Hello Meissa.
So far I could not find a way to do it; the project is now in standby. If we can't get
it to work we will probably check for another solution, unfortunately.
Thanks.
Mathieu
---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho
<msakho(a)redhat.com> wrote ----
Hello Mathieu, did you manage to make it work? If yes, could you tell
me how?
Meissa
On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin <me(a)mpouss.in> wrote:
Hello Marek.
I've done that already, but it looks like it is completely ignored.
I have my custom truststore that has all my CA certificates (2), but I'm still
seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
Is there a way to make sure it has been loaded correctly? (I don't see any error
when the application starts but it's not working as expected)
Thanks.
Mathieu
---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda(a)redhat.com> wrote ----
> You can configure the Truststore SPI, which is mentioned in our docs
> here:
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
>
> Some additional notes around LDAP are here:
>
> https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
>
> Marek
>
>
> On 01/10/18 13:27, Mathieu Poussin wrote:
> > Hello.
> >
> > What would be the recommended way to add custom CA certificates? The
> > documentation has a lot of different ways and so far none of them worked:
> >
> > - The X509_CA_BUNDLE env variable thing (it's running in a container). I
> > can see the certificates in the JKS store, but it looks like they are completely ignored by
> > the app server.
> > - Added a custom SPI to load a custom JKS store; same thing, no error at server start
> > but they are completely ignored by the app server.
> >
> > This is the error I am getting:
> >
> > Caused by: sun.security.validator.ValidatorException: PKIX path building
> > failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
> > certification path to requested target
> > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > at sun.security.validator.Validator.validate(Validator.java:262)
> > at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > ... 99 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> > to find valid certification path to requested target
> > at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > ... 105 more
> >
> >
> > Another option would be to disable certificate verification on LDAPS, as
> > it's a trusted environment (last resort, but so far nothing else worked). Would
> > there be a way to do that?
> > Connecting over plain LDAP is not an option, as this prevents some features from working,
> > like password reset.
> >
> > Thanks.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
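Mathieu asks how to confirm that the custom truststore is actually usable. The stand-alone Java program below is an added example, not code from this thread or from Keycloak: it loads a JKS truststore and runs the same JDK PKIX path building that failed in the stack trace above, but against a saved copy of the LDAPS server's certificate chain, so the truststore can be tested outside the application server. The file names ldap-truststore.jks and ldaps-chain.pem and the password changeit are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class TruststoreCheck {
    // Build a PKIX path from the server (leaf) certificate to an anchor taken from
    // the truststore. Only trustedCertEntry items in the JKS count as anchors; if
    // there are none, PKIXBuilderParameters throws InvalidAlgorithmParameterException.
    static PKIXCertPathBuilderResult validate(KeyStore truststore, List<X509Certificate> chain)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(truststore, target);
        // Intermediates sent by the server are available for path building but are
        // not trusted; only the anchors from the truststore are.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // offline check, no CRL/OCSP
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: the custom JKS truststore and a PEM file with the chain the
        // LDAPS server presents (for example saved from `openssl s_client -showcerts`).
        String jks = args.length > 0 ? args[0] : "ldap-truststore.jks";
        String pem = args.length > 1 ? args[1] : "ldaps-chain.pem";
        char[] password = "changeit".toCharArray(); // assumed truststore password

        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jks)) { ts.load(in, password); }
        System.out.println("truststore entries: " + ts.size());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        try {
            PKIXCertPathBuilderResult r = validate(ts, chain);
            System.out.println("OK, chain anchored at: "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // Same failure as the Keycloak stack trace: the issuing CA is not an anchor.
            System.out.println("PKIX path building failed: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac TruststoreCheck.java && java TruststoreCheck <truststore.jks> <chain.pem>`. A "PKIX path building failed" result here means the truststore itself lacks the issuing CA (or holds it as a key entry rather than a trusted certificate), while a pass narrows the problem to Keycloak not picking up that truststore.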