Re: [keycloak-user] Add CA certificates for LDAPS ?

Hello Marek. I've done that already but looks like it is completely ignored. I have my custom truststore that have all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin) Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected) Thanks. Mathieu ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda < mposolda(a)redhat.com&gt; wrote ---- > You can configure the Truststore SPI, which is mentioned in our docs > here: > https://www.keycloak.org/docs/latest/server_installation/index.html#_trus... > > Some additional notes around LDAP are here: > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l... > > Marek > > > On 01/10/18 13:27, Mathieu Poussin wrote: > > Hello. > > > > What would be the recommended way to add a custom CA certificates ? The documentation has a lot of different ways and so far none of them worked : > > > > - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server. > > - Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server. > > > > This is the error I am getting : > > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) > > at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) > > at sun.security.validator.Validator.validate(Validator.java:262) > > at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > > at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > > at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) > > at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) > > ... 99 more > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > > at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) > > at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) > > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) > > ... 105 more > > > > > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort but well so far nothing else worked), would there be a way to do that? > > Connecting over LDAP is not an option a this prevent some features to work like password reset. > > > > Thanks. > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user