Problem: 92univention-management-console-web-server.inst fails with Could not connect to keycloak server

Problem:

ERROR: Could not connect to keycloak server on https://ucs-sso-ng.univention-school.intranet/:
 
        HTTPSConnectionPool(host='ucs-sso-ng.univention-school.intranet', port=443): Max retries exceeded with url: // (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:992)')))
 
Please check the UCR settings for keycloak/server/sso/fqdn and keycloak/server/sso/path,
on the Keycloak App server and check that it matches the UCR setting for ucs/server/sso/uri on this host.
Make sure that keycloak and apache are running on the keycloak server!
HTTPSConnectionPool(host='ucs-sso-ng.univention-school.intranet', port=443): Max retries exceeded with url: // (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:992)')))

Solution:

  1. Make sure keycloak/server/sso/fqdn is set correctly on the Keycloak app server.

  2. Check that the CA certificates are present in /usr/local/share/ca-certificates/

  3. Make sure the certificate files are real PEM certificates and not plain text. The file command tells them apart:

    file /usr/local/share/ca-certificates/MyOwnRootCA.crt
    /usr/local/share/ca-certificates/MyOwnRootCA.crt: Unicode text, UTF-8 text

    -> wrong: the file is text, not a PEM certificate

    file /etc/ssl/certs/MyOwnSubCA1.pem
    /etc/ssl/certs/MyOwnSubCA1.pem: PEM certificate

    -> correct

  4. Run univention-keycloak get-keycloak-base-url and check that it returns the expected Keycloak URL:
    https://ucs-sso-ng.univention-school.intranet

  5. Check that no UCR policy still sets umc/saml/idp-server to the old SAML path. A warning like the following indicates such an override:
    umc/saml/idp-server is overridden by scope "ldap"

    ucr set umc/saml/idp-server='https://ucs-sso-ng.univention-school.intranet/realms/ucs/protocol/saml/descriptor'
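The check from steps 2 and 3 can be scripted so that every file in the CA directory is tested at once. This is an added example, not part of the original post or of UCS itself: it reports the same defects that make file print "UTF-8 text" instead of "PEM certificate" (a UTF-8 BOM, CRLF line endings, or text that does not start with the PEM header at byte 0) and, when openssl is installed, additionally checks that the body parses as an X.509 certificate. The CA_DIR variable and the sample files it creates are constructed for the demonstration; on a real host point CA_DIR at /usr/local/share/ca-certificates.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every .crt file in a
# ca-certificates directory is a PEM certificate in the form that `file` and
# update-ca-certificates recognise. CA_DIR and the sample files are constructed.

PEM_HEADER='-----BEGIN CERTIFICATE-----'
PEM_FOOTER='-----END CERTIFICATE-----'

# check_pem_format FILE
# Returns 0 only if the PEM header sits at byte 0 (so no UTF-8 BOM, no blank
# line or stray text before it), the footer is present, and lines end in LF.
# Each of those defects makes `file` report "UTF-8 text" instead of "PEM certificate".
check_pem_format() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(head -c 27 "$f")" = "$PEM_HEADER" ] || return 1     # 27 = header length
    grep -q -- "$PEM_FOOTER" "$f" || return 1
    if grep -q "$(printf '\r')" "$f"; then
        return 1                                              # CRLF line endings
    fi
    return 0
}

# check_cert_parses FILE
# Deeper check when openssl is installed: the base64 body must decode to an
# X.509 certificate. Returns 0 when openssl is absent so the format check decides.
check_cert_parses() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# check_ca_dir DIR
# Prints one line per .crt file; the return value is the number of defective files.
check_ca_dir() {
    dir="$1"
    bad=0
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        if check_pem_format "$f" && check_cert_parses "$f"; then
            printf 'OK   %s\n' "$f"
        else
            printf 'BAD  %s (not a PEM certificate; re-export it as PEM)\n' "$f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_sample_dir DIR
# Constructed sample files: one good certificate (self-signed via openssl when
# available, otherwise a placeholder PEM block) and three typical defects.
make_sample_dir() {
    dir="$1"
    printf '%s\n' 'this is a certificate pasted as plain text' > "$dir/text.crt"
    { printf '\357\273\277'; printf '%s\n' "$PEM_HEADER" 'MIIB' "$PEM_FOOTER"; } > "$dir/bom.crt"
    printf '%s\r\n' "$PEM_HEADER" 'MIIB' "$PEM_FOOTER" > "$dir/crlf.crt"
    if command -v openssl >/dev/null 2>&1; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/good.key" \
            -out "$dir/good.crt" -subj '/CN=constructed-demo-ca' -days 1 >/dev/null 2>&1
        rm -f "$dir/good.key"
    else
        printf '%s\n' "$PEM_HEADER" 'MIIB' "$PEM_FOOTER" > "$dir/good.crt"
    fi
}

# Usage: CA_DIR=/usr/local/share/ca-certificates sh check-ca-certs.sh
# Without CA_DIR a constructed sample directory is checked instead.
if [ -n "${CA_DIR:-}" ]; then
    check_ca_dir "$CA_DIR"
else
    sample=$(mktemp -d)
    make_sample_dir "$sample"
    check_ca_dir "$sample"
    printf '%d defective file(s) in sample directory\n' "$?"
    rm -rf "$sample"
fi
```

Any file reported as BAD should be re-exported from the CA as a PEM certificate (for example with openssl x509 -outform PEM) and update-ca-certificates run again before re-running the join script.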
    

Investigation:

openssl s_client -connect ucs-sso-ng.univention-school.intranet:443 -showcerts

should show all certificates in the chain. Note that it validates the certificates differently than curl -v does!
univention-keycloak get-keycloak-base-url must work on the server, because the join script needs it in order to finish.

HTTPSConnectionPool(host='ucs-sso-ng.univention-school.intranet', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f8f17f8a0b8>: Failed to establish a new connection: [Errno -2] Name or service not known'))
ERROR: Could not connect to keycloak server on https://ucs-sso-ng.univention-school.intranet/:

HTTPSConnectionPool(host='ucs-sso-ng.univention-school.intranet', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f8f17f8a0b8>: Failed to establish a new connection: [Errno -2] Name or service not known'))

Please check the UCR settings for keycloak/server/sso/fqdn and keycloak/server/sso/path,
and make sure that keycloak and apache are running on the keycloak server!

If you are using your own certificates, check this article starting with step 4a.
