[keycloak-user] Unable to verify Google certificate during reCaptcha verification

G. Allegri giohappy at gmail.com
Tue Jun 5 09:22:19 EDT 2018


Hi,

I've configured Recaptcha for the registration form. It appears and works
fine from the browser side, but Keycloak cannot access the verification URL
[1] because the SSL Java chain cannot verify the certificate.
I've followed the guide in the docs [2] to configure the TrustStore (in
standalone mode), after having created the truststore and imported the
Google cert. I've verified that keytool lists the Google certificate
correctly, and I've double-checked file paths and password, but I keep
receiving the following exception:

2018-06-05 13:06:35,921 ERROR [org.keycloak.services] (default task-9)
KC-SERVICES0028: Recaptcha failed: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        (...)

I've also tried to set -Djavax.net.ssl.trustStore=<path to my truststore>
when I launch standalone.sh, but that doesn't work either.

Am I missing something or am I doing something wrong?

Thanks,
Giovanni

[1]
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java#L140
[2]
https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore

