Troubleshooting
1. Certificate Trust Issues
1.1. Firefox HSTS Cached Bad Certificate
Firefox continues to show a certificate error even after the certificate has been replaced.
Firefox caches HSTS (HTTP Strict Transport Security) settings, including certificate expectations.
- Close all Firefox windows
- Clear the Firefox cache and site data for the domain
- Or use a private/incognito window for testing
1.2. CA Not Trusted in Firefox
Firefox shows "SEC_ERROR_UNKNOWN_ISSUER" even though the CA is in the system trust store.
Firefox uses its own certificate store, separate from the system store.
Import the CA certificate into Firefox:
- Settings → Privacy & Security → View Certificates
- Authorities tab → Import
- Select DOMUS-ROOT-CA.pem
- Check "Trust this CA to identify websites"
1.3. Browser Shows "Domain Name Does Not Match"
The browser displays a certificate warning even though the certificate is signed by a trusted CA.
The certificate is missing a Subject Alternative Name (SAN); browsers no longer accept the Common Name alone.
Regenerate certificate with SAN via Vault PKI:
vault write pki_int/issue/domus-server \
    common_name="hostname.inside.domusdigitalis.dev" \
    alt_names="hostname" \
    ttl="8760h"
2. SAML Authentication Errors
2.1. "Invalid Request" from Keycloak
After clicking Log In with Keycloak, the browser shows "Invalid Request".
The Entity ID (Client ID) in Keycloak doesn’t match what ISE sends.
ISE uses the format CiscoISE/<uuid>, NOT ise-01.inside.domusdigitalis.dev.
- Export the ISE SP metadata
- Find the entityID attribute
- Update the Keycloak client ID to match it exactly
2.2. "Invalid redirect uri" from Keycloak
After Keycloak authentication, the browser shows "Invalid redirect uri".
ISE sends Assertion Consumer Service URL with port 8443, but Keycloak’s Valid Redirect URIs don’t include the port.
In Keycloak, update Valid redirect URIs to:
https://ise-01.inside.domusdigitalis.dev:8443/*
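The two mismatches in 2.1 and 2.2 can be checked from the SP metadata before touching Keycloak. The script below is an added example, not part of this page or of ISE/Keycloak: it parses an ISE SP metadata export (a constructed sample; the UUID and the ACS path are placeholders), extracts the entityID and the AssertionConsumerService Location, and compares them with the Keycloak Client ID and Valid Redirect URIs using Keycloak's trailing-wildcard matching.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of an ISE SP metadata export (not a real export);
# the UUID and the ACS path are placeholder values.
ISE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="CiscoISE/11111111-2222-3333-4444-555555555555">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise-01.inside.domusdigitalis.dev:8443/portal/SSOLoginResponse.action"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_sp_metadata(xml_text):
    """Return (entityID, [ACS Location URLs]) from SAML 2.0 SP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.attrib["entityID"]
    acs_urls = [el.attrib["Location"]
                for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    return entity_id, acs_urls

def redirect_uri_allowed(url, patterns):
    """Keycloak semantics: exact match, or prefix match when the pattern ends in '*'."""
    return any(url.startswith(p[:-1]) if p.endswith("*") else url == p for p in patterns)

def check_keycloak_client(entity_id, acs_urls, client_id, valid_redirect_uris):
    """Compare SP metadata with Keycloak client settings; an empty list means consistent."""
    findings = []
    if client_id != entity_id:
        findings.append(f'Client ID {client_id!r} != SP entityID {entity_id!r} '
                        '(Keycloak answers "Invalid Request")')
    for url in acs_urls:
        if not redirect_uri_allowed(url, valid_redirect_uris):
            findings.append(f'ACS URL {url} not covered by Valid Redirect URIs '
                            f'{valid_redirect_uris} (Keycloak answers "Invalid redirect uri")')
    return findings

if __name__ == "__main__":
    entity_id, acs_urls = parse_sp_metadata(ISE_SP_METADATA)
    # Misconfigured client: hostname used as Client ID, redirect URI without the port.
    for line in check_keycloak_client(entity_id, acs_urls, "ise-01.inside.domusdigitalis.dev",
                                      ["https://ise-01.inside.domusdigitalis.dev/*"]):
        print(line)
```

Run it against the real export (replace ISE_SP_METADATA with the file contents) and both findings should disappear once the Client ID and the port in the redirect URI are corrected.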
2.3. "Access Denied" After Successful Authentication
The user logs in to Keycloak successfully, but ISE shows "Access denied".
ssh admin@ise-01
show logging application ise-psc.log tail | include SAML
Shows: SAML authentication failed: ISE group not configured for IDP group(s): [group-name]
- Check the exact group name in the log
- In ISE: Administration → Identity Management → External Identity Sources → SAML Id Providers → Groups
- Add a mapping with the exact group name
3. Keycloak Container Issues
3.1. H2 Database AccessDeniedException
ERROR: Failed to obtain JDBC connection
Caused by: java.nio.file.AccessDeniedException: /opt/keycloak/data/h2
Caused by running docker run … import with volume mounts while PostgreSQL is configured as the database.
Use the REST API import method instead. See Realm Management.
3.2. Container Won’t Start After Reboot
The container exits immediately after docker start keycloak.
SELinux context issues on Fedora/RHEL: the container is not allowed to read the mounted directory.
ssh keycloak-01 'sudo chcon -Rt svirt_sandbox_file_t /opt/keycloak'
ssh keycloak-01 'sudo docker start keycloak'
3.3. Certificate Permission Denied
java.io.FileNotFoundException: /opt/keycloak/conf/key.pem (Permission denied)
Incorrect ownership: the Keycloak container runs as UID 1000, so the files must be owned by that UID.
ssh keycloak-01 'cd /opt/keycloak/conf && \
sudo chown 1000:1000 cert.pem key.pem && \
sudo chmod 444 cert.pem && \
sudo chmod 400 key.pem && \
sudo chcon -t svirt_sandbox_file_t cert.pem key.pem'
4. Metadata Issues
4.1. ISE Cannot Fetch Keycloak Metadata
ISE shows error when importing IdP metadata URL.
Possible causes:
- ISE cannot reach Keycloak (firewall)
- ISE doesn't trust Keycloak's certificate
- Keycloak realm doesn't exist
Steps:
- Test connectivity from the ISE CLI:
ssh admin@ise-01 # Cannot curl from ISE CLI directly
- Import the CA into the ISE trust store: Administration → System → Certificates → Trusted Certificates
- Use file import instead of URL import
4.2. SAML Assertion Signature Invalid
ISE logs show "Invalid signature" or "Signature verification failed".
Possible causes:
- Keycloak signing certificate changed
- Metadata not updated after certificate change
- Clock skew between ISE and Keycloak
Steps:
- Re-import the Keycloak metadata in ISE
- Check NTP synchronization on both systems
- Verify the assertion lifespan (default 300 seconds)