Found this during quick googling : http://stackoverflow.com/questions/9578129/exception-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated . So looks like different Java version can be possibly an issue... Other possibility can be an expired certificate.

If it's possible for you, I would try to generate new keystore for auth-server and then export new key again to the adapter truststore. Also it can help to check if moving both Java 8 will help.

Marek

On 27/09/16 08:30, KASALA Štefan wrote:

Hello,

One more information to add:

-          keycloak-as7-adapter-2.1.0 – is running on JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) (Java 7)

-          keycloak-2.1.0.Final (server) – is running on WildFly Core 2.0.10.Final (Java 8)

Stefan

 

From: KASALA Štefan
Sent: Tuesday, September 27, 2016 8:02 AM
To: 'Marek Posolda' <mposolda@redhat.com>; keycloak-user@lists.jboss.org
Subject: RE: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

 

Hello,

Thanks for tip. If you check my first email, I already tried this configuration for adapter

Our keycloak adapter config:

        <subsystem xmlns="urn:jboss:domain:keycloak:1.1">

            <realm name="governance">

                ….

                <disable-trust-manager>true</disable-trust-manager>

                …

            </realm>

            <secure-deployment name="overlord-rtgov-ui.war">

            </secure-deployment>

        </subsystem>

 

We also tried:

                …

                <truststore>/etc/pki/ca-trust/extracted/java/cacerts</truststore>

                <truststore-password>cacerts_password</truststore-password>

                …

 

But in all cases we get the exception - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

 

Stefan

 

From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Monday, September 26, 2016 4:46 PM
To: KASALA Štefan <Stefan.Kasala@posam.sk>; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

 

It seems you need to configure truststore on adapter side, so the adapter (which uses Apache HTTP Client under the hood) is able to communicate with Keycloak server and trust it. You can take a look at docs and see the options related to truststore [1] .

[1] https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html

Marek

On 26/09/16 09:46, KASALA Štefan wrote:

Hello,

Please let me know, if you need more information to make the problem better to understand. Thanks a lot.

Stefan

 

From: keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
Sent: Thursday, September 22, 2016 10:55 AM
To: keycloak-user@lists.jboss.org
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

 

Hello all,

We have keycloak-2.1.0.Final server and keycloak-as7-adapter-2.1.0 adapter version installed. We are trying to configure https proxy / lb for keycloak server.  I am getting the following error from keycloak adapter after succesfull sign in to keycloak server. Here is the keycloak adapter log part:

 

2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/

2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()

2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer

2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth

2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth

2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was no code

2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) redirecting to auth server

2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) callback uri: https://lbbams.intra.dcom.sk/rtgov-ui/

2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Sending redirect to login page: https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-connect/auth?response_type=code&cl

ient_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid

2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&code=Q_sNdYGZ-St2psIoJwvTZCJTUgrvGwRlYa

UprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a

2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()

2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer

2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth

2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth

2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was a code, resolving

2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) checking state cookie for after code

2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) ** reseting application state cookie

2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_67]

        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]

        at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]

        at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]

        at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]

        at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]

        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]

        at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]

        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]

        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]

 

 

 

Our keycloak adapter config:

        <subsystem xmlns="urn:jboss:domain:keycloak:1.1">

            <realm name="governance">

                <realm-public-key>public key string…</realm-public-key>

                <auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>

                <principal-attribute>preferred_username</principal-attribute>

                <disable-trust-manager>true</disable-trust-manager>

                <allow-any-hostname>true</allow-any-hostname>

            </realm>

            <secure-deployment name="overlord-rtgov-ui.war">

                <realm>governance</realm>

                <resource>rtgov-ui</resource>

                <credential name="secret">password</credential>

            </secure-deployment>

            <secure-deployment name="overlord-rtgov.war">

                <realm>governance</realm>

                <resource>overlord-rtgov</resource>

                <enable-basic-auth>true</enable-basic-auth>

                <credential name="secret">password</credential>

            </secure-deployment>

        </subsystem>

 

Could you please help us, how can we fix this? Thanks a log.

Stefan Kasala.

 



Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný.

This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.

 



Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný.

This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

 




Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný.

This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.