Currently the documentation specifies e.g. in 'External FQDN different from internal UCS name' for 'Each Keycloak instance in your UCS domain' to perform the following configuration:

    SSO_FQDN="sso.internet.domain"
    ucr set keycloak/server/sso/fqdn="${SSO_FQDN}"

This is also mandatory on replica and non-keycloak systems, otherwise tools like univention-keycloak will result in the following error message:

    root@ucs-replica:~# univention-keycloak get-keycloak-base-url
    HTTPSConnectionPool(host='ucs-sso-ng.univention-school.intranet', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError("hostname 'ucs-sso-ng.univention-school.intranet' doesn't match either of 'ucs-primary.univention-school.intranet', 'ucs-primary'")))
    ERROR: Could not connect to keycloak server on https://ucs-sso-ng.univention-school.intranet/: HTTPSConnectionPool(host='ucs-sso-ng.univention-school.intranet', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError("hostname 'ucs-sso-ng.univention-school.intranet' doesn't match either of 'ucs-primary.univention-school.intranet', 'ucs-primary'")))
    Please check the UCR settings for keycloak/server/sso/fqdn and keycloak/server/sso/path, and make sure that keycloak and apache are running on the keycloak server!

Might be fixed by https://forge.univention.org/bugzilla/show_bug.cgi?id=57459, depending on the implementation. As the exact case / issue differs and there is no patch available, this is a separate report regarding the documentation update.

I have moved the information to Bug 57195, let's consolidate everything there.

*** This bug has been marked as a duplicate of bug 57195 ***