[keycloak-user] Add CA certificates for LDAPS ?
Meissa M'baye Sakho
msakho at redhat.com
Mon Nov 12 04:47:03 EST 2018
Hi Mathieu, I finally managed to see the certificates in the jks store.
I need to defind the outgoing https request and the truststore password is
required.
Did you find a way to get the truststore password?
Meissa
Le ven. 9 nov. 2018 à 10:18, Meissa M'baye Sakho <msakho at redhat.com> a
écrit :
> Hi Mathieu,
> Regarding your statement below:
> - *The X509_CA_BUNDLE env variable thing (It's running in a container), I
> can see the certificates in the JKS store *
> Could you please tell me how you managed to see the certificates in the
> JKS store?
> Regards,
> Meissa
>
> Le mar. 6 nov. 2018 à 14:50, Meissa M'baye Sakho <msakho at redhat.com> a
> écrit :
>
>> My LDAPS configuration did also work fine with keycloak 3.3.5 docker image
>> My question was related to the The X509_CA_BUNDLE env variable that
>> comes with the keycloak 4.4.x docker image.
>> I would like to use it and wanted to know if it work.
>> Do I understand that it's working fine for you Mathieu?
>> Meissa
>>
>> Le lun. 5 nov. 2018 à 12:17, Mathieu Poussin <me at mpouss.in> a écrit :
>>
>>> I confirm this fixed the issue :)
>>>
>>> So simple that I didn't think about it...
>>>
>>> Thank you
>>>
>>> ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt at acutus.pro>
>>> wrote ----
>>> > Mathieu, Meissa,
>>> >
>>> > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml
>>> instead of standalone.xml by default. I guess this is why your truststore
>>> settings are being ignored.
>>> >
>>> > I've also tested Keycloak + LDAP + self-signed cert + truststore on a
>>> non-Docker deployment - it works pretty well, so definitely not a Keycloak
>>> bug per se.
>>> >
>>> > Good luck!
>>> > Dmitry Telegin
>>> > CTO, Acutus s.r.o.
>>> > Keycloak Consulting and Training
>>> >
>>> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>> > +42 (022) 888-30-71
>>> > E-mail: info at acutus.pro
>>> >
>>> > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
>>> > > Hello Mathieu,
>>> > > did you manage to make it work?
>>> > > If yes, could you tell me how?
>>> > > Meissa
>>> > >
>>> > > > Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me at mpouss.in> a
>>> écrit :
>>> > >
>>> > > > Hello Marek.
>>> > > >
>>> > > > I've done that already but looks like it is completely ignored.
>>> > > > I have my custom truststore that have all my CA certificates (2),
>>> but I'm
>>> > > > still seeing the same issue. (SPI is enabled on the LDAPS
>>> settings on the
>>> > > > admin)
>>> > > > Is there a way to make sure it has been loaded correctly? (I
>>> don't see any
>>> > > > error when the application starts but it's not working as
>>> expected)
>>> > > >
>>> > > > Thanks.
>>> > > > Mathieu
>>> > > >
>>> > > >
>>> > > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
>>> > > > mposolda at redhat.com> wrote ----
>>> > > > > You can configure the Truststore SPI, which is mentioned in
>>> our docs
>>> > > > > here:
>>> > > > >
>>> > > >
>>> https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>>> > > > >
>>> > > > > Some additional notes around LDAP are here:
>>> > > > >
>>> > > >
>>> https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
>>> > > > >
>>> > > > > Marek
>>> > > > >
>>> > > > >
>>> > > > > On 01/10/18 13:27, Mathieu Poussin wrote:
>>> > > > > > Hello.
>>> > > > > >
>>> > > > > > What would be the recommended way to add a custom CA
>>> certificates ?
>>> > > > The documentation has a lot of different ways and so far none of
>>> them
>>> > > > worked :
>>> > > > > >
>>> > > > > > - The X509_CA_BUNDLE env variable thing (It's running in a
>>> > > > container), I can see the certificates in the JKS store but
>>> looks like
>>> > > > they are completely ignored by the app server.
>>> > > > > > - Added custom SPI to load a custom JKS store, same, no
>>> error at
>>> > > > server start but they are completely ignored by the app server.
>>> > > > > >
>>> > > > > > This is the error I am getting :
>>> > > > > >
>>> > > > > > Caused by: sun.security.validator.ValidatorException: PKIX
>>> path
>>> > > > building failed:
>>> > > > sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find
>>> > > > valid certification path to requested target
>>> > > > > > at
>>> > > >
>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>>> > > > > > at
>>> > > >
>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>>> > > > > > at
>>> > > > sun.security.validator.Validator.validate(Validator.java:262)
>>> > > > > > at
>>> > > >
>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>
>>> > > >
>>> > > > > > at
>>> > > >
>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>>
>>> > > >
>>> > > > > > at
>>> > > >
>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>
>>> > > >
>>> > > > > > at
>>> > > >
>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>>>
>>> > > >
>>> > > > > > ... 99 more
>>> > > > > > Caused by:
>>> > > > sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find
>>> > > > valid certification path to requested target
>>> > > > > > at
>>> > > >
>>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>>
>>> > > >
>>> > > > > > at
>>> > > >
>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>>
>>> > > >
>>> > > > > > at
>>> > > >
>>> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>> > > > > > at
>>> > > >
>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>>> > > > > > ... 105 more
>>> > > > > >
>>> > > > > >
>>> > > > > > Another option would be to disable certificate verification
>>> on LDAPS
>>> > > > as it's a trusted environment (last resort but well so far
>>> nothing else
>>> > > > worked), would there be a way to do that?
>>> > > > > > Connecting over LDAP is not an option a this prevent some
>>> features to
>>> > > > work like password reset.
>>> > > > > >
>>> > > > > > Thanks.
>>> > > > > >
>>> > > > > >
>>> > > > > > _______________________________________________
>>> > > > > > keycloak-user mailing list
>>> > > > > > keycloak-user at lists.jboss.org
>>> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > > > >
>>> > > > >
>>> > > > >
>>> > > >
>>> > > >
>>> > > > _______________________________________________
>>> > > > keycloak-user mailing list
>>> > > > keycloak-user at lists.jboss.org
>>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > > >
>>> > >
>>> > > _______________________________________________
>>> > > keycloak-user mailing list
>>> > > keycloak-user at lists.jboss.org
>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>>
>>>
More information about the keycloak-user
mailing list