When using 'truststore' provider it is up to you to make sure to
include all the certificates you trust. Configuration via
-Djavax.net.ssl.trustStore works the same - no automatic inclusion of
cacerts. But it sounds like a good usability feature to add a flag
that would automatically include cacerts as well. The problem is - it
happens occasionally that some CAs turn out not to be trustworthy, and
blindly importing all cacerts exposes you to that risk.
One detail to emphasize, with third party not-self-signed certificates
it's important to include the CA certificate used to create the
specific server certificate, rather than the server certificate
itself. Facebook servers use different short-lived server certificates
- and with two consecutive requests you may be presented with two
different server certificates - but they are all issued by the same
long-lived trusted CA.
On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
Facebook certificate should be signed by trusted authority, so it
works with
default JDK truststore. At least for me it always works.
Shouldn't truststore SPI use both provided file + default JDK truststore by
default? We may have flag to disable default JDK truststore, but not sure if
it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP
client provided by HttpClientProvider SPI?
Marek
On 11/02/16 15:23, Stian Thorgersen wrote:
Does it work if you don't specify the truststore? That will use the default
truststore provided by the JDK.
Also, does your truststore contain the required CA certs? For Facebook to
work it'll have to contain the required CA's for their certs
On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
wrote:
>
> Hi, i'm getting the error below when I try to login with Facebook.
> I've followed the instructions at
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
> and
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
>
> I was able to login with Facebook when trying at localhost. But at our
> development server we are getting this error.
>
> We are using EAP in domain mode.
>
> The truststore I placed inside of keycloak-server.json
> "truststore": {
> "file": {
> "file": "/home/soa/jboss/ssl/keycloak.jks",
> "password": "keycloak123",
> "hostname-verification-policy": "ANY",
> "disabled": false
> }
> }
>
>
> #######
>
> ERRO:
>
>
> 2016-02-11 10:44:53,927 ERROR
> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
> callback: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> [jsse.jar:1.8.0_45]
> at
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
> [rt.jar:1.8.0_45]
> at
> org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
> at
>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> [rt.jar:1.8.0_45]
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> [rt.jar:1.8.0_45]
> at
>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> [rt.jar:1.8.0_45]
> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
> at
>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> [rt.jar:1.8.0_45]
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> [rt.jar:1.8.0_45]
> at sun.security.validator.Validator.validate(Validator.java:260)
> [rt.jar:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> [jsse.jar:1.8.0_45]
> at
>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> [jsse.jar:1.8.0_45]
> ... 50 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> [rt.jar:1.8.0_45]
> at
>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> [rt.jar:1.8.0_45]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> [rt.jar:1.8.0_45]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> [rt.jar:1.8.0_45]
> ... 56 more
>
>
>
>
>
> --
> Leonardo Nunes
> ________________________________
> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
> você não for o destinatário ou a pessoa autorizada a receber esta mensagem,
> não poderá usar, copiar ou divulgar as informações nela contidas ou tomar
> qualquer ação baseada nessas informações. Se você recebeu esta mensagem por
> engano, por favor avise imediatamente o remetente, respondendo o e-mail e em
> seguida apague-o. Agradecemos sua cooperação.
>
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose or take any action based on this message or
> any information herein. If you have received this message in error, please
> advise the sender immediately by reply e-mail and delete this message. Thank
> you for your cooperation
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user