Hello,
On installation of Keycloak, the corresponding join script fails:
Running 50keycloak.inst failed (exitcode: 2)
When running the join script manually with
univention-run-join-scripts --force --run-scripts 50keycloak.inst
the following error is shown in the join.log:
univention-run-join-scripts started
So 1. Jun 21:35:22 CEST 2025
univention-join-hooks: looking for hook type "join/pre-joinscripts" on server.mydomain.intranet
Found hooks:
RUNNING 50keycloak.inst
2025-06-01 21:35:26.565611296+02:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/keycloak/description/de
Setting ucs/web/overview/entries/admin/keycloak/description
Setting ucs/web/overview/entries/admin/keycloak/label
Setting ucs/web/overview/entries/admin/keycloak/link
Setting ucs/web/overview/entries/admin/keycloak/icon
Setting ucs/web/overview/entries/admin/keycloak/link-target
Module: create_portal_entries
No modification: cn=keycloak,cn=entry,cn=portals,cn=univention,dc=mydomain,dc=intranet
WARNING: cannot append cn=Domain Admins,cn=groups,dc=mydomain,dc=intranet to allowedGroups, value exists
Object exists: cn=ldapacl,cn=univention,dc=mydomain,dc=intranet
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,dc=mydomain,dc=intranet
Waiting for activation of the extension object 67keycloak: OK
Could not chdir to home directory /dev/null: Not a directory
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Multifile: /etc/postgresql/15/main/pg_hba.conf
Warning: The file '/etc/postgresql/11/main/pg_hba.conf' is not registered as an UCR template.
Multifile: /etc/postgresql/15/main/pg_hba.conf
Adding A record "ucs-sso-ng 192.168.0.50" to zone mydomain.intranet...
done
01.06.25 21:35:54.606 DEBUG_INIT
01.06.25 21:35:54.616 DEBUG_EXIT
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 453, in wrap_socket
cnx.do_handshake()
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 344, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 846, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 358, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 347, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 459, in wrap_socket
raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 668, in urlopen
**response_kw)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 402, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='ucs-sso-ng.mydomain.intranet', port=443): Max retries exceeded with url: /realms/master/protocol/openid-connect/token (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
I need help to debug this.
Best regards
sgat
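The traceback ends in `certificate verify failed` for `ucs-sso-ng.mydomain.intranet`, which only says that the client could not build a trusted chain, not whether the cause is an untrusted issuer, a missing intermediate, an expired certificate or a name that is not in the certificate's SAN. The following diagnostic is an added example (not part of the post above and not Univention code): it repeats the verification the join script's `requests` call performs, using only the standard library, classifies the OpenSSL error text, and on failure retrieves the presented certificate for inspection. It assumes the UCS CA certificate is at `/etc/univention/ssl/ucsCA/CAcert.pem`; the hostname and the `classify_ssl_error` categories are my own choices.

```python
"""Diagnose why TLS verification of an SSO/Keycloak endpoint fails.

Added example, not from the forum post or from Univention. Run as:
    python3 tls_diag.py ucs-sso-ng.mydomain.intranet
"""
import socket
import ssl

# Assumption: location of the UCS domain CA certificate (adjust if different).
UCS_CA_FILE = "/etc/univention/ssl/ucsCA/CAcert.pem"


def classify_ssl_error(message: str) -> str:
    """Map the text of an OpenSSL verification error to a likely cause.

    The bare 'certificate verify failed' seen in the join.log carries no reason;
    newer Python/OpenSSL builds append one, which is used when present.
    """
    m = message.lower()
    if "hostname mismatch" in m or "doesn't match" in m:
        return "hostname-mismatch"        # name not in the certificate's SAN
    if "self signed" in m or "self-signed" in m:
        return "untrusted-issuer"         # issuer not in the CA file used
    if "expired" in m:
        return "expired"
    if "unable to get local issuer" in m or "unable to get issuer" in m:
        return "missing-intermediate-or-ca"
    if "certificate verify failed" in m:
        return "verify-failed-unspecified"
    return "other"


def fetch_peer_cert_pem(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Retrieve the server certificate WITHOUT verifying it, for inspection only.

    The returned PEM is meant for `openssl x509 -noout -text`, never for trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def check_endpoint(host: str, port: int = 443, cafile: str = UCS_CA_FILE,
                   timeout: float = 5.0) -> dict:
    """Verify the endpoint against cafile with hostname checking, as requests does."""
    result = {"host": host, "port": port, "cafile": cafile, "ok": False}
    try:
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError as exc:
        result.update(error=str(exc), cause="cafile-unreadable")
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()   # only populated once verification passed
                result.update(ok=True,
                              subject=cert.get("subject"),
                              issuer=cert.get("issuer"),
                              san=cert.get("subjectAltName"),
                              not_after=cert.get("notAfter"))
    except ssl.SSLError as exc:
        result.update(error=str(exc), cause=classify_ssl_error(str(exc)))
        try:
            # Second, unverified connection purely to show what the server presented.
            result["peer_cert_pem"] = fetch_peer_cert_pem(host, port, timeout)
        except (OSError, ssl.SSLError) as inner:
            result["peer_cert_error"] = str(inner)
    except OSError as exc:
        result.update(error=str(exc), cause="connection-error")
    return result


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ucs-sso-ng.mydomain.intranet"
    print(json.dumps(check_endpoint(target), indent=2, default=str))
```

If `ok` is true here but the join script still fails, the difference is the trust store: `requests` uses its own bundle (or the one named in `REQUESTS_CA_BUNDLE`), so compare that path with the CA file this check used. If `cause` is `untrusted-issuer` or `missing-intermediate-or-ca`, inspect `peer_cert_pem` to see which CA actually issued the certificate on the SSO host, since the error means it is not the one in `cafile`.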