Creating certificate for Keycloak server

I appreciate the mission of Let's Encrypt and all the effort of community members but damn SSL should be easier! :slight_smile:

I'm trying to secure a Keycloak server and I'm hitting walls everywhere I turn. Here's a quick overview of what's happened thus far and the problems I'm running into. Linux is not a familiar environment but I'd like it to be more so, so if anyone has any pointers explicitly spelled out I'd be very grateful:

  • Installed CentOS 8 minimal version
  • Did updates
  • Installed Java 1.8.0 as Keycloak requires this and is based on WildFly/JBoss
  • Installed Keycloak and did various config set up
  • Keycloak is running
  • Dutifully followed the instructions to install snapd - not sure why I wouldn't be able to use wget?
  • Installed Certbot
  • Tried getting a certificate using standalone and it said the challenge failed

Issues:

  • So, Keycloak runs on port 8080 and I believe Certbot is checking 80 by default
  • I tried --preferred-challenges to have it check on port 443 (for other reasons) but it's rejecting tls-sni
  • I honestly have no idea if this server is running apache, Nginx or something else, but it is a working Keycloak installation
  • I do have a subdomain pointing to the server and would be willing (and in fact this might be preferable) to do some sort of DNS challenge but that involves installing some other package? This isn't clear to me either.

I tried all last night to get past these barriers, googling everything and still did not succeed. For experienced web server folks this might be a walk in the park but for newbies... I know I have more challenges coming my way with a pkcs12 conversion, but we'll cross that bridge when we get to it. If I can get this cert issued and get it in the /etc/letsencrypt folder, I might have enough examples to get the rest done.

So, could anyone help with simple instructions on how to do the challenge using DNS - that avoids all the port issues and would seem the simplest way forward. Thanks folks, I really appreciate it.


Hi @soundsessential

simple answer: That's client specific.

So check the documentation of the client you want to use.

Welcome Back to the Let's Encrypt Community :slightly_smiling_face:

There are a lot of variables in play here, especially those related to your DNS and hosting providers. It certainly should be possible to get this to work. At the very least you can perform manual dns-01 challenge(s) with certbot.

sudo certbot certonly --manual --preferred-challenges dns -d "yourdomain.com,www.yourdomain.com,*.yourdomain.com,whatever"

You can look into automating this approach with a DNS plugin that works for your DNS provider:


Do you have anything already operating on port 80? If not, we can probably get standalone to work for you.


Jonathan - thanks again for helping out. I still haven't managed to get the Ruby app up and running with SSL but that's on the back burner for another day. Perhaps this project is pushing me closer on that one too.

So, I have finally got standalone to work. I opened port 80 on the Linux box, changed port 80 to point to that machine in my router and the http challenge went through. I'd rather not have port 80 point at that machine but if I wish to auto renew then I think I have no option right?

Auto renew does seem easier with http than DNS so that's one benefit. I'm over this hurdle having downloaded a cert! Still more road lies ahead but one step at a time... :+1:

Regarding DNS, consider this to be, hopefully useful, feedback for wider adoption, but I had found that documentation previously in the link you kindly posted and had gone over it, figured I needed to install a plugin, but for the life of me couldn't find how to do that. Maybe it's staring me in the face. Maybe more experienced Linux developers just know, but it's a barrier to entry. SSL and encryption are essential but it's still too hard for those that are not immersed in it daily. Maybe a library of tutorials for various applications on various operating systems that people could follow step by step would help - I'd be happy to contribute for Keycloak. Maybe one day it's baked into Linux distributions by default and just works out of the box. Hopefully it gets easier over time for all.

Finally, I did try your DNS challenge code above and that did work, so thank you for that too. I will keep that handy in case of going to wildcard or dropping port 80 requirements. And in my lengthy searches, I did come across this for auto renewing via DNS and Go Daddy: Automating Let's Encrypt Certificate Renewal using DNS Challenge Type — Chariot Solutions

Perhaps one day I'll give that a go, for now I've got my cert and can continue the quest! :partying_face:

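The post above reaches the point where the certificate sits in /etc/letsencrypt and the next hurdle is the PKCS#12 conversion for Keycloak, plus keeping renewals automatic. The script below is an added example, not code from this thread or from the Keycloak project: a certbot deploy hook that bundles the renewed privkey.pem and fullchain.pem into a PKCS#12 keystore and restarts Keycloak. The keystore path, the "keycloak" systemd unit name and the KEYSTORE_PASS environment variable are assumptions; the lineage layout (/etc/letsencrypt/live/<name>/privkey.pem and fullchain.pem) and the RENEWED_LINEAGE variable are certbot's own conventions.

```shell
#!/bin/sh
# Added example, not code from the thread: a certbot --deploy-hook that turns the
# PEM files certbot writes under /etc/letsencrypt/live/<name>/ into the PKCS#12
# keystore Keycloak (WildFly) expects, then restarts the service. Assumptions,
# adjust to your host: the keystore path below, the "keycloak" systemd unit name,
# and the keystore password supplied in the KEYSTORE_PASS environment variable.
set -eu

KEYSTORE=/opt/keycloak/standalone/configuration/keycloak.p12   # assumed path

# build_keycloak_keystore <lineage_dir> <out_p12>
# Bundles privkey.pem + fullchain.pem from a certbot lineage directory into a
# PKCS#12 file under alias "keycloak", written to a temp file first and then
# moved into place so a half-written keystore is never picked up by Keycloak.
build_keycloak_keystore() {
  lineage=$1
  out=$2
  : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}"
  if [ ! -r "$lineage/privkey.pem" ] || [ ! -r "$lineage/fullchain.pem" ]; then
    echo "build_keycloak_keystore: missing privkey.pem/fullchain.pem in $lineage" >&2
    return 1
  fi
  umask 077   # the temp file and the keystore are created owner-readable only
  tmp=$(mktemp "$out.XXXXXX")
  # env:KEYSTORE_PASS keeps the password out of the process list; pass:... would expose it.
  openssl pkcs12 -export \
    -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
    -name keycloak -passout env:KEYSTORE_PASS -out "$tmp"
  mv -f "$tmp" "$out"
  chmod 0600 "$out"
}

# keystore_subject <p12>
# Prints the subject of the leaf certificate in the keystore: a quick check that
# the file opens with KEYSTORE_PASS and carries the certificate you expect.
keystore_subject() {
  openssl pkcs12 -in "$1" -passin env:KEYSTORE_PASS -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# certbot exports RENEWED_LINEAGE when it runs a deploy hook; outside certbot
# (for example when the functions are sourced for a test) nothing below runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  build_keycloak_keystore "$RENEWED_LINEAGE" "$KEYSTORE"
  keystore_subject "$KEYSTORE"
  systemctl restart keycloak   # assumed unit name
fi
```

Register the hook once, for example `certbot certonly --standalone -d auth.example.com --deploy-hook /usr/local/bin/keycloak-deploy-hook.sh` (hostname and path are placeholders); certbot stores the hook in the renewal config and runs it again after every successful `certbot renew`, so the standalone renewal still needs port 80 reachable each time, as the post above notes. Point Keycloak's HTTPS listener at the resulting keystore with the same password. One caveat: OpenSSL 3 writes AES/PBKDF2-encrypted PKCS#12 by default, which some older JDK 8 updates cannot read; if Keycloak rejects the keystore, add `-legacy` to the `openssl pkcs12 -export` call or move to a newer Java.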

I'll let you in on something. I've developed my own ACME client specifically targeted at GoDaddy shared hosting users (though it will work for anyone). It's a simple PHP file that you just drop into the webroot directory for the webserver that serves content over port 80. Go to the page in your browser, fill in your email, domain, and any subdomains then click a button and bam: there's your certificate, intermediate, and private key. Simple, simple. It does require a functioning webserver operating on port 80 though. It's in beta testing right now and should be released within the next couple of days.

