sudo apt openssl

• Create a ssl certificade using openssl

openssl req -x509 -sha256 -days 365 -newkey rsa:4096 -keyout rootCA.key -out rootCA.crt -config san.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = California
L = San Francisco
O = My Company
CN = mydomain.com  # MUST match your domain

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydomain.com    # Domain name
IP.1 = 192.168.1.100    # Server IP

# Create private key
openssl genrsa -out domain.key 2048
# Create CSR
openssl req -new -key domain.key -out domain.csr -config san.cnf
# Sign with CA
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in eras.csr -out eras.crt -days 365 -CAcreateserial -extensions v3_req -extfile san.cnf

openssl x509 -in eras.crt -outform der -out eras.der

openssl pkcs12 -inkey eras.key -in eras.crt -export -out eras-backend.pfx

chmod 644 eras.key
chmod 644 eras.crt
chmod 644 eras-backend.pfx

server {
    listen 80;
    listen [::]:80;
    server_name localhost;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    
    root /usr/share/nginx/html;
    index index.html;
    
    location / {
        try_files $uri $uri/ /index.html;
    }
}

"options": {
    "outputPath": "dist/eras-fe",
    "index": "src/index.html",
    "baseHref": "/" // Add this line
}

export const environment = {
  production: false,
  apiUrl: 'your-api-url', //must be with https
  clientId: 'your-client-id-from-google-oauth',
  keycloak: {
    url: 'keycloak.server', ////must be with https
    realm: 'ERAS-realm',
    clientId: 'public-client'
  }
};

FROM nginx:alpine

COPY --from=build /app/dist/eras-fe /usr/share/nginx/html

# Expose ports
EXPOSE 80
EXPOSE 443

nginx:
    build:
      context: ./ERAS-FE
      dockerfile: Dockerfile.nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/ssl/certs/domain.crt:/etc/nginx/ssl/nginx.crt:ro
      - /etc/ssl/certs/domain.key:/etc/nginx/ssl/nginx.key:ro
      - /etc/nginx/conf.d/nginx.conf:/etc/nginx/conf.d/default.conf:ro
    depends_on:
      - frontend
      - backend
    networks:
      - eras_network

To enable HTTPS in your container, we need to generate an SSL/TLS certificate. In this case, we'll generate a self-signed certificate for development environments.

To enable HTTPS in your container, we need to generate an SSL/TLS certificate. In this case, we'll generate a self-signed certificate for development environments.

1- Open the terminal and run the following commands:

dotnet dev-certs https -ep ${HOME}/.aspnet/https/aspnetapp.pfx -p $CREDENTIAL_PLACEHOLDER$
dotnet dev-certs https --trust

• $CREDENTIAL_PLACEHOLDER$: Replace this with a password for the certificate.
• The first command generates the .pfx certificate file in the ~/.aspnet/https directory.
• The second command trusts the generated certificate on your local machine.

For Docker Compose to recognize and use the generated certificate, you need to create a docker-compose.yml file in the root of your project.

1- Create the docker-compose.yml file with the following content:

version: '3.4'

services:
  webapp:
    image: mcr.microsoft.com/dotnet/samples:aspnetapp
    ports:
      - "80:80"
      - "443:443"
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:443;http://+:80
      - KESTREL_CERTIFICATE_PASSWORD=password
      - KESTREL_CERTIFICATE_PATH=/https/aspnetapp.pfx
    volumes:
      - ~/.aspnet/https:/https:ro

• ASPNETCORE_Kestrel__Certificates__Default__Password=password: Replace this with the password you used to generate the certificate.
• ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx: Specifies the location of the certificate file inside the container.
• [Let's Encrypt](volumes: Maps the ~/.aspnet/https directory (where the certificate is stored) to /https inside the container, allowing the container to access the .pfx file.)

Modify the appsettings.json file to configure the Kestrel server:

"Kestrel": {
  "Endpoints": {
    "Https": {
      "Url": "https://localhost:5001",
      "Certificate": {
        "Path": "%KESTREL_CERTIFICATE_PATH%",
        "Password": "%KESTREL_CERTIFICATE_PASSWORD%"
      }
    }
  }
}

Then, update Program.cs:

var builder = WebApplication.CreateBuilder(args);

var certPath = Environment.GetEnvironmentVariable("KESTREL_CERTIFICATE_PATH");
var certPassword = Environment.GetEnvironmentVariable("KESTREL_CERTIFICATE_PASSWORD");

builder.WebHost.ConfigureKestrel(options =>
{
    options.ListenAnyIP(5001, listenOptions =>
    {
        if (!string.IsNullOrEmpty(certPath) && !string.IsNullOrEmpty(certPassword))
        {
            listenOptions.UseHttps(certPath, certPassword);
        }
        else
        {
 
        }
    });
});

var app = builder.Build();
app.Run();

• Redirect HTTP to HTTPS using middleware:

app.UseHttpsRedirection();

• Use HSTS (HTTP Strict Transport Security):

app.UseHsts();

• Use the SSL Labs Test (SSL Labs) to verify the SSL configuration.
• Check for certificate expiration and automate its renewal (e.g., using Certbot for Let's Encrypt).
• Monitor logs for security warnings and errors.

Following these steps ensures secure communication between backend services and clients. Proper SSL configuration in .NET helps prevent security breaches and ensures compliance with best security practices.

This article presents a detailed and tested guide for deploying a Keycloak server using Docker and SSL/TLS certificates generated by Let's Encrypt. The instructions are based on reliable sources and have been validated to ensure a successful process.

The guide was originally written in 2021 and updated in 2023. It is designed to streamline the configuration process and facilitate the creation of environments for demos, proofs of concept, or tests in production.

Before you begin, make sure you meet the following prerequisites:

• Operating System: Ubuntu 20.04 or later.
• DNS: Ensure you have a Fully Qualified Domain Name (FQDN) that is resolvable.
• Firewall Rules: Ensure the following ports are open:
  • 22 (SSH)
  • 443 (SSL/TLS)
  • 80 (HTTP)
• SSL/TLS Certificates with Let's Encrypt: To generate the certificates.

1. SSH to the Keycloak server: Connect to the Keycloak server.

2. Install Certbot: Run the following commands to install Certbot, the official Let's Encrypt tool.

   sudo snap install --classic certbot
   sudo ln -s /snap/bin/certbot /usr/bin/certbot

3. Generate the Certificate: Run the following command to generate the SSL/TLS certificates.

   sudo certbot certonly --standalone

   When finished, you will have the fullchain.pem (certificate) and privkey.pem (private key) files.

1. Configure the Docker repository: Update the package index and install the required packages to use repositories over HTTPS..

   sudo apt-get update
   sudo apt-get install ca-certificates curl gnupg

2. Add Docker's official GPG key: Install and configure the GPG key for Docker's repository.

   sudo install -m 0755 -d /etc/apt/keyrings
   curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
   sudo chmod a+r /etc/apt/keyrings/docker.gpg

3. Add Docker's repository: Configure the stable Docker repository.

   echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

4. Install Docker and Docker Compose: Install Docker and Docker Compose.

   sudo apt-get update
   sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

5. Start and configure Docker: Start Docker and configure it as a service.

   sudo systemctl start docker
   sudo useradd <username>
   sudo usermod -aG docker <username>
   sudo systemctl enable docker.service
   sudo systemctl enable containerd.service

6. Verify Docker installation:

   sudo docker version
   sudo docker compose version

1. Move the certificates: Copy the fullchain.pem and privkey.pem files to a location accessible by Docker, for example:

   mkdir -p /home/user/keycloak/certs
   cp /etc/letsencrypt/live/<your-domain>/fullchain.pem /home/user/keycloak/certs/
   cp /etc/letsencrypt/live/<your-domain>/privkey.pem /home/user/keycloak/certs/

2. Set permissions: Ensure Docker can access the certificate files.

   sudo chmod 655 /home/user/keycloak/certs/*

3. File Structure: The file structure should look like this:

   ├── keycloak.yml
   ├── certs
   │   ├── fullchain.pem  
   │   └── privkey.pem

Here is an example docker-compose.yml configuration:

version: '3'
services:
 keycloak:
   image: quay.io/keycloak/keycloak:latest
   container_name: keycloak
   restart: always
   ports:
     - 80:8080
     - 443:8443
   volumes:
     - ./certs/fullchain.pem:/etc/x509/https/tls.crt
     - ./certs/privkey.pem:/etc/x509/https/tls.key
   environment:
     - KEYCLOAK_ADMIN=admin
     - KEYCLOAK_ADMIN_PASSWORD=password
     - KC_HOSTNAME=<your-domain>
     - KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/tls.crt
     - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/tls.key
   command:
     - start-dev

1. Bring up the Keycloak container: Run the following command to start the Keycloak service using Docker Compose.

   sudo docker-compose -f keycloak.yml up

2. Verify the deployment:: Open a browser and navigate to https://. If everything is set up correctly, you should see the Keycloak admin interface.