[keycloak-user] How to configure an enterprise TLS secured mail server

Stian Thorgersen sthorger at redhat.com
Mon Nov 14 03:19:00 EST 2016


Adding to the JVM trust store should work and you can also configure a
separate trust store for Keycloak (check the installation guide).
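Both options Stian mentions end the same way: the JVM running WildFly must be able to build a PKIX path from the mail server's certificate to an anchor in whichever trust store it is using. The checker below is an added example, not Keycloak's or the list's own code; it assumes a host, a port and an optional JKS trust store path and password on the command line (`java SmtpStartTlsTrustCheck mail.example.com 587 [truststore.jks] [password]`, with a placeholder host name). It performs the same EHLO/STARTTLS upgrade that com.sun.mail.smtp.SMTPTransport.startTLS does in the trace, so it fails with the identical "PKIX path building failed" error until the issuing CA is in the trust store it was pointed at.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical stand-alone check: can this JVM validate the mail server's STARTTLS certificate?
public class SmtpStartTlsTrustCheck {
    // SSLContext backed by a JKS trust store; a null path means the JVM default (cacerts).
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        if (trustStorePath == null) return SSLContext.getDefault();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) { ks.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: we only verify the server
        return ctx;
    }
    // Minimal SMTP dialogue up to STARTTLS, then the same TLS upgrade that failed in the trace.
    static String handshake(String host, int port, SSLContext ctx) throws Exception {
        try (Socket plain = new Socket(host, port)) {
            BufferedReader in = new BufferedReader(new InputStreamReader(plain.getInputStream(), StandardCharsets.US_ASCII));
            Writer out = new OutputStreamWriter(plain.getOutputStream(), StandardCharsets.US_ASCII);
            expect(in, "220");                                  // server greeting
            out.write("EHLO trustcheck\r\n"); out.flush(); expect(in, "250");
            out.write("STARTTLS\r\n");        out.flush(); expect(in, "220");
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true);
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // check the host name too, not only the chain
            tls.setSSLParameters(params);
            tls.startHandshake(); // untrusted issuer -> SSLHandshakeException: PKIX path building failed
            return ((X509Certificate) tls.getSession().getPeerCertificates()[0]).getSubjectX500Principal().getName();
        }
    }
    // Read one SMTP reply (possibly multi-line) and require the given status code.
    static void expect(BufferedReader in, String code) throws IOException {
        String line;
        do {
            line = in.readLine();
            if (line == null || !line.startsWith(code)) throw new IOException("unexpected SMTP reply: " + line);
        } while (line.length() > 3 && line.charAt(3) == '-');
    }
    public static void main(String[] args) throws Exception {
        String store = args.length > 2 ? args[2] : null;
        char[] pw = args.length > 3 ? args[3].toCharArray() : null;
        System.out.println("TLS established with " + handshake(args[0], Integer.parseInt(args[1]), contextFor(store, pw)));
    }
}
```

Run it once without a trust store argument to test the JVM cacerts route, and once with the dedicated JKS you intend to reference from Keycloak's own trust store configuration; it also enforces host-name matching, so a pass means the certificate is trusted for that server name and not merely present in the store.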

On 14 Nov 2016 08:34, "Aritz Maeztu" <amaeztu at tesicnor.com> wrote:

> Hello everybody,
>
> I'm trying to configure Keycloak to send its e-mails using our company's
> e-mail server. I have no problem doing it using a simple configuration
> (just username and password, no encryption). However, our mail server
> accepts TLS and we do use a custom certificate for it, but I don't know
> how to make the Keycloak server trust it (I know I have to add it to the
> JVM trusted certificates, but how to do it in WildFly?). Every tutorial I
> read is for configuring WildFly itself to use the certificate and enable
> SSL, but in this case WildFly would be the client. That's the error I
> get while trying to send the e-mail (SSL handshake):
>
> 18:02:59,903 ERROR [org.keycloak.services] (default task-4) KC-SERVICES0088: Failed to send execute actions email: org.keycloak.email.EmailException: Failed to template email
>         at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
>         at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
>         at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:133)
>         at org.keycloak.services.resources.admin.UsersResource.executeActionsEmail(UsersResource.java:855)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Could not convert socket to TLS;
>   nested exception is:
>         javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:127)
>         at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
>         at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
>         ... 54 more
> Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
>   nested exception is:
>         javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2046)
>         at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:711)
>         at javax.mail.Service.connect(Service.java:366)
>         at javax.mail.Service.connect(Service.java:246)
>         at javax.mail.Service.connect(Service.java:267)
>         at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:120)
>         ... 56 more
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>         at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:598)
>         at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:525)
>         at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2041)
>         ... 61 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>         at sun.security.validator.Validator.validate(Validator.java:260)
>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
>         ... 71 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>         ... 77 more
>
>
> Any idea about this? Thanks!
>
>
> --
> Aritz Maeztu Otaño
> Software Development Department
> <https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
> <http://www.tesicnor.com>
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Tel. Aritz Maeztu: 948 68 03 06
> Tel. Secretary's office: 948 21 40 40
>
>
>

