When using 'truststore' provider it is up to you to make sure to
include all the certificates you trust. Configuration via
-Djavax.net.ssl.trustStore works the same - no automatic inclusion of
cacerts. But it sounds like a good usability feature to add a flag
that would automatically include cacerts as well. The problem is - it
happens occasionally that some CAs turn out not to be trustworthy, and
blindly importing all cacerts exposes you to that risk.
One detail to emphasize, with third party not-self-signed certificates
it's important to include the CA certificate used to create the
specific server certificate, rather than the server certificate
itself. Facebook servers use different short-lived server certificates
- and with two consecutive requests you may be presented with two
different server certificates - but they are all issued by the same
long-lived trusted CA.
On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda <mposolda@redhat.com> wrote:
> Facebook certificate should be signed by trusted authority, so it works with
> default JDK truststore. At least for me it always works.
>
> Shouldn't truststore SPI use both provided file + default JDK truststore by
> default? We may have flag to disable default JDK truststore, but not sure if
> it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP
> client provided by HttpClientProvider SPI?
>
> Marek
>
>
> On 11/02/16 15:23, Stian Thorgersen wrote:
>
> Does it work if you don't specify the truststore? That will use the default
> truststore provided by the JDK.
>
> Also, does your truststore contain the required CA certs? For Facebook to
> work it'll have to contain the required CA's for their certs
>
> On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes@gjccorp.com.br>
> wrote:
>>
>> Hi, i'm getting the error below when I try to login with Facebook.
>> I've followed the instructions at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore
>> and
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
>>
>> I was able to login with Facebook when trying at localhost. But at our
>> development server we are getting this error.
>>
>> We are using EAP in domain mode.
>>
>> The truststore I placed inside of keycloak-server.json
>> "truststore": {
>> "file": {
>> "file": "/home/soa/jboss/ssl/keycloak.jks",
>> "password": "keycloak123",
>> "hostname-verification-policy": "ANY",
>> "disabled": false
>> }
>> }
>>
>>
>> #######
>>
>> ERRO:
>>
>>
>> 2016-02-11 10:44:53,927 ERROR
>> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
>> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
>> callback: javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
>> [rt.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>> [rt.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
>> [rt.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
>> [rt.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>> [rt.jar:1.8.0_45]
>> at
>> org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
>> at
>> org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> [rt.jar:1.8.0_45]
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> [rt.jar:1.8.0_45]
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> [rt.jar:1.8.0_45]
>> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>> at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
>> at
>> org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
>> at
>> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
>> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
>> to find valid certification path to requested target
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>> [rt.jar:1.8.0_45]
>> at
>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>> [rt.jar:1.8.0_45]
>> at sun.security.validator.Validator.validate(Validator.java:260)
>> [rt.jar:1.8.0_45]
>> at
>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
>> [jsse.jar:1.8.0_45]
>> ... 50 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> at
>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
>> [rt.jar:1.8.0_45]
>> at
>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>> [rt.jar:1.8.0_45]
>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> [rt.jar:1.8.0_45]
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>> [rt.jar:1.8.0_45]
>> ... 56 more
>>
>>
>>
>>
>>
>> --
>> Leonardo Nunes
>> ________________________________
>> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
>> você não for o destinatário ou a pessoa autorizada a receber esta mensagem,
>> não poderá usar, copiar ou divulgar as informações nela contidas ou tomar
>> qualquer ação baseada nessas informações. Se você recebeu esta mensagem por
>> engano, por favor avise imediatamente o remetente, respondendo o e-mail e em
>> seguida apague-o. Agradecemos sua cooperação.
>>
>> This message may contain confidential and/or privileged information. If
>> you are not the addressee or authorized to receive this for the addressee,
>> you must not use, copy, disclose or take any action based on this message or
>> any information herein. If you have received this message in error, please
>> advise the sender immediately by reply e-mail and delete this message. Thank
>> you for your cooperation
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user