I am trying to deploy an application that uses PostgreSQL as database (the application is Keycloak). I have tried deploying it using Azure Postgres single server and Azure Postgres flexible server. I would prefer to deploy it using flexible server as it is newer, but unfortunately I am getting an error when using flexible server. When using single server it is working fine.
The error log is as follows:

```
ERROR: SSL error: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Algorithm constraints check failed on signature algorithm: SHA1withRSA
```
I found 2 links regarding this issue:

https://stackoverflow.com/questions/75697268/keycloak-on-azure-to-postgresql-certificates-do-not-conform-to-algorithm-constr
https://github.com/keycloak/keycloak/issues/17320#issuecomment-1461573077

These links say it's due to the Postgres database using the older SHA1 algorithm; some give a workaround, but none of them seem to make PostgreSQL flexible server work with the newer algorithm.
Can someone tell me how I can change the algorithm for Postgres flexible server? I have tried appending `&ssl_min_protocol_version=TLSv1.3` to the JDBC connection string, but it does not seem to work.

My connection string is: `jdbc:postgresql://<postgresservername>.postgres.database.azure.com:5432/keycloak?sslmode=require&ssl_min_protocol_version=TLSv1.3`
This effectively means that the flexible server cannot be used for keycloak. That is problematic IMO.
Has there been created a request on Azure Feedback as suggested in the answer?
@jesper I did manage to get this to work by downloading the DigiCert Global Root CA from this page: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-tls-ssl

I renamed it to AzurePostgres.crt and put it in the 'docker' folder (where my Dockerfile is located). Then I added this to my Dockerfile:

```dockerfile
COPY docker/AzurePostgres.crt /opt/keycloak/.postgresql/root.crt
```

The connection string parameters I use are `?sslmode=verify-full&ssl_min_protocol_version=TLSv1.3`
Full Dockerfile example I use to host Keycloak in an Azure App Service:

```dockerfile
# https://www.keycloak.org/server/containers
FROM quay.io/keycloak/keycloak:21.1 as builder

# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

# Configure a database vendor
ENV KC_DB=postgres

WORKDIR /opt/keycloak
RUN /opt/keycloak/bin/kc.sh build --cache=ispn

FROM quay.io/keycloak/keycloak:21.1
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# Trust anchor for sslmode=verify-full; pgjdbc reads it from $HOME/.postgresql/root.crt
COPY docker/AzurePostgres.crt /opt/keycloak/.postgresql/root.crt

ENV KC_DB=postgres
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
```
(You may want to change the version number to the latest, but I've tested this with 21.1).
(Any other environment variables are added in Azure AppSettings).
Currently it runs on one instance, I have yet to figure out how to add a keycloak cache stack for when we want to run this on multiple instances.
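Why pinning the downloaded root as root.crt sidesteps the SHA1withRSA constraint check, as an added Go illustration (not code from this thread, and not the real Azure certificate chain): the test PKI below is constructed with a CA that is itself cross-signed with SHA-1. Go's `crypto/x509` rejects SHA-1 signatures during path validation, the same class of check behind the Keycloak error, so trusting only the legacy root fails, while pinning the issuing CA directly as the trust anchor, which is what `root.crt` plus `sslmode=verify-full` does, succeeds because a trust anchor's own signature is never evaluated. All names, keys and the hostname are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const serverName = "db.example.invalid" // constructed hostname of the test database server
// issue signs a certificate for key; parent == nil makes it self-signed. For brevity every certificate carries the server-auth fields, which Verify enforces only on the leaf.
func issue(cn string, ca bool, alg x509.SignatureAlgorithm, key, parentKey *rsa.PrivateKey, parent *x509.Certificate) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true,
		SignatureAlgorithm: alg, DNSNames: []string{serverName}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// BuildChain constructs a test PKI: a self-signed legacy root cross-signs a newer "Global Root" with SHA-1, and that Global Root issues the server certificate with SHA-256.
func BuildChain() (legacy, global, server *x509.Certificate) {
	lk, _ := rsa.GenerateKey(rand.Reader, 2048)
	gk, _ := rsa.GenerateKey(rand.Reader, 2048)
	sk, _ := rsa.GenerateKey(rand.Reader, 2048)
	legacy = issue("Test Legacy Root", true, x509.SHA256WithRSA, lk, nil, nil)
	global = issue("Test Global Root CA", true, x509.SHA1WithRSA, gk, lk, legacy)
	server = issue(serverName, false, x509.SHA256WithRSA, sk, gk, global)
	return legacy, global, server
}
// VerifyServer validates server against one trust anchor, offering inter (may be nil) as an intermediate.
// An anchor's own signature is never checked, so pinning the Global Root directly (root.crt + sslmode=verify-full) keeps its SHA-1 signature off the verified path.
func VerifyServer(server, anchor, inter *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	if inter != nil {
		inters.AddCert(inter)
	}
	_, err := server.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots, Intermediates: inters})
	return err
}
```

`VerifyServer(server, legacy, global)` returns an error mentioning the insecure SHA1-RSA algorithm, while `VerifyServer(server, global, nil)` returns nil.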
@Hedgelot We understand that you are trying to use a newer algorithm with your Azure PostgreSQL flexible server but are encountering an error.
We wanted to verify that the flexible server does indeed use the older SHA1 algorithm. At this time, there is not a way to update the algorithm to the newer SHA256 algorithm.
The product group will need to make this change for customers. We invite you to create a feedback/product request over here on Azure Feedback to share your request and business justification so they can understand the ask. The product group watches the Azure Feedback site and should review your request.
We appreciate your understanding.