ejbca ce helm chart - quickstart setup issue

[kuliktomas]

I am trying to setup ejbca-ce using the helm chart to run on kubernetes utilizing TLS passthrough on the ingress controller. However it seems the server does not serve the generated quickstart certificate.

here are the important bits from my helm chart

env:
TLS_SETUP_ENABLED: "true"
services:

recommended

proxyHttp:
enabled: false
type: ClusterIP
bindIP: 0.0.0.0
httpPort: 8081
httpsPort: 8082
proxyAJP:
enabled: false
type: ClusterIP
bindIP: 0.0.0.0
port: 8009

not recommended, should only be used for debugging purpose

directHttp:
enabled: true
type: ClusterIP
httpPort: 8080
httpsPort: 8443

Extra sidecar ports to be

note that the management ca and the quickstart certificate are generated, I have checked the jks that gets created in /mnt/persistent... and there is the new management CA and a quickstart cert and its private key. The log shows the inital enrollment code to get the superadmin certificate as I would expect

2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) **********************************************************************************************************
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * A fresh installation was detected and a ManagementCA was created for your initial *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * administration of the system. *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * Initial SuperAdmin client certificate enrollment URL (adapt port to your mapping): *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * URL: https://ejbca-ce-66546958c-x5dvx:443/ejbca/ra/enrollwithusername.xhtml?username=superadmin *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * Password: VJkY/vMo5YLTZHXqSGU8LbWh *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * Once the P12 is downloaded, use "VJkY/vMo5YLTZHXqSGU8LbWh" to import it. *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) * *
2025-11-18 11:51:48,505+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1)

---

Then I establish port forwarding to connect directly

kubectl port-forward pod/ejbca-ce-66546958c-x5dvx 8888:8443 -n ejbca-ce

but utilizing firefox get

So I use openssl s_client to check the issue and get

openssl s_client -connect 127.0.0.1:8888 -showcerts

CONNECTED(00000003)
4027AA45AD7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:316:

no peer certificate available

No client certificate CA names sent
Server Temp Key: X25519, 253 bits

SSL handshake has read 127 bytes and written 304 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

which suggests the server is not providing any certificate. Interestingly if I mount an external keystore via /mnt/external/secrets/tls/ks I can connect to the application without any issue and the server is serving the certificate provided in the external keystore. Any help is greatly appreciated.

[kuliktomas]

ugh, here are the values helm without comments as markdown really butchered it :)

services:

proxyHttp:
enabled: false
type: ClusterIP
bindIP: 0.0.0.0
httpPort: 8081
httpsPort: 8082
proxyAJP:
enabled: false
type: ClusterIP
bindIP: 0.0.0.0
port: 8009

directHttp:
enabled: true
type: ClusterIP
httpPort: 8080
httpsPort: 8443

Also s_client output without block separators

openssl s_client -connect 127.0.0.1:8888 -showcerts

CONNECTED(00000003)
4027AA45AD7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:316:

no peer certificate available

No client certificate CA names sent
Server Temp Key: X25519, 253 bits

SSL handshake has read 127 bytes and written 304 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

[kuliktomas]

The issue was I kept APPSERVER_KEYSTORE_SECRET variable set to password to my externally mounted keystory even when not providing it. It seems that setting importAppserverKeystore: false would still use the password given in the APPSERVER_KEYSTORE_SECRET for the autogenerated keystore, which of course does not match.