Bug 56825 - Let's encrypt challenge fails for Keycloak domain because of HTTPS redirect
Status: RESOLVED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Keycloak
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2023-11-14 18:46 CET by Jan-Luca Kiok
Modified: 2024-02-15 16:59 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): External feedback, Workaround is available
Max CVSS v3 score:


Description Jan-Luca Kiok univentionstaff 2023-11-14 18:46:31 CET
Since version 21.1.2-ucs2 of Keycloak, it redirects from http to https. While preferable in most cases, this breaks Let's Encrypt's DNS challenge.

As a workaround the `<VirtualHost *:80>` directive can be removed from /etc/apache2/sites-available/univention-keycloak.conf, and after reloading the apache config the app should be able to refresh the certificates; but this of course breaks the redirect, while re-adding the redirect will break the next automatic refresh.
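As an added example (not Univention's shipped univention-keycloak.conf, whose contents are not shown here), a port-80 vhost that keeps the HTTP-to-HTTPS redirect for everything except the ACME HTTP-01 path, so the token file is served directly on port 80 and the renewal no longer depends on the HTTPS vhost serving it. The hostname and the token directory are placeholders; the Alias target must match where the ACME client writes its tokens, and mod_rewrite and mod_alias must be enabled.

```apache
# Added example, not the config shipped by the Keycloak app.
# Placeholders: keycloak.example.com and /var/www/.well-known/acme-challenge/
<VirtualHost *:80>
    ServerName keycloak.example.com

    # Answer HTTP-01 validation requests directly over plain HTTP.
    # Only the ACME client should write into this directory.
    Alias /.well-known/acme-challenge/ /var/www/.well-known/acme-challenge/
    <Directory /var/www/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect every other request to HTTPS, as the app's config already does.
    # The RewriteCond exempts the ACME path from the redirect.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After `apachectl configtest` and a reload, a plain-HTTP request to the challenge path should return 200 (or 404 for an unknown token) rather than a 301 to https.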
Comment 1 Philipp Hahn univentionstaff 2023-11-14 19:20:13 CET
(In reply to Jan-Luca Kiok from comment #0)
> Since version 21.1.2-ucs2 from Keycloak redirects from http to https. While
> preferable in most cases this breaks Let's encrypts DNS challenge.

Really *DNS* challenge?

- [HTTP-01 challenge](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) requires you to put the file on your web server, where forced http->https redirection would interfere; DNS is only required to make looking up your domain work for the Let's Encrypt robot.

- [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) only asks you to add a TXT DNS RR; no HTTP server is needed at all.
Comment 2 Jan-Luca Kiok univentionstaff 2023-11-15 09:06:26 CET
Oops, of course you are right: the HTTP challenge is affected.
Comment 4 Felix Botner univentionstaff 2024-02-15 14:44:37 CET
Hmm, I cannot reproduce this; asked on help for more info.
Comment 5 Felix Botner univentionstaff 2024-02-15 15:36:59 CET
Feedback from help: problem seems to be gone.

Please re-open if this happens again.