<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">The Facebook certificate should be signed
      by a trusted authority, so it works with the default JDK truststore. At
      least for me it always works.<br>
      <br>
      Shouldn't the truststore SPI use both the provided file + the default JDK
      truststore by default? We may have a flag to disable the default JDK
      truststore, but not sure if it's ever needed. Also, shouldn't we
      rewrite SimpleHTTP to use the Apache HTTP client provided by the
      HttpClientProvider SPI?<br>
      <br>
      Marek<br>
      <br>
      On 11/02/16 15:23, Stian Thorgersen wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAfV0HFHT=_rBYe0XQHNeBwKTTrm10gUU=xd24=pAq2KvQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Does it work if you don't specify the truststore?
        That will use the default truststore provided by the JDK.
        <div><br>
        </div>
        <div>Also, does your truststore contain the required CA certs?
          For Facebook to work it'll have to contain the required CAs
          for their certs.</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 11 February 2016 at 14:09, LEONARDO
          NUNES <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:leo.nunes@gjccorp.com.br" target="_blank">leo.nunes@gjccorp.com.br</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div
style="word-wrap:break-word;color:rgb(0,0,0);font-size:16px;font-family:Calibri,sans-serif">
              <div>Hi, I'm getting the error below when I try to log in
                with Facebook.</div>
              <div>I've followed the instructions at <a
                  moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore"
                  target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore</a> and <a
                  moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337"
                  target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337</a></div>
              <div><br>
              </div>
              <div>I was able to login with Facebook when trying at
                localhost. But at our development server we are getting
                this error.</div>
              <div><br>
              </div>
              <div>We are using EAP in domain mode.</div>
              <div><br>
              </div>
              <div>The truststore I placed inside of
                keycloak-server.json</div>
              <div>
                <div>"truststore": {</div>
                <div>        "file": {</div>
                <div>            "file":
                  "/home/soa/jboss/ssl/keycloak.jks",</div>
                <div>            "password": "keycloak123",</div>
                <div>            "hostname-verification-policy": "ANY",</div>
                <div>            "disabled": false</div>
                <div>        }</div>
                <div>    }</div>
              </div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div>#######</div>
              <div><br>
              </div>
              <div>ERROR:</div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div>
                <div>2016-02-11 10:44:53,927 ERROR
                  [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
                  (ajp-/192.168.162.73:8008-1) Failed to make identity
                  provider oauth callback:
                  javax.net.ssl.SSLHandshakeException:
                  sun.security.validator.ValidatorException: PKIX path
                  building failed:
                  sun.security.provider.certpath.SunCertPathBuilderException:
                  unable to find valid certification path to requested
                  target</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)</div>
                <div><span style="white-space:pre-wrap"></span>at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.reflect.NativeMethodAccessorImpl.invoke0(Native
                  Method) [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  java.lang.reflect.Method.invoke(Method.java:497)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
                  [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
                  [keycloak-services-1.8.1.Final.jar:1.8.1.Final]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)</div>
                <div><span style="white-space:pre-wrap"></span>at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  java.lang.Thread.run(Thread.java:745)
                  [rt.jar:1.8.0_45]</div>
                <div>Caused by:
                  sun.security.validator.ValidatorException: PKIX path
                  building failed:
                  sun.security.provider.certpath.SunCertPathBuilderException:
                  unable to find valid certification path to requested
                  target</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.validator.Validator.validate(Validator.java:260)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
                  [jsse.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>... 50
                  more</div>
                <div>Caused by:
                  sun.security.provider.certpath.SunCertPathBuilderException:
                  unable to find valid certification path to requested
                  target</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>at
                  sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
                  [rt.jar:1.8.0_45]</div>
                <div><span style="white-space:pre-wrap"></span>... 56
                  more</div>
                <span class="HOEnZb"><font color="#888888">
                  </font></span></div>
              <span class="HOEnZb"><font color="#888888">
                  <div>
                    <div>
                      <div>-- </div>
                      <div>Leonardo Nunes</div>
                    </div>
                  </div>
                </font></span></div>
            <br>
            _______________________________________________<br>
            keycloak-user mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
            <a moz-do-not-send="true"
              href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
              rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
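    <div>The behaviour proposed at the top of this message (consult the configured truststore file and also the default JDK truststore) can be sketched as a composite <code>X509TrustManager</code>. This is an added example, not Keycloak's truststore SPI code and not code from the thread; the class name <code>CompositeTrustManager</code>, the single command-line argument and the <code>TRUSTSTORE_PASSWORD</code> environment variable are assumptions.</div>

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: a chain is trusted if any delegate (configured file, then JDK default) accepts it. */
public class CompositeTrustManager implements X509TrustManager {
    private final List<X509TrustManager> delegates;

    public CompositeTrustManager(List<X509TrustManager> delegates) {
        if (delegates.isEmpty()) throw new IllegalArgumentException("at least one trust manager required");
        this.delegates = new ArrayList<>(delegates);
    }

    /** Passing ks == null makes the factory load the JDK default truststore (cacerts). */
    static X509TrustManager forKeyStore(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        CertificateException last = null;
        for (X509TrustManager tm : delegates) {
            try { tm.checkServerTrusted(chain, authType); return; }   // first acceptance wins
            catch (CertificateException e) { last = e; }              // try the next store
        }
        throw last; // every store rejected the chain; surface the last path-building error
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        CertificateException last = null;
        for (X509TrustManager tm : delegates) {
            try { tm.checkClientTrusted(chain, authType); return; }
            catch (CertificateException e) { last = e; }
        }
        throw last;
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> all = new ArrayList<>();
        for (X509TrustManager tm : delegates) all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
        return all.toArray(new X509Certificate[0]);
    }

    // Usage (assumed): java CompositeTrustManager /path/to/truststore.jks
    public static void main(String[] args) throws Exception {
        List<X509TrustManager> tms = new ArrayList<>();
        if (args.length == 1) {
            String pw = System.getenv("TRUSTSTORE_PASSWORD"); // hypothetical variable name
            KeyStore custom = KeyStore.getInstance("JKS");
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
                custom.load(in, pw == null ? null : pw.toCharArray());
            }
            tms.add(forKeyStore(custom));                     // configured truststore file first
        }
        tms.add(forKeyStore(null));                           // then the JDK default truststore
        X509TrustManager composite = new CompositeTrustManager(tms);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { composite }, null);
        System.out.println("delegates=" + tms.size() + " acceptedIssuers=" + composite.getAcceptedIssuers().length);
    }
}
```

    <div>Combining the stores makes the accepted issuers the union of both, so the file truststore no longer narrows trust on its own; hostname verification is a separate check and is not affected by this class.</div>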
  </body>
</html>