Re: [keycloak-user] Add CA certificates for LDAPS ?

My LDAPS configuration did also work fine with keycloak 3.3.5 docker image My question was related to the The X509_CA_BUNDLE env variable that comes with the keycloak 4.4.x docker image. I would like to use it and wanted to know if it work. Do I understand that it's working fine for you Mathieu? Meissa Le lun. 5 nov. 2018 à 12:17, Mathieu Poussin <me(a)mpouss.in&gt; a écrit : > I confirm this fixed the issue :) > > So simple that I didn't think about it... > > Thank you > > ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt(a)acutus.pro&gt; > wrote ---- > > Mathieu, Meissa, > > > > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml > instead of standalone.xml by default. I guess this is why your truststore > settings are being ignored. > > > > I've also tested Keycloak + LDAP + self-signed cert + truststore on a > non-Docker deployment - it works pretty well, so definitely not a Keycloak > bug per se. > > > > Good luck! > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info(a)acutus.pro > > > > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote: > > > Hello Mathieu, > > > did you manage to make it work? > > > If yes, could you tell me how? > > > Meissa > > > > > > > Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in&gt; a > écrit : > > > > > > > Hello Marek. > > > > > > > > I've done that already but looks like it is completely ignored. > > > > I have my custom truststore that have all my CA certificates (2), > but I'm > > > > still seeing the same issue. (SPI is enabled on the LDAPS settings > on the > > > > admin) > > > > Is there a way to make sure it has been loaded correctly? (I don't > see any > > > > error when the application starts but it's not working as > expected) > > > > > > > > Thanks. > > > > Mathieu > > > > > > > > > > > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda < > > > > mposolda(a)redhat.com&gt; wrote ---- > > > > > You can configure the Truststore SPI, which is mentioned in our > docs > > > > > here: > > > > > > > > > > https://www.keycloak.org/docs/latest/server_installation/index.html#_trus... > > > > > > > > > > Some additional notes around LDAP are here: > > > > > > > > > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l... > > > > > > > > > > Marek > > > > > > > > > > > > > > > On 01/10/18 13:27, Mathieu Poussin wrote: > > > > > > Hello. > > > > > > > > > > > > What would be the recommended way to add a custom CA > certificates ? > > > > The documentation has a lot of different ways and so far none of > them > > > > worked : > > > > > > > > > > > > - The X509_CA_BUNDLE env variable thing (It's running in a > > > > container), I can see the certificates in the JKS store but looks > like > > > > they are completely ignored by the app server. > > > > > > - Added custom SPI to load a custom JKS store, same, no error > at > > > > server start but they are completely ignored by the app server. > > > > > > > > > > > > This is the error I am getting : > > > > > > > > > > > > Caused by: sun.security.validator.ValidatorException: PKIX > path > > > > building failed: > > > > sun.security.provider.certpath.SunCertPathBuilderException: unable > to find > > > > valid certification path to requested target > > > > > > at > > > > > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) > > > > > > at > > > > > sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) > > > > > > at > > > > sun.security.validator.Validator.validate(Validator.java:262) > > > > > > at > > > > > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > > > > > > > > > > > at > > > > > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > > > > > > > > > > > at > > > > > sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) > > > > > > > > > > > at > > > > > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) > > > > > > > > > > > ... 99 more > > > > > > Caused by: > > > > sun.security.provider.certpath.SunCertPathBuilderException: unable > to find > > > > valid certification path to requested target > > > > > > at > > > > > sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) > > > > > > > > > > > at > > > > > sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) > > > > > > > > > > > at > > > > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > > > > > > at > > > > > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) > > > > > > ... 105 more > > > > > > > > > > > > > > > > > > Another option would be to disable certificate verification > on LDAPS > > > > as it's a trusted environment (last resort but well so far nothing > else > > > > worked), would there be a way to do that? > > > > > > Connecting over LDAP is not an option a this prevent some > features to > > > > work like password reset. > > > > > > > > > > > > Thanks. > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user(a)lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user(a)lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > >