[keycloak-user] How to configure an enterprise TLS secured mail server

Aritz Maeztu amaeztu at tesicnor.com
Mon Nov 14 02:32:17 EST 2016


Hello everybody,

I'm trying to configure Keycloak to send its e-mails using our company's 
e-mail server. I have no problem doing it using a simple configuration 
(just username and password, no encryption). However, our mail server 
accepts TLS and we use a custom certificate for it, but I don't know 
how to make the Keycloak server trust it (I know I have to add it to the 
JVM's trusted certificates, but how do I do that in WildFly?). Every tutorial I 
read is about configuring WildFly itself to use the certificate and enable 
SSL, but in this case WildFly would be the client. This is the error I 
get while trying to send the e-mail (SSL handshake):

18:02:59,903 ERROR [org.keycloak.services] (default task-4) KC-SERVICES0088: Failed to send execute actions email: org.keycloak.email.EmailException: Failed to template email
        at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
        at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
        at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:133)
        at org.keycloak.services.resources.admin.UsersResource.executeActionsEmail(UsersResource.java:855)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:127)
        at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
        at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
        ... 54 more
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2046)
        at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:711)
        at javax.mail.Service.connect(Service.java:366)
        at javax.mail.Service.connect(Service.java:246)
        at javax.mail.Service.connect(Service.java:267)
        at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:120)
        ... 56 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:598)
        at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:525)
        at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2041)
        ... 61 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
        ... 71 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
        ... 77 more


Any idea about this? Thanks!


-- 
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Reception: 948 21 40 40

Before printing this e-mail, consider whether it is really necessary: the 
environment is everyone's responsibility.
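The failure in the trace is the JVM's PKIX path builder finding no trust anchor for the mail server's certificate: the server's issuing CA is private, so it is not in the JVM's default `cacerts`. The script below is an added example, not code from the original post or from Keycloak or WildFly. It builds a throwaway private CA and a server certificate signed by it (constructed test data), reproduces the "no certification path" condition with `openssl verify`, shows the same check passing once the CA is the anchor, and then imports the CA into a JKS trust store with `keytool` and prints the `JAVA_OPTS` line for the JVM that runs WildFly. The host name `mail.example.internal`, the `changeit` password, the alias and the `$JBOSS_HOME/bin/standalone.conf` path are placeholders I assumed, not values from the post; `openssl` must be on PATH, `keytool` (from the JDK) is optional.

```shell
#!/bin/sh
# Added example, not code from the original post or from Keycloak/WildFly.
# Reproduces the JVM's "unable to find valid certification path" condition with
# a throwaway CA and server certificate, then builds the trust store a WildFly
# JVM needs. Assumes openssl on PATH; keytool (JDK) is optional. The host name,
# key-store password and install path are placeholders, not values from the post.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
MAIL_HOST="mail.example.internal"          # assumed SMTP host, for the cert CN

# Constructed test PKI: a private CA and a server certificate it has signed.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$MAIL_HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Same question the JVM's PKIXValidator asks: can a path be built from the
# server certificate to an anchor in the given trust store?
# $1 = PEM bundle of trust anchors, $2 = server certificate. Prints ok/untrusted.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# A trust store without the private CA: the state the stack trace shows.
untrusted_result() {
    : > "$WORK/empty-anchors.pem"
    verify_against "$WORK/empty-anchors.pem" "$WORK/server.pem"
}

# The same leaf with the issuing CA as anchor: the state we want the JVM in.
trusted_result() {
    verify_against "$WORK/ca.pem" "$WORK/server.pem"
}

# Import the CA certificate (not the leaf, so renewals keep working) into a JKS
# trust store for the JVM running WildFly. Prints the store path, or "skipped"
# when keytool is not installed or the import fails.
build_truststore() {
    store="$WORK/mail-truststore.jks"
    if command -v keytool >/dev/null 2>&1 &&
       keytool -importcert -noprompt -alias example-internal-ca \
           -file "$WORK/ca.pem" -keystore "$store" -storepass changeit \
           >/dev/null 2>&1; then
        echo "$store"
    else
        echo skipped
    fi
}

# The line for $JBOSS_HOME/bin/standalone.conf (assumed path). Caution: these
# properties replace the JVM's default cacerts instead of extending it, so either
# import the public CAs you also need, or import the CA into cacerts itself.
java_opts_line() {
    printf 'JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=changeit"\n' "$1"
}

make_test_pki
echo "anchors missing: $(untrusted_result)"
echo "CA as anchor:    $(trusted_result)"
STORE="$(build_truststore)"
[ "$STORE" = skipped ] || java_opts_line "$STORE"

# Against the real server (not run here), confirm the chain it presents
# verifies with the CA you imported; "Verify return code: 0 (ok)" is the target:
#   openssl s_client -starttls smtp -connect mail.example.internal:587 \
#       -CAfile ca.pem </dev/null
```

Two caveats a practitioner should keep in mind. The `openssl s_client -starttls smtp` check at the end also shows whether the server sends its intermediate certificates; if it only sends the leaf, the JVM needs the intermediate as well as the root in its trust store, or the server configuration needs fixing. And do not work around the handshake error by disabling certificate verification on the mail client: without it, credentials sent to the SMTP server can be captured by anyone who can interpose on the connection.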
