Hi,
Thanks for the suggestion, but only server-side certificates are required for our AD setup.
Mark Nuttall-Smith
Software Engineer
Flow Traders
T: +31 20 799 8753
F: +31 20 799 6780
Jacob Bontiusplaats 9
1018 LL Amsterdam
Netherlands
www.flowtraders.com
-----Original Message-----
From: Nick Su [mailto:nicksu@m800.com]
Sent: Monday, July 15, 2019 9:40 AM
To: Mark Nuttall-Smith
Subject: Re: [keycloak-user] transient SSL certificate errors to AD/LDAPS
Hi
Does your LDAPS server require client verification as well? I came across a similar issue months ago and fixed it by providing a trust store and a keystore, respectively, to Java.
On 15 Jul 2019, at 3:34 PM, Mark Nuttall-Smith <mnuttallsmith(a)flowtraders.com> wrote:
Hi,
I've configured Keycloak to talk to an AD server using LDAPS. Everything works
perfectly most of the time, but there are rare, transient errors caused by the following
exception:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 18 more
Normally retrying the same query allows a user to log in again successfully (browser
caches complicate things though).
We add the certificates to the keystore using the following approach in our kubernetes
helm chart:
--------------------
extraArgs: "-Djavax.net.ssl.trustStore=/opt/cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dkeycloak.import=/opt/import/realm.json"
# This init container adds the certificates for the AD domain controllers to a
# keystore using a mounted ad-cacerts volume.
# The same volume with the keystore is then mounted and used by the main keycloak
# container.
extraInitContainers: |
  - name: cacerts-init
    image: openjdk:8-jre
    command:
      - bash
    args:
      - -c
      - |
        # start from the JRE's default truststore so public CAs stay trusted
        cat $JAVA_HOME/lib/security/cacerts > /opt/cacerts/cacerts;
        # one certificate per domain controller address the domain currently resolves to
        for host in `getent ahosts mycompany.local | awk '{print $1}' | uniq`;
        do
          echo | openssl s_client -connect ${host}:3269 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${host}.cer ;
          keytool -keystore /opt/cacerts/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ${host} -file ${host}.cer
        done
    volumeMounts:
      - name: ad-cacerts
        mountPath: /opt/cacerts
extraVolumes: |
  - name: ad-cacerts
    emptyDir: {}
extraVolumeMounts: |
  - name: ad-cacerts
    mountPath: /opt/cacerts
-----------------------
Does anyone have an idea what could be the cause of these transient errors?
Thanks, Mark
Mark Nuttall-Smith
Software Engineer
Flow Traders
T: +31 20 799 8753
F: +31 20 799 6780
Jacob Bontiusplaats 9
1018 LL Amsterdam
Netherlands
www.flowtraders.com
Flow Traders has its seat in Amsterdam, Netherlands, its registered office at Jacob
Bontiusplaats 9, 1018 LL, Amsterdam, Netherlands and is registered with the Trade Registry
of the Chamber of Commerce under number . This message may contain information that is not
intended for you. If you are not the addressee or if this message was sent to you by
mistake, you are requested to inform the sender and delete the message. This message may
not be forwarded or published to any other person than its addressees without Flow
Traders's prior consent. Flow Traders accepts no liability for damage of any kind
resulting from the risks inherent in the electronic transmission of messages.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
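The init container above snapshots whichever domain-controller addresses resolved at pod start and imports each DC's own leaf certificate, so a DC that was not in that snapshot (or whose certificate was renewed since) only fails when a connection happens to land on it, which is exactly what a sporadic PKIX error looks like. The following diagnostic, added here as an example and not code from the thread or from Keycloak, replays the same lookup against the truststore the pod actually uses and reports which DC addresses do not validate. It assumes keytool and openssl are on PATH, that the truststore is the JKS file passed via -Djavax.net.ssl.trustStore, and that openssl's PEM reader skips the non-PEM header lines keytool prints between certificates (so `keytool -list -rfc` output can be used directly as a -CAfile). The host list and s_client output in the test are constructed sample data.

```shell
#!/bin/sh
# Added diagnostic (not from the mailing-list thread): check every DC address
# the domain resolves to against the JKS truststore Keycloak is configured with.
# Assumptions: keytool and openssl on PATH; openssl tolerates keytool's
# "Alias name:" lines between PEM blocks when the output is used as -CAfile.

# Print the numeric "Verify return code" from openssl s_client output (stdin).
# 0 means the presented chain validated against the given CA file; nothing is
# printed when no handshake took place (connection refused, timeout).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Given "host code" lines (as produced by check_host) on stdin, print only the
# hosts whose chain did not validate, including unreachable ones, one per line.
failing_hosts() {
    awk '$2 != "0" { print $1 }'
}

# Export every certificate in the JKS truststore as PEM so openssl can use it.
jks_to_pem() {
    keytool -list -rfc -keystore "$1" -storepass "$2" 2>/dev/null
}

# Handshake with one host:port, verifying the presented chain against $cafile.
# Output: "<host> <code>" where code is the verify result or "unreachable".
check_host() {
    host=$1; port=$2; cafile=$3
    out=$(echo | openssl s_client -connect "$host:$port" -CAfile "$cafile" 2>&1)
    code=$(printf '%s\n' "$out" | verify_code)
    printf '%s %s\n' "$host" "${code:-unreachable}"
}

# Resolve the domain to every DC address (the same lookup the init container
# performs) and check each one, so a DC missing from the truststore shows up
# here instead of as an occasional PKIX failure inside Keycloak.
check_domain() {
    domain=$1; port=$2; keystore=$3; storepass=$4
    cafile=$(mktemp)
    jks_to_pem "$keystore" "$storepass" > "$cafile"
    for host in $(getent ahosts "$domain" | awk '{print $1}' | sort -u); do
        check_host "$host" "$port" "$cafile"
    done
    rm -f "$cafile"
}

# Usage: sh check_dcs.sh mycompany.local 3269 /opt/cacerts/cacerts changeit
# Prints one "<address> <code>" line per DC; exits 1 if any DC is not trusted.
if [ "$#" -eq 4 ]; then
    results=$(check_domain "$@")
    printf '%s\n' "$results"
    bad=$(printf '%s\n' "$results" | failing_hosts)
    if [ -n "$bad" ]; then
        printf 'not trusted by the truststore: %s\n' "$bad" >&2
        exit 1
    fi
fi
```

Run it from a pod that mounts the same ad-cacerts volume, or against a copy of the keystore, while the transient errors are occurring; an address reported with code 20 (unable to get local issuer certificate) or as unreachable is a DC the init container never captured. Importing the issuing CA of the domain controllers' certificates instead of each DC's leaf certificate removes the dependency on which DCs happened to resolve at pod start and survives certificate renewal.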