[keycloak-user] Add CA certificates for LDAPS ?

Dmitry Telegin dt at acutus.pro
Wed Oct 31 16:33:46 EDT 2018


Mathieu, Meissa,

Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml instead of standalone.xml by default. I guess this is why your truststore settings are being ignored.

I've also tested Keycloak + LDAP + self-signed cert + truststore on a non-Docker deployment - it works pretty well, so definitely not a Keycloak bug per se.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
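To check the point above (the image boots a different profile from the one that was edited), here is an added example, not code from the thread or the Keycloak project: it parses both WildFly profiles and reports whether the one the Docker image actually boots carries an enabled Truststore SPI. The version threshold comes from this thread; the namespace version, keystore path and the two sample profiles are constructed assumptions, and the property names are the ones documented for the file provider.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the XML namespace so any keycloak-server subsystem version matches."""
    return tag.rsplit('}', 1)[-1]

def truststore_spi(xml_text):
    """Return the properties of the enabled 'truststore' provider in a WildFly
    profile (standalone*.xml), or None if the profile configures none."""
    root = ET.fromstring(xml_text)
    for spi in root.iter():
        if _local(spi.tag) == 'spi' and spi.get('name') == 'truststore':
            for prov in spi:
                if _local(prov.tag) == 'provider' and prov.get('enabled') == 'true':
                    return {p.get('name'): p.get('value')
                            for p in prov.iter() if _local(p.tag) == 'property'}
    return None

def active_profile(keycloak_version):
    """Profile the Docker image boots by default; per the thread, 4.5.0 and
    later use standalone-ha.xml (assumed here to hold for all later versions)."""
    parts = tuple(int(x) for x in keycloak_version.split('.')[:3]) + (0, 0, 0)
    return 'standalone-ha.xml' if parts >= (4, 5, 0) else 'standalone.xml'

def diagnose(keycloak_version, profiles):
    """profiles maps filename -> XML text. Returns (ok, explanation)."""
    name = active_profile(keycloak_version)
    if name not in profiles:
        return False, f'{name} not found among the profiles given'
    props = truststore_spi(profiles[name])
    if props is None:
        return False, f'{name} is the active profile but has no enabled truststore SPI'
    if props.get('disabled') == 'true':
        return False, f'truststore SPI in {name} is present but disabled=true'
    if not props.get('file'):
        return False, f'truststore SPI in {name} names no keystore file'
    return True, f'{name} loads {props["file"]} (hostname policy {props.get("hostname-verification-policy", "default")})'

# Constructed sample profiles, not real Keycloak files: the operator edited
# standalone.xml, but a 4.5 image boots standalone-ha.xml, which has no SPI.
NS = 'urn:jboss:domain:keycloak-server:1.1'
WITH_SPI = f'''<server><profile><subsystem xmlns="{NS}">
  <spi name="truststore"><provider name="file" enabled="true"><properties>
    <property name="file" value="/opt/jboss/keycloak/ca.jks"/>
    <property name="password" value="changeit"/>
    <property name="hostname-verification-policy" value="WILDCARD"/>
    <property name="disabled" value="false"/>
  </properties></provider></spi></subsystem></profile></server>'''
NO_SPI = f'<server><profile><subsystem xmlns="{NS}"/></profile></server>'
PROFILES = {'standalone.xml': WITH_SPI, 'standalone-ha.xml': NO_SPI}
```

Run `diagnose('4.5.0', PROFILES)` against the real files under `standalone/configuration/` to see which profile is silently ignoring the edit.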

On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
> Hello Mathieu,
> did you manage to make it work?
> If yes, could you tell me how?
> Meissa
> 
> > > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin <me at mpouss.in> wrote:
> 
> > Hello Marek.
> > 
> > I've done that already but looks like it is completely ignored.
> > I have my custom truststore that has all my CA certificates (2), but I'm
> > still seeing the same issue. (SPI is enabled in the LDAPS settings in the
> > admin console.)
> > Is there a way to make sure it has been loaded correctly? (I don't see any
> > error when the application starts but it's not working as expected)
> > 
> > Thanks.
> > Mathieu
> > 
> > 
> >  ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
> > mposolda at redhat.com> wrote ----
> >  > You can configure the Truststore SPI, which is mentioned in our docs
> >  > here:
> >  >
> > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> >  >
> >  > Some additional notes around LDAP are here:
> >  >
> > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
> >  >
> >  > Marek
> >  >
> >  >
> >  > On 01/10/18 13:27, Mathieu Poussin wrote:
> >  > > Hello.
> >  > >
> >  > > What would be the recommended way to add custom CA certificates?
> > The documentation has a lot of different ways and so far none of them
> > worked:
> >  > >
> >  > > - The X509_CA_BUNDLE env variable thing (it's running in a
> > container); I can see the certificates in the JKS store, but it looks like
> > they are completely ignored by the app server.
> >  > > - Added a custom SPI to load a custom JKS store; same, no error at
> > server start but they are completely ignored by the app server.
> >  > >
> >  > > This is the error I am getting:
> >  > >
> >  > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >  > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> >  > >          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> >  > >          at sun.security.validator.Validator.validate(Validator.java:262)
> >  > >          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> >  > >          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> >  > >          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> >  > >          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> >  > >          ... 99 more
> >  > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >  > >          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> >  > >          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> >  > >          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> >  > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> >  > >          ... 105 more
> >  > >
> >  > >
> >  > > Another option would be to disable certificate verification on LDAPS,
> > as it's a trusted environment (a last resort, but so far nothing else has
> > worked). Would there be a way to do that?
> >  > > Connecting over plain LDAP is not an option, as this prevents some
> > features, like password reset, from working.
> >  > >
> >  > > Thanks.
> >  > >
> >  > >
> >  > > _______________________________________________
> >  > > keycloak-user mailing list
> >  > > keycloak-user at lists.jboss.org
> >  > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >  >
> >  >
> >  >
> > 
> > 
