This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 66%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
I am trying to deploy an application that uses PostgreSQL as database. (The application is Keycloak). I have tried deploying it using Azure postgres single server and Azure postgres flexible server. I would prefer to deploy it using flexible server as it is newer, but unfortunatley I am getting an error when using flexible server. When using single server it is working fine. The error log is as follows:
ERROR: SSL error: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Certificates do not conform to algorithm constraints
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Algorithm constraints check failed on signature algorithm: SHA1withRSA
I found 2 links regarding this issue : https://stackoverflow.com/questions/75697268/keycloak-on-azure-to-postgresql-certificates-do-not-conform-to-algorithm-constr
https://github.com/keycloak/keycloak/issues/17320#issuecomment-1461573077
These links says it's due to the postgres database using the older SHA1 algorithm, some give a workaround but none of them seem to make Postgresql flexible server work with the newer algorithm.
Can someone tell me how I can change the algorithm for postgres flexible server? I have tried appending &ssl_min_protocol_version=TLSv1.3 to the jdbc connection string, but it does not seem to work.
my connection string is: jdbc:postgresql://<postgresservername>.postgres.database.azure.com:5432/keycloak?sslmode=require&ssl_min_protocol_version=TLSv1.3
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 96%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
This effectively means that the flexible server cannot be used for keycloak. That is problematic IMO.
Has there been created a request on Azure Feedback as suggested in the answer?
@jesper I did manage to get this to work by downloading the DigiCert Global Root CA from this page: https://video2.skills-academy.com/en-us/azure/postgresql/flexible-server/how-to-connect-tls-ssl
I renamed it to AzurePostgres.crt in and put it in the 'docker' folder (from where my dockerfile is located). Then I added this to my dockerfile
COPY docker/AzurePostgres.crt /opt/keycloak/.postgresql/root.crt
The connection string parameters I use is ?sslmode=verify-full&ssl_min_protocol_version=TLSv1.3
Full dockerfile example I use to host keycloak in an azure app service:
# https://www.keycloak.org/server/containers
FROM quay.io/keycloak/keycloak:21.1 as builder
# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
# Configure a database vendor
ENV KC_DB=postgres
WORKDIR /opt/keycloak
RUN /opt/keycloak/bin/kc.sh build --cache=ispn
FROM quay.io/keycloak/keycloak:21.1
COPY --from=builder /opt/keycloak/ /opt/keycloak/
COPY docker/AzurePostgres.crt /opt/keycloak/.postgresql/root.crt
ENV KC_DB=postgres
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
(You may want to change the version number to the latest, but I've tested this with 21.1).
(Any other environment variables are added in Azure AppSettings).
Currently it runs on one instance, I have yet to figure out how to add a keycloak cache stack for when we want to run this on multiple instances.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 31%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Is there any updates for this? Sha 1 certitifcates have been deprecated since 2021 (https://video2.skills-academy.com/en-us/lifecycle/announcements/sha-1-signed-content-retired)
Anything using Java 17 will not connect to a postgresql server using a sha1 certitifcate now.
@Hedgelot We understand that you are trying to use a newer algorithm with your Azure PostgreSQL flexible server but are encountering an error. We wanted to verify that the flexible server does indeed use the older SHA1 algorithm. At this time, there is not a way to update the algorithm to the newer SHA256 algorithm. The product group will need to make this change for customers. We invite you to create a feedback/product request over here on Azure Feedback to share your request and business justification so they can understand the ask. The product group watches the Azure Feedback site and should review your request. We appreciate your understanding.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 33%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
This is a stickling issue for us too (mysql flexi server) , we too notice flexi server does not work well with our keycloak deployment.
I would suggest azure to start supporting modern algo/ or let the algo to be changed.
Never had such issues with mysql stand alone or aurora or hosted mysql or most other hosted and cloud mysqls.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 54%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
I tried to add Azure Feedback but on https://feedbackportal.microsoft.com/feedback/ there is no Azure category.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 61%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Are there any updates regarding this issue? We run into the same problem using MySQL Flexible Server
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 81%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUK%3C/text%3E%3C/svg%3E)
This is a pressing issue, @brtrach-MSFT please talk to your product team internally (which I think should also be part of your job here) and make them aware, that your product (as Microsoft) essentially has a security vulnerability (see #Attacks in https://en.wikipedia.org/wiki/SHA-1) and also makes the service unusable for a vast amount of use cases.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 7.000000000000001%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
There was an announcement via mail to the users of PostgreSQL Flexible that the certificate will be changed in May 2024 and the new cert "Microsoft RSA Root Certificate Authority 2017" uses sha384.
https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
Also there is a feedback in the Azure Community here:
https://feedback.azure.com/d365community/idea/2cc1f0ed-1931-ee11-a81c-000d3ae37d1e
Action Required for Azure Database for PostgreSQL – Flexible Server to update your trusted root store, if you are doing certificate pinning
You're receiving this notice because you use Azure Database for PostgreSQL – Flexible Server
In May 2024, we’ll begin updating Azure Database for PostgreSQL Flexible Server to use TLS certificates from Microsoft RSA Root Certificate Authority 2017. If your apps use certificate pinning, you’ll need to update your trusted root store to accept this root CA in addition to existing DigiCert Global Root CA.
Required action
Please download Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA certificates from the following URI. Generate a combined CA certificate store with both DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 certificates are included. For Java (PostgreSQL JDBC) users using DefaultJavaSSLFactory, please use the following certificate:
keytool -importcert -alias PostgreSQLServerCACert2 -file D:\ Microsoft ECC Root Certificate Authority 2017.crt.pem -keystore truststore -storepass password -noprompt
Then replace the original keystore file with the new generated one:
System.setProperty("javax.net.ssl.trustStorePassword","password");
For .NET (Npgsql) users on Windows, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in Windows Certificate Store Trusted Root Certification Authorities. For .NET (Npgsql) users on Linux using SSL_CERT_DIR, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in the directory indicated by SSL_CERT_DIR. If any certificates don't exist, please create the missing certificate file. For other PostgreSQL client users, you can merge two CA certificate files like the following format:
(Root CA1: DigiCertGlobalRootCA.crt.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA2: Microsoft ECC Root Certificate Authority 2017.crt.pem)
-----END CERTIFICATE-----
Replace the original root CA pem file with the combined root CA file and restart your application/client.
If you’re using SSL/TLS, you don't need to restart the database server to start using the new root CA certificate. This is a client-side change, and the incoming client connections need to use the new certificate to ensure that they can connect to the database server. If you aren’t using SSL/TLS, you don’t need to update the root CA certificate and no further action is required. Action Required for Azure Database for PostgreSQL – Flexible Server to update your trusted root store, if you are doing certificate pinning
You're receiving this notice because you use Azure Database for PostgreSQL – Flexible Server
In May 2024, we’ll begin updating Azure Database for PostgreSQL Flexible Server to use TLS certificates from Microsoft RSA Root Certificate Authority 2017. If your apps use certificate pinning, you’ll need to update your trusted root store to accept this root CA in addition to existing DigiCert Global Root CA.
Required action
Please download Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA certificates from the following URI. Generate a combined CA certificate store with both DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 certificates are included. For Java (PostgreSQL JDBC) users using DefaultJavaSSLFactory, please use the following certificate:
Then replace the original keystore file with the new generated one:
System.setProperty("javax.net.ssl.trustStorePassword","password");
For .NET (Npgsql) users on Windows, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in Windows Certificate Store Trusted Root Certification Authorities. For .NET (Npgsql) users on Linux using SSL_CERT_DIR, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in the directory indicated by SSL_CERT_DIR. If any certificates don't exist, please create the missing certificate file. For other PostgreSQL client users, you can merge two CA certificate files like the following format:
(Root CA1: DigiCertGlobalRootCA.crt.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA2: Microsoft ECC Root Certificate Authority 2017.crt.pem)
-----END CERTIFICATE-----
Replace the original root CA pem file with the combined root CA file and restart your application/client.
If you’re using SSL/TLS, you don't need to restart the database server to start using the new root CA certificate. This is a client-side change, and the incoming client connections need to use the new certificate to ensure that they can connect to the database server. If you aren’t using SSL/TLS, you don’t need to update the root CA certificate and no further action is required.