[keycloak-user] Add CA certificates for LDAPS ?

Mathieu Poussin me at mpouss.in
Mon Nov 5 06:17:18 EST 2018


I confirm this fixed the issue :)

So simple that I didn't think about it...

Thank you

 ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt at acutus.pro> wrote ---- 
 > Mathieu, Meissa, 
 >  
 > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml instead of standalone.xml by default. I guess this is why your truststore settings are being ignored. 
 >  
 > I've also tested Keycloak + LDAP + self-signed cert + truststore on a non-Docker deployment - it works pretty well, so definitely not a Keycloak bug per se. 
 >  
 > Good luck! 
 > Dmitry Telegin 
 > CTO, Acutus s.r.o. 
 > Keycloak Consulting and Training 
 >  
 > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic 
 > +42 (022) 888-30-71 
 > E-mail: info at acutus.pro 
 >  
 > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote: 
 > > Hello Mathieu, 
 > > did you manage to make it work? 
 > > If yes, could you tell me how? 
 > > Meissa 
 > >  
 > > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin <me at mpouss.in> wrote: 
 > >  
 > > > Hello Marek. 
 > > >  
 > > > I've done that already but looks like it is completely ignored. 
 > > > I have my custom truststore that has all my CA certificates (2), but I'm 
 > > > still seeing the same issue. (SPI is enabled on the LDAPS settings on the 
 > > > admin) 
 > > > Is there a way to make sure it has been loaded correctly? (I don't see any 
 > > > error when the application starts but it's not working as expected) 
 > > >  
 > > > Thanks. 
 > > > Mathieu 
 > > >  
 > > >  
 > > >  ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ---- 
 > > >  > You can configure the Truststore SPI, which is mentioned in our docs 
 > > >  > here: 
 > > >  > 
 > > >  > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore 
 > > >  > 
 > > >  > Some additional notes around LDAP are here: 
 > > >  > 
 > > >  > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl 
 > > >  > 
 > > >  > Marek 
 > > >  > 
 > > >  > 
 > > >  > On 01/10/18 13:27, Mathieu Poussin wrote: 
 > > >  > > Hello. 
 > > >  > > 
 > > >  > > What would be the recommended way to add custom CA certificates? 
 > > >  > > The documentation has a lot of different ways and so far none of them 
 > > >  > > worked: 
 > > >  > > 
 > > >  > > - The X509_CA_BUNDLE env variable thing (it's running in a 
 > > >  > > container); I can see the certificates in the JKS store, but it looks like 
 > > >  > > they are completely ignored by the app server. 
 > > >  > > - Added a custom SPI to load a custom JKS store; same, no error at 
 > > >  > > server start, but they are completely ignored by the app server. 
 > > >  > > 
 > > >  > > This is the error I am getting: 
 > > >  > > 
 > > >  > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
 > > >  > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) 
 > > >  > >          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) 
 > > >  > >          at sun.security.validator.Validator.validate(Validator.java:262) 
 > > >  > >          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) 
 > > >  > >          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) 
 > > >  > >          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) 
 > > >  > >          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) 
 > > >  > >          ... 99 more 
 > > >  > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
 > > >  > >          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) 
 > > >  > >          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) 
 > > >  > >          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) 
 > > >  > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) 
 > > >  > >          ... 105 more 
 > > >  > > 
 > > >  > > 
 > > >  > > Another option would be to disable certificate verification on LDAPS 
 > > >  > > as it's a trusted environment (last resort, but well, so far nothing else 
 > > >  > > worked); would there be a way to do that? 
 > > >  > > Connecting over LDAP is not an option as this prevents some features, 
 > > >  > > like password reset, from working. 
 > > >  > > 
 > > >  > > Thanks. 
 > > >  > > 
 > > >  > > 
 > > >  > > _______________________________________________ 
 > > >  > > keycloak-user mailing list 
 > > >  > > keycloak-user at lists.jboss.org 
 > > >  > > https://lists.jboss.org/mailman/listinfo/keycloak-user 
 > > >  > 
 > > >  > 
 > > >  > 
 > 
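Two checks that would have shortened this thread, added here as an example (not part of the list post, and not Keycloak's own tooling): does the CA bundle actually validate the LDAPS server's chain, and does the config file the server really boots (standalone-ha.xml in the 4.5+ Docker image) carry the truststore SPI block the docs describe? It assumes `openssl` on PATH; the test PKI and the config fragments are constructed inline, and the truststore path and password are placeholders.

```shell
# Added example (not from the thread): two offline checks for the problem above.
# (1) Does a CA bundle really validate the LDAPS server chain? No trusted anchor
#     is exactly what the JVM reports as "PKIX path building failed".
# (2) Does the config the server actually boots (standalone-ha.xml in the 4.5+
#     Docker image, not standalone.xml) carry the truststore SPI block?
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed test PKI: a private CA signing an LDAPS server cert, plus an
# unrelated CA standing in for a truststore that lacks our CA.
make_test_pki() {
  for ca in ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/ldap.pem" >/dev/null 2>&1
}
# verify_chain BUNDLE CERT -> "ok"/"untrusted"; -no-CApath ignores the system CA dir
verify_chain() {
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}
# Constructed stand-ins for standalone.xml (SPI block added, laid out as in the
# Keycloak docs) and standalone-ha.xml (left untouched). Values are placeholders.
printf '%s\n' '<spi name="truststore">' \
  '  <provider name="file" enabled="true">' \
  '    <properties>' \
  '      <property name="file" value="/path/to/truststore.jks"/>' \
  '      <property name="password" value="PLACEHOLDER"/>' \
  '    </properties>' \
  '  </provider>' \
  '</spi>' > "$WORK/standalone.xml"
: > "$WORK/standalone-ha.xml"
# truststore_spi_enabled FILE -> "configured" or "missing"
truststore_spi_enabled() {
  if grep -q '<spi name="truststore">' "$1" &&
     grep -q '<provider name="file" enabled="true">' "$1"
  then echo configured; else echo missing; fi
}
make_test_pki
echo "our CA bundle:       $(verify_chain "$WORK/ca.pem" "$WORK/ldap.pem")"
echo "unrelated CA bundle: $(verify_chain "$WORK/other-ca.pem" "$WORK/ldap.pem")"
echo "standalone.xml:      $(truststore_spi_enabled "$WORK/standalone.xml")"
echo "standalone-ha.xml:   $(truststore_spi_enabled "$WORK/standalone-ha.xml")"
```

Against a real deployment, point `verify_chain` at the bundle you loaded into the JKS and the certificate the LDAPS server presents, and `truststore_spi_enabled` at the `standalone*.xml` the container's JBoss command line actually names.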