[keycloak-user] Add CA certificates for LDAPS ?

Meissa M'baye Sakho msakho at redhat.com
Mon Nov 12 04:47:03 EST 2018


Hi Mathieu, I finally managed to see the certificates in the jks store.
I need to define the outgoing https request and the truststore password is
required.
Did you find a way to get the truststore password?
Meissa

On Fri, 9 Nov 2018 at 10:18, Meissa M'baye Sakho <msakho at redhat.com> wrote:

> Hi Mathieu,
> Regarding your statement below:
> - *The X509_CA_BUNDLE env variable thing (It's running in a container), I
> can see the certificates in the JKS store *
> Could you please tell me how you managed to see the certificates in the
> JKS store?
> Regards,
> Meissa
>
> On Tue, 6 Nov 2018 at 14:50, Meissa M'baye Sakho <msakho at redhat.com> wrote:
>
>> My LDAPS configuration also worked fine with the keycloak 3.3.5 docker image.
>> My question was related to the X509_CA_BUNDLE env variable that
>> comes with the keycloak 4.4.x docker image.
>> I would like to use it and wanted to know if it works.
>> Do I understand that it's working fine for you, Mathieu?
>> Meissa
>>
>> On Mon, 5 Nov 2018 at 12:17, Mathieu Poussin <me at mpouss.in> wrote:
>>
>>> I confirm this fixed the issue :)
>>>
>>> So simple that I didn't think about it...
>>>
>>> Thank you
>>>
>>>  ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt at acutus.pro> wrote ----
>>>  > Mathieu, Meissa,
>>>  >
>>>  > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml
>>> instead of standalone.xml by default. I guess this is why your truststore
>>> settings are being ignored.
>>>  >
>>>  > I've also tested Keycloak + LDAP + self-signed cert + truststore on a
>>> non-Docker deployment - it works pretty well, so definitely not a Keycloak
>>> bug per se.
>>>  >
>>>  > Good luck!
>>>  > Dmitry Telegin
>>>  > CTO, Acutus s.r.o.
>>>  > Keycloak Consulting and Training
>>>  >
>>>  > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>>  > +42 (022) 888-30-71
>>>  > E-mail: info at acutus.pro
>>>  >
>>>  > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
>>>  > > Hello Mathieu,
>>>  > > did you manage to make it work?
>>>  > > If yes, could you tell me how?
>>>  > > Meissa
>>>  > >
>>>  > > > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin <me at mpouss.in> wrote:
>>>  > >
>>>  > > > Hello Marek.
>>>  > > >
>>>  > > > I've done that already but looks like it is completely ignored.
>>>  > > > I have my custom truststore that has all my CA certificates (2), but I'm
>>>  > > > still seeing the same issue. (SPI is enabled on the LDAPS settings on the
>>>  > > > admin)
>>>  > > > Is there a way to make sure it has been loaded correctly? (I don't see any
>>>  > > > error when the application starts but it's not working as expected)
>>>  > > >
>>>  > > > Thanks.
>>>  > > > Mathieu
>>>  > > >
>>>  > > >
>>>  > > >  ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
>>>  > > >  > You can configure the Truststore SPI, which is mentioned in our docs
>>>  > > >  > here:
>>>  > > >  > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>>>  > > >  >
>>>  > > >  > Some additional notes around LDAP are here:
>>>  > > >  > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
>>>  > > >  >
>>>  > > >  > Marek
>>>  > > >  >
>>>  > > >  >
>>>  > > >  > On 01/10/18 13:27, Mathieu Poussin wrote:
>>>  > > >  > > Hello.
>>>  > > >  > >
>>>  > > >  > > What would be the recommended way to add custom CA certificates?
>>>  > > >  > > The documentation has a lot of different ways and so far none of
>>>  > > >  > > them worked:
>>>  > > >  > >
>>>  > > >  > > - The X509_CA_BUNDLE env variable thing (It's running in a
>>>  > > >  > > container), I can see the certificates in the JKS store but it
>>>  > > >  > > looks like they are completely ignored by the app server.
>>>  > > >  > > - Added custom SPI to load a custom JKS store, same, no error at
>>>  > > >  > > server start but they are completely ignored by the app server.
>>>  > > >  > >
>>>  > > >  > > This is the error I am getting :
>>>  > > >  > >
>>>  > > >  > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>  > > >  > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>>>  > > >  > >          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>>>  > > >  > >          at sun.security.validator.Validator.validate(Validator.java:262)
>>>  > > >  > >          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>  > > >  > >          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>>  > > >  > >          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>  > > >  > >          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>>>  > > >  > >          ... 99 more
>>>  > > >  > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>  > > >  > >          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>>  > > >  > >          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>>  > > >  > >          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>>  > > >  > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>>>  > > >  > >          ... 105 more
>>>  > > >  > >
>>>  > > >  > >
>>>  > > >  > > Another option would be to disable certificate verification on LDAPS
>>>  > > >  > > as it's a trusted environment (last resort, but well, so far nothing
>>>  > > >  > > else worked); would there be a way to do that?
>>>  > > >  > > Connecting over LDAP is not an option as this prevents some features
>>>  > > >  > > from working, like password reset.
>>>  > > >  > >
>>>  > > >  > > Thanks.
>>>  > > >  > >
>>>  > > >  > >
>>>  > > >  > > _______________________________________________
>>>  > > >  > > keycloak-user mailing list
>>>  > > >  > > keycloak-user at lists.jboss.org
>>>  > > >  > > https://lists.jboss.org/mailman/listinfo/keycloak-user


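Added example, not part of this thread and not Keycloak's own code. The thread turns on three things that are easy to get wrong: the truststore SPI has to be configured in the file the server really boots (standalone-ha.xml in the Docker image since 4.5.0, as Dmitry points out), the JKS it points at has to actually contain the CA chain, however it got there (a keytool import or the image's X509_CA_BUNDLE handling), and the only way to be sure is to look rather than wait for the PKIX "unable to find valid certification path" error. The Python script below does that offline: it reads the <spi name="truststore"> block in the layout the linked server-installation docs describe, lists every trusted certificate in the JKS by alias and SHA-256 fingerprint, verifies the keystore's integrity digest with the password the config hands to Keycloak, and flags hostname-verification-policy=ANY and disabled=true as settings that leave LDAPS unverified even though a truststore is "configured". It assumes the Sun/Oracle JKS file format (magic 0xFEEDFEED, a keyed SHA-1 digest over the whole file) and the keycloak-server:1.1 subsystem namespace; SAMPLE_CONFIG, SAMPLE_JKS, the aliases and the "DER" bytes are constructed for the example, not taken from any deployment. On the password question raised at the top of the thread: certificates in a JKS are stored in the clear, so listing them needs no password at all; the password only checks the trailing digest, so a wrong one is reported as a finding rather than blocking the listing.

```python
"""Pre-flight check for Keycloak's Truststore SPI (file provider) before trusting LDAPS.
Added example, not Keycloak project code: it assumes the <spi name="truststore"> layout from
the Keycloak docs and the Sun/Oracle JKS format; SAMPLE_CONFIG and SAMPLE_JKS are constructed."""
import hashlib
import io
import struct
import xml.etree.ElementTree as ET

KC_NS = "{urn:jboss:domain:keycloak-server:1.1}"
JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest

# Constructed keycloak-server subsystem fragment (this must sit in the file the server boots,
# standalone-ha.xml for the Docker image). Configured, but with the weak hostname policy ANY.
SAMPLE_CONFIG = """<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
  <spi name="truststore">
    <provider name="file" enabled="true">
      <properties>
        <property name="file" value="/opt/jboss/keycloak/standalone/configuration/truststore.jks"/>
        <property name="password" value="changeit"/>
        <property name="hostname-verification-policy" value="ANY"/>
        <property name="disabled" value="false"/>
      </properties>
    </provider>
  </spi>
</subsystem>"""

def truststore_spi_settings(config_xml):
    """Properties of the truststore SPI's file provider, or None if it is not configured."""
    for spi in ET.fromstring(config_xml).iter(KC_NS + "spi"):
        if spi.get("name") != "truststore":
            continue
        for prov in spi.findall(KC_NS + "provider"):
            if prov.get("name") == "file":
                props = {p.get("name"): p.get("value") for p in prov.iter(KC_NS + "property")}
                props["enabled"] = prov.get("enabled", "true")
                return props
    return None

def config_problems(props):
    """Settings that leave LDAPS effectively unverified although a truststore is present."""
    if props is None:
        return ["truststore SPI not configured in this file (the Docker image boots standalone-ha.xml)"]
    problems = []
    if props["enabled"].lower() != "true" or props.get("disabled", "false").lower() == "true":
        problems.append("truststore provider is disabled, so the truststore is ignored")
    if props.get("hostname-verification-policy", "WILDCARD").upper() == "ANY":
        problems.append("hostname-verification-policy=ANY: server name is not checked against the certificate")
    return problems

def _jutf(s):  # Java writeUTF: 2-byte big-endian length, then the UTF-8 bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def _jks_digest(password, body):  # keyed SHA-1 that closes a JKS file
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def build_jks(trusted, password):
    """Serialise a version-2 JKS holding only trustedCertEntry items; trusted = [(alias, der)]."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(trusted))
    for alias, der in trusted:
        body += struct.pack(">I", 2) + _jutf(alias) + struct.pack(">Q", 0)  # tag 2, alias, timestamp
        body += _jutf("X.509") + struct.pack(">I", len(der)) + der
    return body + _jks_digest(password, body)

def read_jks(data, password=None):
    """Return ([(alias, sha256_fingerprint)], integrity_ok). Certificates are stored in the clear,
    so listing needs no password; the password only verifies the trailing digest (None = unchecked)."""
    f = io.BytesIO(data)
    u32 = lambda: struct.unpack(">I", f.read(4))[0]
    jutf = lambda: f.read(struct.unpack(">H", f.read(2))[0]).decode("utf-8")
    magic, version, count = u32(), u32(), u32()
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    entries = []
    for _ in range(count):
        tag, alias, _ = u32(), jutf(), f.read(8)  # entry tag, alias, creation timestamp (unused)
        if tag != 2:  # tag 1 = private key entry, which has no business in a truststore
            raise ValueError("alias %r is not a trustedCertEntry" % alias)
        if version == 2:
            jutf()  # certificate type ("X.509"); version 1 files omit it
        entries.append((alias, hashlib.sha256(f.read(u32())).hexdigest()))
    body_len = f.tell()
    integrity_ok = None if password is None else f.read(20) == _jks_digest(password, data[:body_len])
    return entries, integrity_ok

def check_deployment(config_xml, jks_bytes):
    """Run both checks; the digest is verified with the password the config hands to Keycloak."""
    props = truststore_spi_settings(config_xml)
    problems = config_problems(props)
    entries, integrity_ok = read_jks(jks_bytes, (props or {}).get("password"))
    if not entries:
        problems.append("truststore contains no certificates")
    if integrity_ok is False:
        problems.append("JKS integrity digest does not match the configured password")
    return {"entries": entries, "integrity_ok": integrity_ok, "problems": problems}

# Constructed stand-ins for the two CA certificates (real DER would go here).
SAMPLE_JKS = build_jks([("corp-root-ca", b"\x30\x82\x01\x00root-ca-der"),
                        ("corp-issuing-ca", b"\x30\x82\x01\x00issuing-ca-der")], "changeit")
```

To run it against a real container, copy out the config file the server boots and the .jks its file property names, call check_deployment(open(cfg).read(), open(jks, "rb").read()), and compare the returned fingerprints with `openssl x509 -in ca.pem -noout -fingerprint -sha256` (or `keytool -list -v -keystore truststore.jks`) for each CA you expected to be imported. A CA missing from that list is the PKIX error waiting to happen; the fix is to import it, not to disable verification or drop hostname checking to ANY, which is why the script reports those settings as problems alongside a missing SPI block or a wrong password.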