Hi Marko,
I use Keycloak 1.4.0.Final but it's the same with the latest one.
Here is the error that I get from the "KeycloakInstalled" adaptor but
it's the same for at least the Jetty9.2 one:
//---------------------------------------------------------------------
Open the following URL in a browser. After login copy/paste the code
back and press <enter>
https://sso.gnubila.fr/auth/realms/Tests/protocol/openid-connect/auth?res...
Code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:122)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:95)
    at org.keycloak.adapters.installed.KeycloakInstalled.processCode(KeycloakInstalled.java:232)
    at org.keycloak.adapters.installed.KeycloakInstalled.loginManual(KeycloakInstalled.java:168)
    at org.keycloak.adapters.installed.KeycloakInstalled.loginManual(KeycloakInstalled.java:147)
    at cmd_client.main(cmd_client.java:64)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 30 more
//---------------------------------------------------------------------
Best,
Jerome
On 19/02/2016 15:12, Marko Strukelj wrote:
What version of Keycloak are you using, and what have you tried so
far?
It sounds like you've tried to not set "truststore", and it didn't
work. What's the exception you get?
On Fri, Feb 19, 2016 at 2:41 PM, Jérôme Revillard
<jrevillard(a)gnubila.fr> wrote:
Any advice for this, please?
Best,
Jerome
On 17/02/2016 11:19, Jérôme Revillard wrote:
> Yes, it seems to be the case for the server, but not for the
> clients. See the truststore config description here:
>
> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#...
>
> Best,
> Jerome
>
> On 17/02/2016 11:09, Bruno Oliveira wrote:
>> I'm not sure if I got your question in the right way. But from
>> my understanding Java truststore is the standard fall back.
>>
>> See item 3.2.5
>>
>> https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins...
>>
>> On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard
>> <jrevillard(a)gnubila.fr> wrote:
>>
>> Dear all,
>>
>> I'm testing now a Keycloak server properly configured with https
>> configuration.
>> The server certificate is one which is already known by the
>> default Java truststore.
>> Would it be possible to set up the keycloak.json adapter config
>> to use this default Java truststore?
>>
>> Best,
>> Jerome
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>