<div dir="ltr">Hello Juan Diego,<div><br></div><div>I think you are right. Java probably does not recognize Komodo as a valid certificate authority.</div><div><br></div><div>Java keeps certificates of CAs in a keystore (a 'trust store' - a store of certificates from authorities that are to be trusted). The Komodo certificate that is part of your chain is probably not in them.</div><div><br></div><div>I'm quite new to Keycloak, and I'm not sure if Keycloak uses the default keystores that ship with any version of Java, or uses its own set. Perhaps the Keycloak documentation gives you a hint to that effect.</div><div><br></div><div>I hope this helps. Regards,</div><div><br></div><div> Guus</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 8 April 2016 at 01:25, Juan Diego <span dir="ltr">&lt;<a href="mailto:juandiego83@gmail.com" target="_blank">juandiego83@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>I installed a Keycloak server on Amazon and bought a cert from Komodo. And I was testing my app from my localhost, so my webapp in JSF is supposed to log against that server and it seems to work. 
I modified my web.xml so the login-config uses Keycloak.<br><br></div>I thought my local server SSL was the problem but I disabled &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;<br><br></div>But I got the same error.<br><div><br>17:49:20,443 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-49) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<br> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)<br> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)<br> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)<br> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)<br> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)<br> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)<br> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)<br> at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)<br> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)<br> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)<br> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)<br> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)<br> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)<br> at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)<br> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)<br> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)<br> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)<br> at 
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)<br> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)<br> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)<br> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)<br> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)<br> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)<br> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)<br> at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)<br> at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)<br> at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)<br> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)<br> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)<br> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)<br> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)<br> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)<br> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)<br> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)<br> at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)<br> at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)<br> at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)<br> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)<br> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)<br> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)<br> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)<br> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)<br> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)<br> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)<br> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)<br> at 
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)<br> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)<br> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)<br> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)<br> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)<br> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br> at java.lang.Thread.run(Thread.java:745)<br>Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<br> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)<br> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)<br> at sun.security.validator.Validator.validate(Validator.java:260)<br> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)<br> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)<br> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)<br> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)<br> ... 56 more<br>Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<br> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)<br> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)<br> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)<br> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)<br> ... 
62 more<br><br><br></div><div>From what I understand, it is because my Java doesn't perceive my cert as a proper CA-signed cert. <br><br></div><div>Thanks,<br><br></div><div>Juan Diego<br></div><div><br></div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
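An added example, not part of the original thread and not Keycloak code: a small Java diagnostic for the situation Guus describes. It loads the JVM's default trust store and runs the same PKIX path building that fails in the stack trace against a server chain. The class name `TrustStoreCheck` and the input file `chain.pem` (the server's certificates in PEM form, leaf first) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic (not Keycloak code): java TrustStoreCheck chain.pem
public class TrustStoreCheck {
    // CA certificates the JVM trusts by default: lib/security/cacerts,
    // or the store named by -Djavax.net.ssl.trustStore if that is set.
    static Set<TrustAnchor> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(ca, null));
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM file with the server's chain, leaf certificate first (assumption).
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        Set<TrustAnchor> anchors = defaultAnchors();
        System.out.println("Trust anchors in default store: " + anchors.size());
        for (X509Certificate c : chain)
            System.out.println("subject: " + c.getSubjectX500Principal()
                + "\n  issuer: " + c.getIssuerX500Principal());

        // Same PKIX path building the TLS handshake performs in the stack trace.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // only test whether a path to an anchor exists
        try {
            CertPathBuilderResult r = CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Path found, length " + r.getCertPath().getCertificates().size());
        } catch (CertPathBuilderException e) {
            System.out.println("No path to a trusted CA: " + e.getMessage());
        }
    }
}
```

Run it with the same JVM and the same `javax.net.ssl.trustStore` settings as the application server, since a different Java installation may ship a different set of CA certificates.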