4:09 a.m.
By the way: on that instance, I have these URLs on the Keycloak subsystem:
<auth-server-url>https://hawkular.kroehling.de/auth</auth-server-url>
<auth-server-url-for-backend-requests>http://192.168.122.230:8080/auth</auth-server-url-for-backend-requests>
This means: users of the application would be redirected to the first
URL when logging in, while the internal backend calls are made using the
second URL.
- Juca.
On 10/12/2015 10:48 AM, Juraci Paixão Kröhling wrote:
I have an instance with TLS at https://hawkular.kroehling.de
working,
but I can't promise to keep it running 24x7 :) It's a bit old already
(MS4, IIRC) , but the setup should not be too different between MS4 and
MS5.
When setting it up, there were a few issues (like, using http by default
in some components without the possibility of overriding it), but the UI
worked fine once those were fixed and merged. Granted, I haven't tested
*everything*, so, I can't say that it all worked :)
Anyway, about the error you are seeing: it seems like the certificate is
missing from "some" keystore. Have you added the cert to the
keycloak.jks keystore? There are a few Keycloak-specific steps that are
required, documented here:
http://keycloak.github.io/docs/userguide/html_single/index.html#d4e336
- Juca.
On 10/10/2015 12:08 AM, John Mazzitelli wrote:
> I'm trying to figure out what does or does not work over HTTPS. So I
> configured kettle with my own self-signed keystore using these
> instructions:
>
> http://blog.eisele.net/2015/01/ssl-with-wildfly-8-and-undertow.html
>
> I can see the UI at https://localhost:8443 - I first had to tell
> Firefox to accept the certificate (so I know its really going over
> SSL). And the fact I can see the login screen tells me the SSL setup
> is OK and I'm able to access the UI over https. However, when I try to
> log in, I get an exception - and its a similar exception I get when
> the agent tries to call into kettle.
>
> Has anyone tried accessing kettle over https and have you seen any
> keycloak issues when doing so? (nudge, nudge, juca :-)
>
> Here's the exception I get when I try to log into the UI - I'm curious
> if there are other configuration settings we need to get HTTPS to work:
>
> 384109 [default task-21] ERROR io.undertow.request - UT005023:
> Exception handling request to /hawkular/accounts/personas/current
> java.lang.RuntimeException: Unable to resolve realm public key remotely
> at
>
org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:134)
>
> at
>
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:83)
>
> at
>
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:71)
>
> at
>
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:47)
>
> at
>
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
>
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>
> at
> io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
>
> at
>
io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
>
> at
>
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>
> at
>
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>
> at
>
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>
> at
>
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>
> at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
>
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
>
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:957)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:892)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
>
> at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
>
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
>
> at
>
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>
> at
> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>
> at
>
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>
> at
>
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>
> at
>
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>
> at
>
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
>
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>
> at
>
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
>
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
>
> at
>
org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:105)
>
> ... 16 more
> Caused by: sun.security.validator.ValidatorException: PKIX path
> building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>
> at sun.security.validator.Validator.validate(Validator.java:260)
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>
> at
>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
>
> ... 35 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
>
> at
>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>