Connection refused for Keycloak certs URL

Hello,

We are trying to create a Java POC with self-managed local Camunda 8. We are using the camunda-platform project branch stable/8.4, which creates the Docker containers.

We couldn’t get past the error with basic authentication mentioned here:

So we are trying to use Keycloak instead. It looks like we are now authenticating but when trying to make a call to Tasklist like below:

    TaskSearch ts = new TaskSearch().setProcessDefinitionKey("agreement_review");
    TaskList tasksFromInstance = camundaTaskListClient.getTasks(ts);

We get the following error in our app:

    2024-03-25T18:27:34.266Z ERROR 43900 --- [nio-9001-exec-4] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path threw exception [Request processing failed: io.camunda.tasklist.exception.TaskListException: Error searching tasks] with root cause

    io.camunda.tasklist.generated.invoker.ApiException: searchTasks call failed with: 302 - [no body]
        at io.camunda.tasklist.generated.api.TaskApi.getApiException(TaskApi.java:68) ~[camunda-tasklist-client-java-8.4.0.3.jar:na]
        at io.camunda.tasklist.generated.api.TaskApi.searchTasksWithHttpInfo(TaskApi.java:577) ~[camunda-tasklist-client-java-8.4.0.3.jar:na]
        at io.camunda.tasklist.generated.api.TaskApi.searchTasks(TaskApi.java:551) ~[camunda-tasklist-client-java-8.4.0.3.jar:na]
        at io.camunda.tasklist.CamundaTaskListClient.getTasks(CamundaTaskListClient.java:443) ~[camunda-tasklist-client-java-8.4.0.3.jar:na]

Looking at the tasklist container log I can see the following error:

    Caused by: org.springframework.security.oauth2.jwt.JwtException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/certs": Connection refused
    2024-03-25T18:32:38.116246812Z at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:173) ~[spring-security-oauth2-jose-6.1.7.jar!/:6.1.7]

Can we disable certificates or do we need to load/save the ones defined in Keycloak (http://localhost:18080/auth/admin/master/console/#/camunda-platform/realm-settings/keys) somewhere?

Thanks in advance for any help,
Dave.

Hi @daveclendscape
Have you tried to set the SSL to None?

Hi @Alex_Voloshyn,

Thanks for the suggestion, I tried that but got the same result. I have found simply removing the line SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI from docker-compose.yaml fixed my problem.


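With default Compose networking, `localhost` inside the tasklist container is the container itself, so the JWK set URL in the log above only resolves from the host. As an added example (not part of the thread or of the camunda-platform project), this check scans Compose text for environment URLs whose host is loopback. The sample fragment, the `worker` service and the `EXAMPLE_*` variables are constructed, and two-space indentation is assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not the project's docker-compose.yaml. The JWK set variable
# and its URL are taken from the thread; "worker" and EXAMPLE_* are hypothetical.
SAMPLE_COMPOSE = """\
services:
  tasklist:
    environment:
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/certs
      - EXAMPLE_ISSUER_URI=http://keycloak:8080/auth/realms/camunda-platform
  worker:
    image: example/worker
    environment:
      EXAMPLE_TOKEN_URL: "http://127.0.0.1:18080/token"
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ENV_ENTRY = re.compile(r"-?\s*([A-Za-z_]\w*)\s*[=:]\s*(\S+)")


def loopback_urls(compose_text):
    """Return (service, variable, url) for each env URL whose host is loopback.

    Assumes two-space indentation: services at 2, their keys at 4, entries deeper.
    """
    findings, service, in_env = [], None, False
    for raw in compose_text.splitlines():
        line = raw.split(" #")[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        indent, text = len(line) - len(line.lstrip()), line.strip()
        if indent == 2 and text.endswith(":"):
            service, in_env = text[:-1], False   # new service block
        elif indent == 4:
            in_env = text == "environment:"      # entering or leaving environment
        elif in_env and indent > 4:
            m = ENV_ENTRY.match(text)
            if not m:
                continue
            value = m.group(2).strip("\"'")
            if value.startswith(("http://", "https://")) and \
                    urlsplit(value).hostname in LOOPBACK:
                findings.append((service, m.group(1), value))
    return findings


if __name__ == "__main__":
    for service, var, url in loopback_urls(SAMPLE_COMPOSE):
        print(f"{service}: {var} -> {url} (loopback inside the container)")
```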