It seems you need to configure a truststore on the adapter side, so the
adapter (which uses Apache HTTP Client under the hood) is able to
communicate with the Keycloak server and trust it. You can take a look at
the docs and see the options related to the truststore [1].
[1]
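As an added illustration of the truststore approach recommended above (this is example code written for this thread, not code from the Keycloak adapter or from either poster), the snippet below builds the kind of trust setup the adapter derives from its truststore settings: an SSLContext backed by a JKS truststore that holds the CA which signed the proxy/LB certificate, wired into Apache HttpClient with strict hostname verification, plus a small diagnostic that opens a TLS connection to the proxy and prints the chain it presents. The class name, the command-line arguments and the truststore path are hypothetical, and it assumes Java 7+ and Apache HttpClient 4.4+ (the 4.2 API visible in the trace is different).

```java
// Added example for this thread, not code from the Keycloak adapter or the mail.
// Builds the trust setup the adapter derives from its <truststore> /
// <truststore-password> realm settings: an SSLContext backed by a JKS
// truststore holding the CA that signed the proxy/LB certificate, plus strict
// hostname verification. Assumes Java 7+ and Apache HttpClient 4.4+.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public final class AdapterTrustCheck { // hypothetical class name

    /** Loads the truststore and returns an SSLContext that trusts only the CAs in it. */
    static SSLContext trustStoreContext(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: server auth only
        return ctx;
    }

    /**
     * Wires the context into HttpClient for calls such as the code-to-token
     * request. DefaultHostnameVerifier is the strict verifier; the adapter's
     * <allow-any-hostname>true</allow-any-hostname> would swap in a no-op
     * verifier and <disable-trust-manager>true</disable-trust-manager> a
     * trust-all manager, so neither one fixes an untrusted certificate, they
     * only remove server authentication.
     */
    static CloseableHttpClient httpClient(SSLContext ctx) {
        return HttpClients.custom()
                .setSSLSocketFactory(
                        new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier()))
                .build();
    }

    /**
     * Diagnostic: open a TLS connection to the proxy/LB using the truststore,
     * verify the hostname, and print the chain the peer presented. A handshake
     * failure here reproduces the trust problem without involving the adapter.
     */
    static void checkEndpoint(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // JSSE hostname check
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Trusted chain presented by " + host + ":" + port);
            for (Certificate cert : socket.getSession().getPeerCertificates()) {
                X509Certificate x509 = (X509Certificate) cert;
                System.out.println("  " + x509.getSubjectX500Principal()
                        + "  issued by  " + x509.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Typical cause: the CA that issued the LB certificate is not in the truststore.
            System.out.println("Handshake failed: " + e.getMessage());
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical arguments: host and port of the https proxy/LB in front of
        // Keycloak, then the truststore path and its password.
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        Path truststore = Paths.get(args[2]);
        char[] password = args[3].toCharArray();

        SSLContext ctx = trustStoreContext(truststore, password);
        checkEndpoint(ctx, host, port);
        try (CloseableHttpClient client = httpClient(ctx)) {
            System.out.println("HttpClient configured with truststore-backed TLS");
        }
    }
}
```

The truststore itself is built with the JDK's keytool, for example `keytool -importcert -trustcacerts -alias lb-ca -file ca.pem -keystore truststore.jks` (the alias, file and keystore names are placeholders). If the diagnostic handshake fails against the proxy while the same chain validates against the Keycloak server directly, the certificate the proxy/LB presents is the one whose issuing CA belongs in the truststore.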
Hello,
Please let me know if you need more information to understand the
problem better. Thanks a lot.
Stefan
*From:* keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org]
*Sent:* Thursday, September 22, 2016 10:55 AM
*To:* keycloak-user(a)lists.jboss.org
*Subject:* [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated
Hello all,
We have the keycloak-2.1.0.Final server and the keycloak-as7-adapter-2.1.0
adapter version installed. We are trying to configure an https proxy / LB
for the Keycloak server. I am getting the following error from the Keycloak
adapter after a successful sign in to the Keycloak server. Here is the
Keycloak adapter log part:
2016-09-22 10:45:50,643 DEBUG
[org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1)
adminRequest
https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,643 TRACE
[org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1)
--> authenticate()
2016-09-22 10:45:50,644 TRACE
[org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1)
try bearer
2016-09-22 10:45:50,644 TRACE
[org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1)
try query paramter auth
2016-09-22 10:45:50,644 TRACE
[org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1)
try oauth
2016-09-22 10:45:50,644 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) there was no code
2016-09-22 10:45:50,644 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) redirecting to auth server
2016-09-22 10:45:50,644 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) callback uri:
https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,645 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) Sending redirect to login page:
https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-conne...
ient_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
2016-09-22 10:45:50,663 DEBUG
[org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1)
adminRequest
https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-...
UprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
2016-09-22 10:45:50,663 TRACE
[org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1)
--> authenticate()
2016-09-22 10:45:50,664 TRACE
[org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1)
try bearer
2016-09-22 10:45:50,664 TRACE
[org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1)
try query paramter auth
2016-09-22 10:45:50,664 TRACE
[org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1)
try oauth
2016-09-22 10:45:50,664 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) there was a code, resolving
2016-09-22 10:45:50,664 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) checking state cookie for after code
2016-09-22 10:45:50,664 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) ** reseting application state cookie
2016-09-22 10:45:50,668 ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) failed to turn code into token:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
[jsse.jar:1.7.0_67]
at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
[keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
[keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
[keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
[keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206)
[keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43)
[keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
[keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]
Our keycloak adapter config:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <realm name="governance">
        <realm-public-key>public key string…</realm-public-key>
        <auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>
        <principal-attribute>preferred_username</principal-attribute>
        <disable-trust-manager>true</disable-trust-manager>
        <allow-any-hostname>true</allow-any-hostname>
    </realm>
    <secure-deployment name="overlord-rtgov-ui.war">
        <realm>governance</realm>
        <resource>rtgov-ui</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
    <secure-deployment name="overlord-rtgov.war">
        <realm>governance</realm>
        <resource>overlord-rtgov</resource>
        <enable-basic-auth>true</enable-basic-auth>
        <credential name="secret">password</credential>
    </secure-deployment>
</subsystem>
Could you please help us with how we can fix this? Thanks a lot.
Stefan Kasala.
------------------------------------------------------------------------
This message is for the designated recipient only and may contain
confidential or internal information. If you have received it in
error, please notify the sender immediately and delete the original.
Any other use of the e-mail by you is prohibited.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user