Hello,
Finally we managed to fix the issue. Problem was with org.apache.httpcomponents module on
Keycloak adapter side. We have there JBoss EAP 6.3.0.GA installation, which has
httpclient jar version 4.2.1. After debug we found out problem was SNI. SNI support in
httpclient was added from version 4.3.2
(
https://issues.apache.org/jira/browse/HTTPCLIENT-1119). We managed to upgrade
httpcomponents to 4.3.6 and 4.3.3 version, now it works fine.
One more thanks for help.
Stefan
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Tuesday, September 27, 2016 10:03 AM
To: KASALA Štefan <Stefan.Kasala(a)posam.sk>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
Found this during quick googling :
http://stackoverflow.com/questions/9578129/exception-javax-net-ssl-sslpee...
. So looks like different Java version can be possibly an issue... Other possibility can
be an expired certificate.
If it's possible for you, I would try to generate new keystore for auth-server and
then export new key again to the adapter truststore. Also it can help to check if moving
both Java 8 will help.
Marek
On 27/09/16 08:30, KASALA Štefan wrote:
Hello,
One more information to add:
- keycloak-as7-adapter-2.1.0 – is running on JBoss EAP 6.3.0.GA (AS
7.4.0.Final-redhat-19) (Java 7)
- keycloak-2.1.0.Final (server) – is running on WildFly Core 2.0.10.Final (Java
8)
Stefan
From: KASALA Štefan
Sent: Tuesday, September 27, 2016 8:02 AM
To: 'Marek Posolda' <mposolda@redhat.com><mailto:mposolda@redhat.com>;
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: RE: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
Hello,
Thanks for tip. If you check my first email, I already tried this configuration for
adapter
Our keycloak adapter config:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<realm name="governance">
….
<disable-trust-manager>true</disable-trust-manager>
…
</realm>
<secure-deployment name="overlord-rtgov-ui.war">
…
</secure-deployment>
…
</subsystem>
We also tried:
…
<truststore>/etc/pki/ca-trust/extracted/java/cacerts</truststore>
<truststore-password>cacerts_password</truststore-password>
…
But in all cases we get the exception - javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
Stefan
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Monday, September 26, 2016 4:46 PM
To: KASALA Štefan <Stefan.Kasala@posam.sk<mailto:Stefan.Kasala@posam.sk>>;
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
It seems you need to configure truststore on adapter side, so the adapter (which uses
Apache HTTP Client under the hood) is able to communicate with Keycloak server and trust
it. You can take a look at docs and see the options related to truststore [1] .
[1]
https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...
Marek
On 26/09/16 09:46, KASALA Štefan wrote:
Hello,
Please let me know, if you need more information to make the problem better to understand.
Thanks a lot.
Stefan
From:
keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>
[mailto:keycloak-user-bounces@lists.jboss.org]
Sent: Thursday, September 22, 2016 10:55 AM
To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
Hello all,
We have keycloak-2.1.0.Final server and keycloak-as7-adapter-2.1.0 adapter version
installed. We are trying to configure https proxy / lb for keycloak server. I am getting
the following error from keycloak adapter after succesfull sign in to keycloak server.
Here is the keycloak adapter log part:
2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(http-/0.0.0.0:8080-1) adminRequest
https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator]
(http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator]
(http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator]
(http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator]
(http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) there was no code
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) redirecting to auth server
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) callback uri:
https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) Sending redirect to login page:
https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-conne...
ient_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(http-/0.0.0.0:8080-1) adminRequest
https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-...
UprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator]
(http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator]
(http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator]
(http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator]
(http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) there was a code, resolving
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) checking state cookie for after code
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) ** reseting application state cookie
2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) failed to turn code into token:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
[jsse.jar:1.7.0_67]
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
[httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
[keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
[keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
[keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
[keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206)
[keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
at
org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43)
[keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
[keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]
Our keycloak adapter config:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<realm name="governance">
<realm-public-key>public key string…</realm-public-key>
<auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>
<principal-attribute>preferred_username</principal-attribute>
<disable-trust-manager>true</disable-trust-manager>
<allow-any-hostname>true</allow-any-hostname>
</realm>
<secure-deployment name="overlord-rtgov-ui.war">
<realm>governance</realm>
<resource>rtgov-ui</resource>
<credential name="secret">password</credential>
</secure-deployment>
<secure-deployment name="overlord-rtgov.war">
<realm>governance</realm>
<resource>overlord-rtgov</resource>
<enable-basic-auth>true</enable-basic-auth>
<credential name="secret">password</credential>
</secure-deployment>
</subsystem>
Could you please help us, how can we fix this? Thanks a log.
Stefan Kasala.
________________________________
Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné
informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju.
Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný.
This message is for the designated recipient only and may contain confidential or internal
information. If you have received it in error, please notify the sender immediately and
delete the original. Any other use of the e-mail by you is prohibited.
________________________________
Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné
informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju.
Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný.
This message is for the designated recipient only and may contain confidential or internal
information. If you have received it in error, please notify the sender immediately and
delete the original. Any other use of the e-mail by you is prohibited.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
________________________________
Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné
informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju.
Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný.
This message is for the designated recipient only and may contain confidential or internal
information. If you have received it in error, please notify the sender immediately and
delete the original. Any other use of the e-mail by you is prohibited.
________________________________
Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné
informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju.
Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný.
This message is for the designated recipient only and may contain confidential or internal
information. If you have received it in error, please notify the sender immediately and
delete the original. Any other use of the e-mail by you is prohibited.