Docker Keycloak SSL: renewing a certbot certificate


I have a Keycloak (docker) SSL setup using a certificate created with certbot, but when the certificate is renewed, the Keycloak instance still shows the invalid, expired certificate. I have checked with openssl that the certificate I created is valid and that it is in the /etc/x509/https folder. There are no problems with the file permissions. I have even tried the following, but nothing forced it to pick up the new certificate:

  • restarting Keycloak
  • logging into the Keycloak docker instance and running /opt/jboss/tools/x509.sh - it says it regenerated a new set of files, but the date stamps seem to suggest they are still the old .jks and .pk12
  • moving those files from /opt/jboss/keycloak/standalone/configuration/keystores into a new temporary folder and running x509.sh again, which created two new files. I restarted the docker instance, but it still shows the old certificate dates

Does anyone know why the old certificate is not being refreshed? I believe this is a Keycloak issue rather than a certbot one.
Any help would be greatly appreciated.

    The simplest solution is to bring the container down, but that is not always desirable. There is, however, another way.

    AFAIK, x509.sh should run only once per container lifetime. You can look at the repository and verify that x509.sh is run only at container initialisation and never again. In earlier versions of docker-entrypoint.sh, x509.sh was run at every startup, but despite the messages it printed, it did nothing.

    The current version implements the following steps:

    • Generate a random password:

      local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
      
    • Create a PKCS12 keystore with openssl:

      openssl pkcs12 -export \
      -name "${NAME}" \
      -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
      -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
      -out "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
      -password pass:"${PASSWORD}" >& /dev/null
      
    • Create a JKS keystore from the PKCS12 one with keytool:

      keytool -importkeystore -noprompt \
      -srcalias "${NAME}" -destalias "${NAME}" \
      -srckeystore "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
      -srcstoretype pkcs12 \
      -destkeystore "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" \
      -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}" >& /dev/null
      
    • Configure the JKS keystore for Keycloak:

      $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-keystore.cli >& /dev/null
      
    If you modify x509.sh and remove all the redirections to /dev/null, you should see something like this:

    Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
    Importing keystore /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.pk12 to /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks...
    keytool error: java.io.IOException: keystore password was incorrect
    HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
    {
        "outcome" => "failed",
        "failure-description" => "WFLYCTL0212: Duplicate resource [
        (\"subsystem\" => \"elytron\"),
        (\"key-store\" => \"kcKeyStore\")
    ]",
        "rolled-back" => true
    }
    {
        "outcome" => "failed",
        "failure-description" => "WFLYCTL0212: Duplicate resource [
        (\"subsystem\" => \"elytron\"),
        (\"key-store\" => \"kcKeyStore\")
    ]",
        "rolled-back" => true
    }
    
    The Keycloak configuration could not be modified with jboss-cli.sh. If you just delete the keystores and run x509.sh, the newly generated random password will differ from the password in the Keycloak configuration file. Since x509-keystore.cli tries to add the parameters rather than update them, the password in the keystore and the password in the configuration will not match.

    Here is an alternative version of x509.sh intended only for updating; its key points are as follows:

    • Extract the currently used password from the Keycloak configuration:

      local PASSWORD=$(/opt/jboss/keycloak/bin/jboss-cli.sh --connect --output-json '/subsystem=elytron/key-store=kcKeyStore:read-attribute(name="credential-reference")' |sed -rn 's;.+"result" *: *\{"clear-text" *: *"([^"]+)".*;\1;p')
      
    • Extract the JKS keystore path from the Keycloak configuration:

      local JKS_KEYSTORE_PATH=$(/opt/jboss/keycloak/bin/jboss-cli.sh --connect --output-json '/subsystem=elytron/key-store=kcKeyStore:read-attribute(name="path")' |sed -rn 's;.+"result" *: *"([^"]+https[^"]+)".*;\1;p')
      
    • Assuming the PKCS12 keystore sits next to it and differs only by its extension:

      local PKCS12_KEYSTORE_PATH=${JKS_KEYSTORE_PATH%.*}.pk12
      
    • Now that you know the password and the keystore paths, update the PKCS12 keystore:

      openssl pkcs12 -export \
      -name "${NAME}" \
      -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
      -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
      -out "${PKCS12_KEYSTORE_PATH}" \
      -password pass:"${PASSWORD}"
      
    • And finally update the JKS one:

      keytool -importkeystore -noprompt \
      -srcalias "${NAME}" -destalias "${NAME}" \
      -srckeystore "${PKCS12_KEYSTORE_PATH}" \
      -srcstoretype pkcs12 \
      -destkeystore "${JKS_KEYSTORE_PATH}" \
      -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}"
      
    Full script:

      #!/bin/bash
      # Needs bash (associative arrays); the shebang lets the script be run directly via docker exec.

      function check_var() {
        local name=$1
        local value=$2
      
        if [ -z "$value" ]; then
          echo "$name is not defined."
          exit 1
        fi
      }
      
      function autoregenerate_keystore() {
        # Keystore infix notation as used in templates to keystore name mapping
        declare -A KEYSTORES=( ["https"]="HTTPS" )
      
        local KEYSTORE_TYPE=$1
        check_var "KEYSTORE_TYPE" $KEYSTORE_TYPE
      
        # reading password from configuration
        local PASSWORD=$(/opt/jboss/keycloak/bin/jboss-cli.sh --connect --output-json '/subsystem=elytron/key-store=kcKeyStore:read-attribute(name="credential-reference")' |sed -rn 's;.+"result" *: *\{"clear-text" *: *"([^"]+)".*;\1;p')
        check_var "PASSWORD" $PASSWORD
      
        # reading jks keystore path from configuration
        local JKS_KEYSTORE_PATH=$(/opt/jboss/keycloak/bin/jboss-cli.sh --connect --output-json '/subsystem=elytron/key-store=kcKeyStore:read-attribute(name="path")' |sed -rn 's;.+"result" *: *"([^"]+'$KEYSTORE_TYPE'[^"]+)".*;\1;p')
        check_var "JKS_KEYSTORE_PATH" $JKS_KEYSTORE_PATH
      
        if [ ! -f "${JKS_KEYSTORE_PATH}" ]; then
          echo "JKS keystore file does not exist!"
          exit 1
        fi
      
        # supposing that keystores were generated by x509.sh, hence pk12 keystore is in the same location.
        local PKCS12_KEYSTORE_PATH=${JKS_KEYSTORE_PATH%.*}.pk12
      
        if [ ! -f "${PKCS12_KEYSTORE_PATH}" ]; then
          echo "PKCS12 keystore file does not exist!"
          exit 1
        fi
      
        local X509_KEYSTORE_DIR="/etc/x509/${KEYSTORE_TYPE}"
        local X509_CRT="tls.crt"
        local X509_KEY="tls.key"
      
        local NAME="keycloak-${KEYSTORE_TYPE}-key"
      
        if [ ! -f "${X509_KEYSTORE_DIR}/${X509_KEY}" ] || [ ! -f "${X509_KEYSTORE_DIR}/${X509_CRT}" ]; then
          echo "X509 files does not exist!"
          exit 1
        fi
      
        echo "Renewing ${KEYSTORES[$KEYSTORE_TYPE]} keystore via OpenShift's service serving x509 certificate secrets.."
      
        openssl pkcs12 -export \
        -name "${NAME}" \
        -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
        -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
        -out "${PKCS12_KEYSTORE_PATH}" \
        -password pass:"${PASSWORD}"
      
        keytool -importkeystore -noprompt \
        -srcalias "${NAME}" -destalias "${NAME}" \
        -srckeystore "${PKCS12_KEYSTORE_PATH}" \
        -srcstoretype pkcs12 \
        -destkeystore "${JKS_KEYSTORE_PATH}" \
        -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}"
      }
      
      autoregenerate_keystore "https" 
    
    Name it, for example, x509-renewal.sh and copy it into your container:

    $ docker cp x509-renewal.sh my-keycloak-container:/opt/jboss/tools/
    
    Then run it:

    $ docker exec my-keycloak-container /opt/jboss/tools/x509-renewal.sh
    
    Renewing HTTPS keystore via OpenShift's service serving x509 certificate secrets..
    Importing keystore /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.pk12 to /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks...
    Warning: Overwriting existing alias keycloak-https-key in destination keystore
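After running a renewal like the one above, the question's "date stamps" check is best replaced by comparing what is actually inside the keystore with the PEM certificate certbot wrote. The following is an added example, not code from the question, the answer or the Keycloak project: it compares SHA-256 fingerprints (and notAfter dates) of a PEM certificate and of the certificate stored in the PKCS12 keystore that x509.sh and the renewal script maintain. The paths /etc/x509/https/tls.crt and .../keystores/https-keystore.pk12 follow the answer's layout and are assumptions; the keystore password is passed in as an argument (the answer shows how to read it from the Keycloak configuration with jboss-cli.sh).

```shell
#!/bin/bash
# Added example (not part of the original answer): verify that a renewed PEM
# certificate actually made it into the PKCS12 keystore by comparing
# SHA-256 fingerprints. Paths and alias are assumptions modelled on x509.sh.

# Print the SHA-256 fingerprint of a PEM certificate file (hex, no prefix).
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Print the SHA-256 fingerprint of the client certificate stored in a PKCS12
# keystore. $1 is the keystore file, $2 the keystore password (the value that
# Keycloak's elytron key-store credential-reference holds).
pkcs12_fingerprint() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when the PEM certificate and the keystore certificate are the
# same certificate, 1 when they differ, 2 when either could not be read.
keystore_matches_pem() {
  local pem=$1 p12=$2 pass=$3
  local a b
  a=$(pem_fingerprint "$pem") || return 2
  b=$(pkcs12_fingerprint "$p12" "$pass") || return 2
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Show the notAfter date of both certificates side by side; if the keystore
# line still shows the old expiry, the renewal script did not rewrite it.
report_expiry() {
  local pem=$1 p12=$2 pass=$3
  echo "PEM:      $(openssl x509 -in "$pem" -noout -enddate)"
  echo "keystore: $(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
                     | openssl x509 -noout -enddate)"
}

# Convenience wrapper for the layout used by x509.sh / x509-renewal.sh
# (assumed paths). Usage inside the container:
#   check_keycloak_https_keystore "$PASSWORD"
check_keycloak_https_keystore() {
  keystore_matches_pem /etc/x509/https/tls.crt \
    /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.pk12 "$1"
}
```

Run check_keycloak_https_keystore with the password extracted the way the answer's script does; a non-zero exit means the keystore still carries a different (typically the old) certificate, so Keycloak will keep serving it regardless of what certbot put in /etc/x509/https. The JKS file is derived from the PKCS12 one by keytool, so if you also want to inspect it, `keytool -list -v -keystore https-keystore.jks` prints the same SHA-256 fingerprint for the alias.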