might make it possible in the future.

SSL local/remote Cert for DotNetCore API

I'm a newbie when it comes to certificates.
I'm building a Linux docker image with a Dot Net Core REST WebAPI app that will host the backend for a game. I plan to host this backend on Azure using a Container Instance.
I'd like all communication to be via SSL. I've created a self-signed cert for local communication from my Windows machine to the container. Once I registered it in my hosts file, the self-signed cert is working fine locally.
Now I'm ready to host on Azure. I'm prepared to obtain a CA cert, but am trying to work out how to maintain local access w/o cert errors as well as public access w/o cert errors without modifying the container between my local/debug sessions and the production/remote sessions. I'd prefer to have a single certificate, if possible.
Can anyone give me guidance on how to setup a cert for this situation? Seems like a common need, but I'm not finding resources to walk me through it. Thanks!

How to generate certs for secured connection from Celery to Redis

I'm following this tutorial, and adjusting the Celery-background related code to my project.
In my case I am operating in a Docker environment, and I have a secured site (i.e. https://localhost) which requires secured ssl communication.
The documentation in here shows an example on how to provide cert related files (keyfile, certfile, ca_certs).
But it is not clear to me how to create these files in the first place.
The tutorial in here shows how to create a custom certificate authority, and how to sign a certificate with it.
I followed the steps and created the 3 files:
keyfile - dev.mergebot.com.crt - the signed certificate (signed by myCA.pem)
ca_certs - dev.mergebot.com.key - private key to create a signed cert with "self-trusted CA"
certfile - myCA.pem - "self-trusted CA" certificate (filename in the tutorial: myCA.pem)
Note that I created these 3 files completely unrelated to Celery or Redis or Docker.
They were created in my local machine outside Docker. The files don't have the name of the Redis container and the Common Name in the cert was set to "foo"
When I use these files in my webapp, there is no connection from Celery to Redis.
Without ssl I do get a connection, so the overall environment aside from ssl is OK - see here
Is there any specific requirements to create the cert related files? (e.g. should the Common Name in the cert have the container name "redis", etc... )
Is there a way to test the validity of the certs without the app, e.g. by issuing a command from the container shell?
Thanks
I was able to generate the cert related files (keyfile, certfile, ca_certs) using the tutorial in here
I first tested that I can connect from my localhost to the "redis with ssl" docker container.
and I described the details here
Then I tested that I can connect from Celery docker container to the "redis with ssl" docker container
and I described the details here
Yes the certificate comman name should match the host name also the issuer of the certificate should be trusted by the client .
In your case since you are using a custom CA and generating the certs , the public cert of the CA should be in the trusted root of the client .
Additionally the certificate should be issued to the hostname in your case it will be localhost . Please do note that if you access the site from a remote machine by either using the fqdn or the Up the browser will flag an alert as invalid.
Also to verify the certificates , you can use the OpenSSL Verify option.

Trusting a certificate signed by a local CA from an AspNetCore-Api inside docker

I have the following scenario:
I want to run three services (intranet only) in windows docker containers on a windows host
an IdentityServer4
an Api (which uses the IdSvr for authorization)
a Webclient (which uses the api as Datalayer and the IdSvr for authorization)
All three services are running with asp.netcore 2.1 (with microsoft/dotnet:2.1-aspnetcore-runtime as base) and using certificates signed by a local CA.
The problem I'm facing now is that i cannot get the api or the webclient into trusting these certificates.
E.g. if I call the api the authentication-middleware tries to call the IdSvr but gets an error on GET '~/.well-known/openid-configuration' because of an untrusted ssl certificate.
Is there any way to get the services into trusting every certificate issued by the local CA? I've already tried this way but either I'm doing it wrong or it just doesn't work out.
Imho a docker container must have its own CertStore otherwise none trusted https connection would be possible. So my idea is to get the root certificate from the docker hosts CertStore (which trusts the CA) into the container but I don't know how to achieve this.

How to properly set up HTTPS for OnlyOffice

Following OnlyOffice's help center's instructions leads to the creation of security certificate declared as invalid by browsers, as it is self-signed.
The intention is to use OnlyOffice's server on Docker for NextCloud, which runs properly already on another server.
Currently, the certificates have been created in the directory suggested by the instructions:
/app/onlyoffice/DocumentServer/data/certs# ls
dhparam.pem onlyoffice.crt onlyoffice.csr onlyoffice.key
I have followed all the given steps, and it does not work.
Is there a way to use LetsEncrypt instead of self-signed certificates?
I am not an IT management person, I am a simple developer trying to use OSS to not use Google Docs etc. Take this into consideration when providing guidance, as what you may take for granted, I may not.
The problem that you are having is that a self-signed certificate is not trusted by anyone (anything).
You can create your own certificate using Let's Encrypt. You will either need to create a special file on your server or create a TXT record on your domain's DNS server.
Certbot Download
The following is for Linux. If you are running on Windows, try using ManuaLE (more info below)
Go to let's encrypt and download certbot. Then from the command line:
certbot certonly --manual --preferred-challenges dns -d mydomain.com
This command will prompt you to create a TXT record on your DNS server. After creating the record wait a few minutes before pressing ENTER to continue.
After your SSL certificate is created, copy and rename them to your desired location listed in your question.
Instructions for ManuaLE for Windows.
ManuaLE Download
manuale authorize mydomain.com
manuale issue mydomain.com
After your SSL certificate is created, copy and rename them to your desired location listed in your question.
Please restart the container, the DocumentServer will switch to https config.
Open the address of the DocumentServer in your browser. If that is available, it can be connected to your NextCloud instance.

Resources