Keycloak SSO Failing

[tsrats]

Hello all!

I am trying to implement SSO using a local Keycloak install, and having a tough time. Netbox and Keycloak both run as containers in Kubernetes. I have configured the remote auth for Keycloak, and also inserted the root CA for my deployment into the Netbox container. When I try to log in via Keycloak, I am redirected to the login, but upon returning to Netbox, I get the error:

Authentication failed: HTTPSConnectionPool(host='keycloak.local.com', port=443): Max retries exceeded with url: /auth/realms/home/protocol/openid-connect/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

I can get "further" by adding SOCIAL_AUTH_VERIFY_SSL: False to my config, but then I get the error:

Signature verification failed

Here is my config for netbox:

remoteAuth:
autoCreateUser: false
backend: social_core.backends.keycloak.KeycloakOAuth2
enabled: true
extraConfig:
- values:
SOCIAL_AUTH_KEYCLOAK_KEY: 'netbox'
SOCIAL_AUTH_KEYCLOAK_SECRET: 'secret_here'
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: 'MIIB....'
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: 'https://keycloak.local.com/auth/realms/home/protocol/openid-connect/auth'
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: 'https://keycloak.local.com/auth/realms/home/protocol/openid-connect/token'
SOCIAL_AUTH_KEYCLOAK_ID_KEY: 'email'
SOCIAL_AUTH_JSONFIELD_ENABLED: True
SOCIAL_AUTH_VERIFY_SSL: False

I followed this document (https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html) to set the Keycloak settings right.

Any help would be greatly appreciated!

[tsrats]

Ah, writing this out must have helped a bit. I realized there are 2 RS256 keys in my Keycloak, and I was using the Public Key from the one with Provider: rsa-enc-generated. I needed to use the one from rsa-generated.

This did not fix the SSL issue, however :(

[candlerb]

So what error do you now see?

[tsrats]

I still have the error:

Authentication failed: HTTPSConnectionPool(host='keycloak.local.com', port=443): Max retries exceeded with url: /auth/realms/home/protocol/openid-connect/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

I have added the CA certificate to the container, and if I enter the container I can curl my Keycloak's well-known URL and have no issues, as well as test with python requests and have no SSL errors. I'm at a loss for sure.

[jellestoel]

I still have the error:

Authentication failed: HTTPSConnectionPool(host='keycloak.local.com', port=443): Max retries exceeded with url: /auth/realms/home/protocol/openid-connect/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

I have added the CA certificate to the container, and if I enter the container I can curl my Keycloak's well-known URL and have no issues, as well as test with python requests and have no SSL errors. I'm at a loss for sure.

Some python libaries use their own cacerts bundle instead of system ca-certificates, the very popular requests library does this for instance
https://stackoverflow.com/questions/42982143/python-requests-how-to-use-system-ca-certificates-debian-ubuntu

try to append your root certificate to the certificate bundles in your python module folders
find venv/lib/python3.9 -type f -name "*.pem"

[tsrats]

Yay!! Adding this step to the Dockerfile worked for me:

RUN cat /root/rootCA.crt >> /opt/netbox/venv/lib/python3.9/site-packages/certifi/cacert.pem