Univention Bugzilla – Bug 55613
Empty /etc/apache2/sites-available/univention-keycloak.conf after installation
Last modified: 2023-02-01 08:50:52 CET
After installation of keycloak app on 5.0-2 errata556 an empty /etc/apache2/sites-available/univention-keycloak.conf is created:

root@ucs:~# less /etc/apache2/sites-available/univention-keycloak.conf
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
# univention-config-registry ueberschrieben werden.
# Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
# /etc/univention/templates/files/etc/apache2/sites-available/univention-keycloak.conf
#
root@ucs:~#

See also https://help.univention.com/t/keycloak-installtion-after-remove/21057

Therefore, also the join script fails, because it cannot connect to the Keycloak App at ucs-sso-ng.domain.net port 443.

However, the template does exist, but is not used:

root@ucs:~# cat /etc/univention/templates/files/etc/apache2/sites-available/univention-keycloak.conf
@%@UCRWARNING=# @%@
@!@
sso_fqdn = configRegistry.get('keycloak/server/sso/fqdn', 'ucs-sso-ng.%s' % configRegistry.get('domainname'))
ssofqdn = {'ssofqdn': sso_fqdn}
import os.path
...

The UCRV is set to the correct value:

root@ucs:~# ucr search keycloak/server/sso/fqdn
keycloak/server/sso/fqdn: ucs-sso-ng.${domain}.net

... and the FQDN is resolved (to its IPv4 address, no IPv6 configured for that host though).

So, this seems different to the case of #55569 as the UCRV does exist and points to the default value of ucs-sso-ng.${domainname}

(adding CC: directly to DW as suggested by IS)
It works on my primary DN UCS 5.0-2 errata556. How is the system configured, are there additional apps installed? -> univention-app info Please also attach the appcenter.log to see the installation logs.
See attached appcenter.log and here's the univention-app info:

UCS: 5.0-2 errata556
Installed: admin-dashboard=2.1 keycloak=19.0.2-ucs1 letsencrypt=2.0.0-2 mailserver=12.0 prometheus-alertmanager=1.0 prometheus-node-exporter=2.0.1 self-service=5.0 self-service-backend=5.0 4.4/openid-connect-provider=2.2-konnect-0.33.11-2 4.4/prometheus=2.35.0-5

Hope this helps...
As theorized in the help article. My guess is that this line evaluates to False:

if enable_virtualhost and os.path.isfile('/etc/univention/ssl/%(ssofqdn)s/cert.pem' % ssofqdn) and os.path.isfile('/etc/univention/ssl/%(ssofqdn)s/private.key' % ssofqdn)

Therefore no proper apache conf is written. I would guess the certificates have been removed. Don't know why, though.
Indeed "ucr get ucs/server/sso/virtualhost" results in "false". No idea why, though. Maybe it's because I installed the Keycloak App months ago, shortly after it hit the App Center, but never configured it properly and then removed it again? When I set the UCRV to true, the Apache config is written as expected, the join script successfully runs and the /admin/ interface of keycloak is working. So, no idea why the UCRV wasn't set to true, but when saving the App Settings page, I would have expected that the variable should be set by the configuration. Maybe that's an issue with uninstallations and re-installations?
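
Added example, not part of the bug thread or of Univention's code: a check that mirrors the template condition quoted above and reports which term is false, plus a test for a rendered file that contains only the UCR warning header. Assumptions: a plain dict stands in for configRegistry, enable_virtualhost is read from the variable named in the last comment (the template excerpt does not show how it is derived), and the set of "true" values only approximates UCR's boolean handling.

```python
import os

# Values treated as "true"; an approximation of UCR boolean handling (assumption).
TRUTHY = {"true", "yes", "1", "enable", "enabled", "on"}


def failed_preconditions(ucr, ssl_root="/etc/univention/ssl"):
    """Return the terms of the template's `if` condition that are false.

    `ucr` is a plain dict standing in for configRegistry. The variable used
    for enable_virtualhost is the one named in the thread's last comment;
    an unset value is treated as false here (assumption).
    """
    failed = []
    # Same default as in the template excerpt quoted in the report.
    sso_fqdn = ucr.get("keycloak/server/sso/fqdn",
                       "ucs-sso-ng.%s" % ucr.get("domainname"))
    if str(ucr.get("ucs/server/sso/virtualhost", "")).lower() not in TRUTHY:
        failed.append("ucs/server/sso/virtualhost is not true")
    for name in ("cert.pem", "private.key"):
        path = os.path.join(ssl_root, sso_fqdn, name)
        if not os.path.isfile(path):
            failed.append("missing %s" % path)
    return failed


def renders_no_vhost(conf_text):
    """True if a rendered conf holds only comments and blank lines,
    i.e. just the UCR warning header, as in the report."""
    return all(not line.strip() or line.lstrip().startswith("#")
               for line in conf_text.splitlines())


if __name__ == "__main__":
    # Constructed sample values; on a UCS host, fill the dict from `ucr get`.
    sample = {"domainname": "example.test",
              "ucs/server/sso/virtualhost": "false"}
    for problem in failed_preconditions(sample):
        print(problem)
```

An empty list from failed_preconditions means every term of the quoted condition holds; if renders_no_vhost still returns True for the rendered file in that case, the cause lies elsewhere in the template.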