<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 16px; font-family: Calibri, sans-serif; ">
<div>
<div>Stian, at our EAP init opts we have the&nbsp;-Djavax.net.ssl.trustStore= pointing to a .jks file that has a certificate for the hosts of our domain to communicate.</div>
<div>If I don't specify the&nbsp;-Djavax.net.ssl.trustStore= then Facebook login works fine with the one provided by the JDK.</div>
<div><br>
</div>
<div>I tried to find out which are the required CAs for Facebook, so I could add them to my truststore, but I couldn't find them.</div>
<div>Could you please help me with that?</div>
<div><br>
</div>
<div>I added a valid certificate to our truststore and still get the same error.</div>
<div><br>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Stian Thorgersen &lt;<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Reply-To: </span>&quot;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&quot; &lt;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Thursday, 11 February 2016 12:23<br>
<span style="font-weight:bold">To: </span>Leonardo Nunes &lt;<a href="mailto:leo.nunes@gjccorp.com.br">leo.nunes@gjccorp.com.br</a>&gt;<br>
<span style="font-weight:bold">Cc: </span>&quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Does it work if you don't specify the truststore? That will use the default truststore provided by the JDK.
<div><br>
</div>
<div>Also, does your truststore contain the required CA certs? For Facebook to work it'll have to contain the required CAs for their certs.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 11 February 2016 at 14:09, LEONARDO NUNES <span dir="ltr">
&lt;<a href="mailto:leo.nunes@gjccorp.com.br" target="_blank">leo.nunes@gjccorp.com.br</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:16px;font-family:Calibri,sans-serif">
<div>Hi, I'm getting the error below when I try to login with Facebook.</div>
<div>I've followed the instructions at&nbsp;<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore</a>&nbsp;and&nbsp;<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337</a></div>
<div><br>
</div>
<div>I was able to login with Facebook when trying at localhost. But at our development server we are getting this error.</div>
<div><br>
</div>
<div>We are using EAP in domain mode.</div>
<div><br>
</div>
<div>The truststore I placed inside of keycloak-server.json</div>
<div>
<div>&quot;truststore&quot;: {</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &quot;file&quot;: {</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &quot;file&quot;: &quot;/home/soa/jboss/ssl/keycloak.jks&quot;,</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &quot;password&quot;: &quot;keycloak123&quot;,</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &quot;hostname-verification-policy&quot;: &quot;ANY&quot;,</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &quot;disabled&quot;: false</div>
<div>&nbsp; &nbsp; &nbsp; &nbsp; }</div>
<div>&nbsp; &nbsp; }</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>#######</div>
<div><br>
</div>
<div>ERROR:</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path
 building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)</div>
<div><span style="white-space:pre-wrap"></span>at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)</div>
<div><span style="white-space:pre-wrap"></span>at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]</div>
<div><span style="white-space:pre-wrap"></span>at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)</div>
<div><span style="white-space:pre-wrap"></span>at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]</div>
<div><span style="white-space:pre-wrap"></span>at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]</div>
<div>Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) [jsse.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>... 50 more</div>
<div>Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45]</div>
<div><span style="white-space:pre-wrap"></span>... 56 more</div>
<span class="HOEnZb"><font color="#888888"></font></span></div>
<span class="HOEnZb"><font color="#888888">
<div>
<div>
<div>--&nbsp;</div>
<div>Leonardo Nunes</div>
</div>
<div></div>
</div>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span>
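<div>An added example, not part of the original thread and not Keycloak's own code: a small Java diagnostic that records the certificate chain a host presents and runs PKIX path validation against both the JDK default trust store and a custom JKS, which is the comparison discussed in the thread. The class name TrustStoreCheck is hypothetical; the truststore path, password and host are supplied by the operator, and the run needs network access to that host on port 443.</div>

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// Hypothetical helper. Usage: java TrustStoreCheck TRUSTSTORE.jks PASSWORD HOST
public class TrustStoreCheck {
    static X509Certificate[] chain;   // chain presented by the server
    static String authType;           // key-exchange type reported by JSSE

    // Trust manager backed by ks; null selects the JVM default (the JDK cacerts
    // file, unless -Djavax.net.ssl.trustStore is set for this run).
    static X509TrustManager trustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Records the chain, then rejects it: the handshake never completes and
    // no certificate is accepted without validation.
    static void fetchChain(String host) throws Exception {
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                chain = c; authType = a;
                throw new CertificateException("chain recorded, handshake aborted");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
        } catch (SSLException expected) { /* raised by the recorder */ }
        if (chain == null) throw new IllegalStateException("no certificate chain received");
    }

    // Full PKIX path validation of the recorded chain against one trust store.
    static String verdict(X509TrustManager tm) {
        try { tm.checkServerTrusted(chain, authType); return "trusted"; }
        catch (Exception e) { return "NOT trusted: " + e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        KeyStore custom = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { custom.load(in, args[1].toCharArray()); }
        fetchChain(args[2]);
        for (X509Certificate c : chain)
            System.out.println(c.getSubjectX500Principal() + "\n  issued by " + c.getIssuerX500Principal());
        System.out.println("JDK default : " + verdict(trustManager(null)));
        System.out.println("custom store: " + verdict(trustManager(custom)));
    }
}
```

<div>Run it without -Djavax.net.ssl.trustStore so that the "JDK default" line reflects the JDK's own cacerts. The issuer printed for the last certificate in the chain names the CA the custom store would need in order to build a path.</div>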
</body>
</html>