[keycloak-user] Add CA certificates for LDAPS ?

Meissa M'baye Sakho msakho at redhat.com
Fri Nov 9 04:18:24 EST 2018 

Hi Mathieu,
Regarding your statement below:
- *The X509_CA_BUNDLE env variable thing (It's running in a container), I
can see the certificates in the JKS store *
Could you please tell me how you managed to see the certificates in the JKS
store?
Regards,
Meissa

Le mar. 6 nov. 2018 à 14:50, Meissa M'baye Sakho <msakho at redhat.com> a
écrit :

> My LDAPS configuration did also work fine with keycloak 3.3.5 docker image
> My question was related to the The X509_CA_BUNDLE env variable that comes
> with the keycloak 4.4.x docker image.
> I would like to use it and wanted to know if it work.
> Do I understand that it's working fine for you Mathieu?
> Meissa
>
> Le lun. 5 nov. 2018 à 12:17, Mathieu Poussin <me at mpouss.in> a écrit :
>
>> I confirm this fixed the issue :)
>>
>> So simple that I didn't think about it...
>>
>> Thank you
>>
>>  ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt at acutus.pro>
>> wrote ----
>>  > Mathieu, Meissa,
>>  >
>>  > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml
>> instead of standalone.xml by default. I guess this is why your truststore
>> settings are being ignored.
>>  >
>>  > I've also tested Keycloak + LDAP + self-signed cert + truststore on a
>> non-Docker deployment - it works pretty well, so definitely not a Keycloak
>> bug per se.
>>  >
>>  > Good luck!
>>  > Dmitry Telegin
>>  > CTO, Acutus s.r.o.
>>  > Keycloak Consulting and Training
>>  >
>>  > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>  > +42 (022) 888-30-71
>>  > E-mail: info at acutus.pro
>>  >
>>  > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
>>  > > Hello Mathieu,
>>  > > did you manage to make it work?
>>  > > If yes, could you tell me how?
>>  > > Meissa
>>  > >
>>  > > > Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me at mpouss.in> a
>> écrit :
>>  > >
>>  > > > Hello Marek.
>>  > > >
>>  > > > I've done that already but looks like it is completely ignored.
>>  > > > I have my custom truststore that have all my CA certificates (2),
>> but I'm
>>  > > > still seeing the same issue. (SPI is enabled on the LDAPS settings
>> on the
>>  > > > admin)
>>  > > > Is there a way to make sure it has been loaded correctly? (I don't
>> see any
>>  > > > error when the application starts but it's not working as
>> expected)
>>  > > >
>>  > > > Thanks.
>>  > > > Mathieu
>>  > > >
>>  > > >
>>  > > >  ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
>>  > > > mposolda at redhat.com> wrote ----
>>  > > >  > You can configure the Truststore SPI, which is mentioned in our
>> docs
>>  > > >  > here:
>>  > > >  >
>>  > > >
>> https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>>  > > >  >
>>  > > >  > Some additional notes around LDAP are here:
>>  > > >  >
>>  > > >
>> https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
>>  > > >  >
>>  > > >  > Marek
>>  > > >  >
>>  > > >  >
>>  > > >  > On 01/10/18 13:27, Mathieu Poussin wrote:
>>  > > >  > > Hello.
>>  > > >  > >
>>  > > >  > > What would be the recommended way to add a custom CA
>> certificates ?
>>  > > > The documentation has a lot of different ways and so far none of
>> them
>>  > > > worked :
>>  > > >  > >
>>  > > >  > > - The X509_CA_BUNDLE env variable thing (It's running in a
>>  > > > container), I can see the certificates in the JKS store  but looks
>> like
>>  > > > they are completely ignored by the app server.
>>  > > >  > > - Added custom SPI to load a custom JKS store, same, no error
>> at
>>  > > > server start but they are completely ignored by the app server.
>>  > > >  > >
>>  > > >  > > This is the error I am getting :
>>  > > >  > >
>>  > > >  > > Caused by: sun.security.validator.ValidatorException: PKIX
>> path
>>  > > > building failed:
>>  > > > sun.security.provider.certpath.SunCertPathBuilderException: unable
>> to find
>>  > > > valid certification path to requested target
>>  > > >  > >          at
>>  > > >
>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>>  > > >  > >          at
>>  > > >
>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>>  > > >  > >          at
>>  > > > sun.security.validator.Validator.validate(Validator.java:262)
>>  > > >  > >          at
>>  > > >
>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>
>>  > > >
>>  > > >  > >          at
>>  > > >
>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>
>>  > > >
>>  > > >  > >          at
>>  > > >
>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>
>>  > > >
>>  > > >  > >          at
>>  > > >
>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>>
>>  > > >
>>  > > >  > >          ... 99 more
>>  > > >  > > Caused by:
>>  > > > sun.security.provider.certpath.SunCertPathBuilderException: unable
>> to find
>>  > > > valid certification path to requested target
>>  > > >  > >          at
>>  > > >
>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>
>>  > > >
>>  > > >  > >          at
>>  > > >
>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>
>>  > > >
>>  > > >  > >          at
>>  > > > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>  > > >  > >          at
>>  > > >
>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>>  > > >  > >          ... 105 more
>>  > > >  > >
>>  > > >  > >
>>  > > >  > > Another option would be to disable certificate verification
>> on LDAPS
>>  > > > as it's a trusted environment (last resort but well so far nothing
>> else
>>  > > > worked), would there be a way to do that?
>>  > > >  > > Connecting over LDAP is not an option a this prevent some
>> features to
>>  > > > work like password reset.
>>  > > >  > >
>>  > > >  > > Thanks.
>>  > > >  > >
>>  > > >  > >
>>  > > >  > > _______________________________________________
>>  > > >  > > keycloak-user mailing list
>>  > > >  > > keycloak-user at lists.jboss.org
>>  > > >  > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>  > > >  >
>>  > > >  >
>>  > > >  >
>>  > > >
>>  > > >
>>  > > > _______________________________________________
>>  > > > keycloak-user mailing list
>>  > > > keycloak-user at lists.jboss.org
>>  > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>  > > >
>>  > >
>>  > > _______________________________________________
>>  > > keycloak-user mailing list
>>  > > keycloak-user at lists.jboss.org
>>  > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>  >
>>
>>
>>

More information about the keycloak-user mailing list