Keycloak installation after remove

We have a UCS 5.0.2 server in operation. We had installed and then reinstalled Keycloak on a test basis.
Now we wanted to install Keycloak again and get the following errors when running /usr/lib/univention-install/50keycloak.inst:

Waiting for activation of the extension object 67keycloak: OK
Could not chdir to home directory /dev/null: Not a directory
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Multifile: /etc/postgresql/11/main/pg_hba.conf
Multifile: /etc/postgresql/11/main/pg_hba.conf
Adding A record "ucs-sso-ng 10.40.32.9" to zone ****.**...
done
Restarting keycloak ...
Restarting keycloak ... done
Container is healthy, configuring Keycloak
Using bind-dn:
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 1356, in <module>
    exit(main())
  File "/usr/sbin/univention-keycloak", line 1352, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 1143, in init_keycloak_ucs
    kc_admin = KeycloakAdmin(server_url=opt.keycloak_url, username=opt.binduser, password=opt.bindpwd, realm_name=opt.realm, user_realm_name=DEFAULT_REALM, verify=opt.no_ssl_verify)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__
    self.get_token()
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token
    self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token
    return raise_error_from_response(data_raw, KeycloakGetError)
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response
    response_body=response.content)
keycloak.exceptions.KeycloakGetError: 404: b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.38 (Univention) Server at ucs-sso-ng.hkn.eu Port 443</address>\n</body></html>\n'
/usr/lib/univention-install/50keycloak.inst: FATAL:

On a test system I was able to recreate the error. Here is the way to the error.

  1. install Keycloak
  2. remove Keycloak
  3. install Keycloak again

The Apache conf is also not written. Does anyone have any idea what this could be due to?
All Keycloak remnants were removed before reinstalling (UCR, LDAP, PostgreSQL).

How can I proceed now?

Kind Regards

Dominik

Same over here: Keycloak app installs and fails to run because Apache config is empty:

root@ucs:~# less /etc/apache2/sites-available/univention-keycloak.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/apache2/sites-available/univention-keycloak.conf
#


root@ucs:~#

Contrary to your post the Apache config was missing right from the start, but removing and re-installing didn’t help either.

Another problem is that the join script doesn't work but throws a traceback:

RUNNING 50keycloak.inst
2023-01-27 20:10:49.123037165+01:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/keycloak/description/de
Setting ucs/web/overview/entries/admin/keycloak/description
Setting ucs/web/overview/entries/admin/keycloak/label
Setting ucs/web/overview/entries/admin/keycloak/link
Setting ucs/web/overview/entries/admin/keycloak/icon
Setting ucs/web/overview/entries/admin/keycloak/link-target
Module: create_portal_entries
No modification: cn=keycloak,cn=entry,cn=portals,cn=univention,dc=domain,dc=net
WARNING: cannot append cn=Domain Admins,cn=groups,dc=domain,dc=net to allowedGroups, value exists
Object exists: cn=ldapacl,cn=univention,dc=domain,dc=net
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,dc=domain,dc=net

Waiting for activation of the extension object 67keycloak: OK
Could not chdir to home directory /dev/null: Not a directory
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Enabling site univention-keycloak.
To activate the new configuration, you need to run:
  systemctl reload apache2
Warning: The file '/etc/postgresql/11/main/pg_hba.conf' is not registered as an UCR template.
Adding A record "ucs-sso-ng 31.172.x.y" to zone domain.net...
done
27.01.23 20:11:01.267  DEBUG_INIT
Restarting keycloak ...
Restarting keycloak ...  done
Container is healthy, configuring Keycloak
Using bind-dn:
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 1356, in <module>
    exit(main())
  File "/usr/sbin/univention-keycloak", line 1352, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 1143, in init_keycloak_ucs
    kc_admin = KeycloakAdmin(server_url=opt.keycloak_url, username=opt.binduser, password=opt.bindpwd, realm_name=opt.realm, user_realm_name=DEFAULT_REALM, verify=opt.no_ssl_verify)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__
    self.get_token()
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token
    self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token
    return raise_error_from_response(data_raw, KeycloakGetError)
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response
    response_body=response.content)
keycloak.exceptions.KeycloakGetError: 404: b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.38 (Univention) Server at ucs-sso-ng.domain.net Port 443</address>\n</body></html>\n'
/usr/lib/univention-install/50keycloak.inst: FATAL:
EXITCODE=2
20e0f3c2-1e39-4672-9b87-f3b28de99b3d
univention-join-hooks: looking for hook type "join/post-joinscripts" on ucs.domain.net
Found hooks:
1 Like

Hi,

hard to tell what exactly went wrong here. I just repeated the steps and it did not break. The problem is the apache file. It was written. It was just empty. (Well, the warning was written anyway)

If you take a look at the template that should have written a proper apache config:

head /etc/univention/templates/files/etc/apache2/sites-available/univention-keycloak.conf

[...]
if enable_virtualhost and os.path.isfile('/etc/univention/ssl/%(ssofqdn)s/cert.pem' % ssofqdn) and os.path.isfile('/etc/univention/ssl/%(ssofqdn)s/private.key' % ssofqdn):
[...]

You notice the if. Can you check:

  • ucr get ucs/server/sso/virtualhost
  • ls /etc/univention/ssl/ucs-sso-ng.$(ucr get domainname)/cert.pem
  • ls /etc/univention/ssl/ucs-sso-ng.$(ucr get domainname)/private.key

The last two points may differ if you overwrote the FQDN of your Keycloak: ucr get keycloak/server/sso/fqdn. Maybe these certificates are missing? Which server role have you installed Keycloak on? If it is not the Primary Directory Node, do these files exist there?

Kind regards,
Dirk

3 Likes
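The three checks Dirk lists above, mirroring the `if` in the UCR template, collected into one small diagnostic. This is an added example and not Univention's own tooling; it assumes the default SSO FQDN `ucs-sso-ng.<domainname>` unless `keycloak/server/sso/fqdn` overrides it, and the `check_sso_vhost_preconditions` function takes the values as arguments so it can be exercised without a UCS host.

```shell
#!/bin/sh
# Diagnostic for the "empty univention-keycloak.conf" symptom from this thread.
# Added example, not Univention code. The template only renders the vhost when
# ucs/server/sso/virtualhost is enabled AND both the SSO certificate and the
# private key exist; this prints every precondition that does not hold.

# check_sso_vhost_preconditions VIRTUALHOST_VALUE CERT_PATH KEY_PATH
# Returns 0 when the vhost would be rendered, 1 otherwise (one reason per line).
check_sso_vhost_preconditions() {
    vh="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    cert="$2"
    key="$3"
    rc=0
    # Same spellings UCR treats as "true" for boolean variables.
    case "$vh" in
        true|yes|1|on|enable|enabled) ;;
        *) echo "ucs/server/sso/virtualhost is '$1' (needs true): template writes an empty vhost"; rc=1 ;;
    esac
    if [ ! -f "$cert" ]; then
        echo "missing SSO certificate: $cert"
        rc=1
    fi
    if [ ! -f "$key" ]; then
        echo "missing SSO private key: $key"
        rc=1
    fi
    return $rc
}

# Live wrapper for a UCS host: reads the real values from UCR.
# Assumption: default FQDN ucs-sso-ng.<domainname> unless keycloak/server/sso/fqdn is set.
check_sso_vhost_on_host() {
    ssofqdn="$(ucr get keycloak/server/sso/fqdn)"
    [ -n "$ssofqdn" ] || ssofqdn="ucs-sso-ng.$(ucr get domainname)"
    check_sso_vhost_preconditions "$(ucr get ucs/server/sso/virtualhost)" \
        "/etc/univention/ssl/$ssofqdn/cert.pem" \
        "/etc/univention/ssl/$ssofqdn/private.key"
}

# Only run the live check where ucr exists (i.e. on a UCS system).
if command -v ucr >/dev/null 2>&1; then
    if check_sso_vhost_on_host; then
        echo "all preconditions hold: the Keycloak vhost should be rendered"
    else
        echo "the Keycloak vhost will NOT be rendered until the above is fixed"
    fi
fi
```

Run it on the node where Keycloak is installed; if it reports the virtualhost variable, `ucr set ucs/server/sso/virtualhost=true` and re-running the join script is the path the thread confirms. A missing certificate or key on a non-Primary node points at the certificate-distribution question Dirk raises rather than at the UCR variable.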

I can confirm that when this UCRV is set to false, the Apache config file is empty and setting ucs/server/sso/virtualhost=true will fix this and generates a working Apache config.

However, it is unclear to me why the UCRV is set to false after editing & saving the App Settings page for Keycloak?

For completeness:
The SSL cert does exist and is valid and the keycloak/server/sso/fqdn is the default ucs-sso-ng.
But I remember that I set the SSO FQDN in the past (months ago, shortly after the app hit the App Center) to a different FQDN. Maybe this is the root cause of this issue?

2 Likes

Thank you!!!
It works fine!!!
