[keycloak-user] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Guus der Kinderen
guus.der.kinderen at gmail.com
Fri Apr 8 01:31:30 EDT 2016
And, to be clear: the implied solution: you should add the certificate from
Komodo's CA (you can probably download it from Komodo) to that trust store.
- Guus
On 8 April 2016 at 07:28, Guus der Kinderen <guus.der.kinderen at gmail.com>
wrote:
> Hello Juan Diego,
>
> I think you are right. Java probably does not recognize Komodo as a valid
> certificate authority.
>
> Java keeps certificates of CAs in a keystore (a 'trust store' - a store of
> certificates from authorities that are to be trusted). The Komodo
> certificate that is part of your chain is probably not in them).
>
> I'm quite new to Keycloak, and I'm not sure if Keycloak uses the default
> keystores that ship with any version of Java, or uses it's own set. Perhaps
> the Keycloak documentation gives you a hint to that effect.
>
> I hope this helps. Regards,
>
> Guus
>
> On 8 April 2016 at 01:25, Juan Diego <juandiego83 at gmail.com> wrote:
>
>> I installed a keycloak server on amazon and bought a cert from Komodo.
>> And I was testing my app from my localhost, so my webapp in jsf is supposed
>> to log against that server and it seems to work. I modified my web.xml so
>> the loign-config uses keycloak.
>>
>> I thought my localserver ssl was the problem but I disabled
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>
>> But I got the same error.
>>
>> 17:49:20,443 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
>> (default task-49) failed to turn code into token:
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>> at
>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>> at
>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>> at
>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>> at
>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>> at
>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>> at
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
>> at
>> org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
>> at
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
>> at
>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>> at
>> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>> at
>> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>> at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>> at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>> at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>> at
>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>> at
>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
>> at
>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
>> at
>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
>> at
>> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>> at
>> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>> at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>> at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>> at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>> at
>> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>> at
>> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>> at
>> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>> at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>> at
>> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>> at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>> at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at
>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at
>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
>> to find valid certification path to requested target
>> at
>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>> at
>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>> at sun.security.validator.Validator.validate(Validator.java:260)
>> at
>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>> at
>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>> at
>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>> at
>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
>> ... 56 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> at
>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>> at
>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> at
>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>> ... 62 more
>>
>>
>> For what I understand it is because my java doesnt perceives my Cert as a
>> proper CA signed cert.
>>
>> Thanks,
>>
>> Juan diego
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160408/924a55f2/attachment.html
More information about the keycloak-user
mailing list