[Hawkular-dev] https and accounts/keycloak

Juraci Paixão Kröhling jpkroehling at redhat.com
Mon Oct 12 04:48:55 EDT 2015 

I have an instance with TLS at https://hawkular.kroehling.de working, 
but I can't promise to keep it running 24x7 :) It's a bit old already 
(MS4, IIRC) , but the setup should not be too different between MS4 and MS5.

When setting it up, there were a few issues (like, using http by default 
in some components without the possibility of overriding it), but the UI 
worked fine once those were fixed and merged. Granted, I haven't tested 
*everything*, so, I can't say that it all worked :)

Anyway, about the error you are seeing: it seems like the certificate is 
missing from "some" keystore. Have you added the cert to the 
keycloak.jks keystore? There are a few Keycloak-specific steps that are 
required, documented here:

http://keycloak.github.io/docs/userguide/html_single/index.html#d4e336


- Juca.

On 10/10/2015 12:08 AM, John Mazzitelli wrote:
> I'm trying to figure out what does or does not work over HTTPS. So I configured kettle with my own self-signed keystore using these instructions:
>
> http://blog.eisele.net/2015/01/ssl-with-wildfly-8-and-undertow.html
>
> I can see the UI at https://localhost:8443 - I first had to tell Firefox to accept the certificate (so I know its really going over SSL). And the fact I can see the login screen tells me the SSL setup is OK and I'm able to access the UI over https. However, when I try to log in, I get an exception - and its a similar exception I get when the agent tries to call into kettle.
>
> Has anyone tried accessing kettle over https and have you seen any keycloak issues when doing so? (nudge, nudge, juca :-)
>
> Here's the exception I get when I try to log into the UI - I'm curious if there are other configuration settings we need to get HTTPS to work:
>
> 384109 [default task-21] ERROR io.undertow.request  - UT005023: Exception handling request to /hawkular/accounts/personas/current
> java.lang.RuntimeException: Unable to resolve realm public key remotely
> 	at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:134)
> 	at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:83)
> 	at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:71)
> 	at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:47)
> 	at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> 	at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> 	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
> 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
> 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:957)
> 	at sun.security.ssl.Handshaker.process_record(Handshaker.java:892)
> 	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> 	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> 	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
> 	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
> 	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
> 	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
> 	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
> 	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
> 	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
> 	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
> 	at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:105)
> 	... 16 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> 	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> 	at sun.security.validator.Validator.validate(Validator.java:260)
> 	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> 	... 35 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> 	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>

More information about the hawkular-dev mailing list