There is no info for UCRV "keycloak/server/sso/fqdn", but there should be.
It is an app setting, you must set it with the UMC App Center module or by using univention-app. App settings are also represented as UCR variables. It is documented here: https://docs.software-univention.de/keycloak-app/latest/configuration.html#envvar-keycloak-server-sso-fqdn
I was aware of the function of the UCRV. I wanted it to be uniform, so regardless of the fact that this is in the manual, the description should be available for each UCR variable via CLI.
I think there is a bug about it, but I cannot find it. Having just a UCRV info will lead people into thinking that it is just a UCR variable, and wonder why it does not work. We need to make it explicit for every App setting that they may not be changed via UCR, or prevent modifying them via UCR at all.
We need to document that keycloak/server/sso/fqdn needs to be set on all servers in the domain. Otherwise, 92univention-management-console-web-server.inst will fail because univention-keycloak get-keycloak-base-url fails:

root@srv-bbs2-edu:~# univention-keycloak get-keycloak-base-url
HTTPSConnectionPool(host='ucs-sso-ng.example.de', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f8f17f8a0b8>: Failed to establish a new connection: [Errno -2] Name or service not known'))
ERROR: Could not connect to keycloak server on https://ucs-sso-ng.example.de/: HTTPSConnectionPool(host='ucs-sso-ng.example.de', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f8f17f8a0b8>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Please check the UCR settings for keycloak/server/sso/fqdn and keycloak/server/sso/path, and make sure that keycloak and apache are running on the keycloak server!
(In reply to Erik Damrose from comment #3)
> I think there is a bug about it, but I cannot find it. Having just a UCRV
> info will lead people into thinking that it is just a UCR variable, and
> wonder why it does not work. We need to make it explicit for every App
> setting that they may not be changed via UCR, or prevent modifying them via
> UCR at all.

So we use this bug to make that explicit?
(In reply to Christina Scheinig from comment #5)
> (In reply to Erik Damrose from comment #3)
> > I think there is a bug about it, but I cannot find it. Having just a UCRV
> > info will lead people into thinking that it is just a UCR variable, and
> > wonder why it does not work. We need to make it explicit for every App
> > setting that they may not be changed via UCR, or prevent modifying them via
> > UCR at all.
>
> So we use this bug to make that explicit?

I guess the bug you are looking for is this one: https://forge.univention.org/bugzilla/show_bug.cgi?id=57469
Cited from Bug 57687:
> Currently the documentation specifies e.g. in 'External FQDN different from
> internal UCS name' for 'Each Keycloak instance in your UCS domain' to
> perform the following configuration:
>
> SSO_FQDN="sso.internet.domain"
> ucr set keycloak/server/sso/fqdn="${SSO_FQDN}"
>
> This is also mandatory on replica and non-keycloak systems, otherwise tools
> like univention-keycloak will result in the following error message:
>
> root@ucs-replica:~# univention-keycloak get-keycloak-base-url
> HTTPSConnectionPool(host='ucs-sso-ng.univention-school.intranet', port=443):
> Max retries exceeded with url: / (Caused by
> SSLError(SSLCertVerificationError("hostname
> 'ucs-sso-ng.univention-school.intranet' doesn't match either of
> 'ucs-primary.univention-school.intranet', 'ucs-primary'")))
> ERROR: Could not connect to keycloak server on
> https://ucs-sso-ng.univention-school.intranet/:
>
> HTTPSConnectionPool(host='ucs-sso-ng.univention-school.intranet',
> port=443): Max retries exceeded with url: / (Caused by
> SSLError(SSLCertVerificationError("hostname
> 'ucs-sso-ng.univention-school.intranet' doesn't match either of
> 'ucs-primary.univention-school.intranet', 'ucs-primary'")))
>
> Please check the UCR settings for keycloak/server/sso/fqdn and
> keycloak/server/sso/path,
> and make sure that keycloak and apache are running on the keycloak server!
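The two failures reported in this thread (the "[Errno -2] Name or service not known" error when keycloak/server/sso/fqdn is unset or points at a name the host cannot resolve, and the SSLCertVerificationError hostname mismatch quoted from Bug 57687) can both be caught on each server before a join script such as 92univention-management-console-web-server.inst calls univention-keycloak. The preflight check below is an added example, not Univention code. It assumes that `ucr get <variable>` prints the variable's value (or an empty line when unset); the resolver and TLS connector are injectable so the classification can be tested offline, and the hostname ucs-sso-ng.example.de used in the tests is the constructed one from this thread.

```python
"""Preflight check for the Keycloak SSO endpoint as seen from one UCS host.

Added example, not Univention code. It turns the two failure signatures from
this bug into explicit checks so an administrator can verify every server in
the domain before join scripts (for example
92univention-management-console-web-server.inst) call univention-keycloak.
Assumption: `ucr get <variable>` prints the value, or an empty line when unset.
"""
import socket
import ssl
import subprocess

SSO_FQDN_VARIABLE = "keycloak/server/sso/fqdn"


def ucr_get(variable):
    """Read one UCR variable through the ucr CLI (assumed to print '' when unset)."""
    try:
        proc = subprocess.run(["ucr", "get", variable],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # not a UCS host, nothing to read
        return ""
    return proc.stdout.strip()


def resolve(fqdn):
    """Raise socket.gaierror when the name does not resolve ([Errno -2] case)."""
    socket.getaddrinfo(fqdn, 443, type=socket.SOCK_STREAM)


def tls_handshake(fqdn, port=443, timeout=5.0):
    """Open a verified TLS connection to fqdn; raises SSLCertVerificationError
    when the presented certificate does not cover fqdn (the replica case in
    Bug 57687, where the primary's certificate is served under the SSO name)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn):
            pass  # handshake completed and hostname verified


def check_sso_endpoint(fqdn, resolver=resolve, connector=tls_handshake):
    """Classify the state of the SSO endpoint from this host.

    Returns (status, detail); status is one of
    'unset', 'unresolvable', 'cert-mismatch', 'unreachable', 'ok'.
    resolver/connector are injectable so the logic can be exercised offline.
    """
    if not fqdn:
        return ("unset",
                f"{SSO_FQDN_VARIABLE} is empty; it is an app setting, set it via "
                "the App Center or univention-app on every server in the domain")
    try:
        resolver(fqdn)
    except socket.gaierror as exc:
        return ("unresolvable", f"{fqdn}: {exc}")
    try:
        connector(fqdn)
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError, test first
        return ("cert-mismatch", f"{fqdn}: {exc}")
    except (ssl.SSLError, OSError) as exc:       # refused, timeout, other TLS errors
        return ("unreachable", f"{fqdn}: {exc}")
    return ("ok", f"https://{fqdn}/ answers with a certificate valid for {fqdn}")


if __name__ == "__main__":
    status, detail = check_sso_endpoint(ucr_get(SSO_FQDN_VARIABLE))
    print(f"{status}: {detail}")
    raise SystemExit(0 if status == "ok" else 1)
```

Run it on every UCS system (not only the Keycloak host) after setting the app setting; a non-zero exit tells you which of the error classes from this thread univention-keycloak would hit on that machine.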
*** Bug 57687 has been marked as a duplicate of this bug. ***