<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On 12 February 2016 at 10:04, Marko Strukelj <span dir="ltr">&lt;<a href="mailto:mstrukel@redhat.com" target="_blank">mstrukel@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">When using &#39;truststore&#39; provider it is up to you to make sure to<br>
include all the certificates you trust. Configuration via<br>
-Djavax.net.ssl.trustStore works the same - no automatic inclusion of<br>
cacerts. But it sounds like a good usability feature to add a flag<br>
that would automatically include cacerts as well. The problem is - it<br>
happens occasionally that some CAs turn out not to be trustworthy, and<br>
blindly importing all cacerts exposes you to that risk.<br></blockquote><div><br></div><div>How about having a flag that is enabled by default that includes cacerts from Java? I&#39;d actually think that updates to CA certs are more likely to happen by updating Java rather than by manually maintaining a truststore.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
One detail to emphasize, with third party not-self-signed certificates<br>
it&#39;s important to include the CA certificate used to create the<br>
specific server certificate, rather than the server certificate<br>
itself. Facebook servers use different short-lived server certificates<br>
- and with two consecutive requests you may be presented with two<br>
different server certificates - but they are all issued by the same<br>
long-lived trusted CA. </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
<br>
On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda &lt;<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt; wrote:<br>
&gt; Facebook certificate should be signed by trusted authority, so it works with<br>
&gt; default JDK truststore. At least for me it always works.<br>
&gt;<br>
&gt; Shouldn&#39;t truststore SPI use both provided file + default JDK truststore by<br>
&gt; default? We may have flag to disable default JDK truststore, but not sure if<br>
&gt; it&#39;s ever needed. Also shouldn&#39;t we rewrite SimpleHTTP to use Apache HTTP<br>
&gt; client provided by HttpClientProvider SPI?<br>
&gt;<br>
&gt; Marek<br>
&gt;<br>
&gt;<br>
&gt; On 11/02/16 15:23, Stian Thorgersen wrote:<br>
&gt;<br>
&gt; Does it work if you don&#39;t specify the truststore? That will use the default<br>
&gt; truststore provided by the JDK.<br>
&gt;<br>
&gt; Also, does your truststore contain the required CA certs? For Facebook to<br>
&gt; work it&#39;ll have to contain the required CAs for their certs.<br>
&gt;<br>
&gt; On 11 February 2016 at 14:09, LEONARDO NUNES &lt;<a href="mailto:leo.nunes@gjccorp.com.br">leo.nunes@gjccorp.com.br</a>&gt;<br>
&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; Hi, I&#39;m getting the error below when I try to login with Facebook.<br>
&gt;&gt; I&#39;ve followed the instructions at<br>
&gt;&gt; <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore</a><br>
&gt;&gt; and<br>
&gt;&gt; <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337</a><br>
&gt;&gt;<br>
&gt;&gt; I was able to login with Facebook when trying at localhost. But at our<br>
&gt;&gt; development server we are getting this error.<br>
&gt;&gt;<br>
&gt;&gt; We are using EAP in domain mode.<br>
&gt;&gt;<br>
&gt;&gt; The truststore I placed inside of keycloak-server.json<br>
&gt;&gt; &quot;truststore&quot;: {<br>
&gt;&gt;         &quot;file&quot;: {<br>
&gt;&gt;             &quot;file&quot;: &quot;/home/soa/jboss/ssl/keycloak.jks&quot;,<br>
&gt;&gt;             &quot;password&quot;: &quot;keycloak123&quot;,<br>
&gt;&gt;             &quot;hostname-verification-policy&quot;: &quot;ANY&quot;,<br>
&gt;&gt;             &quot;disabled&quot;: false<br>
&gt;&gt;         }<br>
&gt;&gt;     }<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; #######<br>
&gt;&gt;<br>
&gt;&gt; ERROR:<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; 2016-02-11 10:44:53,927 ERROR<br>
&gt;&gt; [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]<br>
&gt;&gt; (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth<br>
&gt;&gt; callback: javax.net.ssl.SSLHandshakeException:<br>
&gt;&gt; sun.security.validator.ValidatorException: PKIX path building failed:<br>
&gt;&gt; sun.security.provider.certpath.SunCertPathBuilderException: unable to find<br>
&gt;&gt; valid certification path to requested target<br>
&gt;&gt; at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)<br>
&gt;&gt; at<br>
&gt;&gt; org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)<br>
&gt;&gt; at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)<br>
&gt;&gt; [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)<br>
&gt;&gt; [keycloak-services-1.8.1.Final.jar:1.8.1.Final]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)<br>
&gt;&gt; [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]<br>
&gt;&gt; Caused by: sun.security.validator.ValidatorException: PKIX path building<br>
&gt;&gt; failed: sun.security.provider.certpath.SunCertPathBuilderException: unable<br>
&gt;&gt; to find valid certification path to requested target<br>
&gt;&gt; at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.validator.Validator.validate(Validator.java:260)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; ... 50 more<br>
&gt;&gt; Caused by: sun.security.provider.certpath.SunCertPathBuilderException:<br>
&gt;&gt; unable to find valid certification path to requested target<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; ... 56 more<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; --<br>
&gt;&gt; Leonardo Nunes<br>
&gt;&gt; ________________________________<br>
&gt;&gt; This message may contain confidential and/or privileged information. If<br>
&gt;&gt; you are not the addressee or the person authorized to receive this message,<br>
&gt;&gt; you may not use, copy or disclose the information it contains or take<br>
&gt;&gt; any action based on that information. If you have received this message in<br>
&gt;&gt; error, please notify the sender immediately by replying to the e-mail and<br>
&gt;&gt; then delete it. Thank you for your cooperation.<br>
&gt;&gt;<br>
&gt;&gt; This message may contain confidential and/or privileged information. If<br>
&gt;&gt; you are not the addressee or authorized to receive this for the addressee,<br>
&gt;&gt; you must not use, copy, disclose or take any action based on this message or<br>
&gt;&gt; any information herein. If you have received this message in error, please<br>
&gt;&gt; advise the sender immediately by reply e-mail and delete this message. Thank<br>
&gt;&gt; you for your cooperation.<br>
&gt;&gt;<br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; keycloak-user mailing list<br>
&gt;&gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt;&gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
</div></div></blockquote></div><br></div></div>
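<div>Added example, not Keycloak code and not from any message in this thread: one way to get the behaviour proposed above (the operator&#39;s own truststore plus the JDK cacerts, so Java updates carry CA updates) is a JSSE trust manager that consults both stores. The class name CombinedTrustManager, the truststore path and the password are assumptions; the chain is accepted as soon as either store builds a valid PKIX path, and the handshake fails with the same "PKIX path building failed" error as in the log only when both reject it.</div>

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class CombinedTrustManager implements X509TrustManager {
    private final List<X509TrustManager> delegates = new ArrayList<>();
    public CombinedTrustManager(String customJksPath, char[] password) throws Exception {
        // Delegate 1: the JDK default. init(null) loads cacerts (or javax.net.ssl.trustStore when set),
        // so CA updates arrive with Java updates instead of manual truststore maintenance.
        delegates.add(fromKeyStore(null));
        // Delegate 2: the operator's own truststore (the "file" entry in keycloak-server.json; path assumed).
        // It should hold the issuing CA certificate, not a short-lived server leaf certificate.
        KeyStore custom = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(customJksPath)) {
            custom.load(in, password);
        }
        delegates.add(fromKeyStore(custom));
    }
    private static X509TrustManager fromKeyStore(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    // First delegate that builds a valid PKIX path wins; if every delegate rejects the chain, the last
    // failure is rethrown and surfaces as the "PKIX path building failed" handshake error in the log.
    private void check(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
        CertificateException last = null;
        for (X509TrustManager tm : delegates) {
            try {
                if (server) tm.checkServerTrusted(chain, authType); else tm.checkClientTrusted(chain, authType);
                return;
            } catch (CertificateException e) { last = e; }
        }
        throw last;
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { check(c, a, true); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { check(c, a, false); }
    @Override public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> all = new ArrayList<>();
        for (X509TrustManager tm : delegates) all.addAll(java.util.Arrays.asList(tm.getAcceptedIssuers()));
        return all.toArray(new X509Certificate[0]);
    }
}
```

<div>Install it with SSLContext.init(null, new TrustManager[]{ new CombinedTrustManager(path, password) }, null); the custom store only needs the CA that issued the remote server&#39;s certificate, which is why importing a rotating leaf certificate (as with Facebook) does not help.</div>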