1:27 p.m.
Hello.
What would be the recommended way to add a custom CA certificates ? The documentation has
a lot of different ways and so far none of them worked :
- The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the
certificates in the JKS store but looks like they are completely ignored by the app
server.
- Added custom SPI to load a custom JKS store, same, no error at server start but they are
completely ignored by the app server.
This is the error I am getting :
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 99 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 105 more
Another option would be to disable certificate verification on LDAPS as it's a trusted
environment (last resort but well so far nothing else worked), would there be a way to do
that?
Connecting over LDAP is not an option a this prevent some features to work like password
reset.
Thanks.
8:14 p.m.
You can configure the Truststore SPI, which is mentioned in our docs
here:
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
Some additional notes around LDAP are here:
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
Marek
On 01/10/18 13:27, Mathieu Poussin wrote:
Hello.
What would be the recommended way to add a custom CA certificates ? The documentation has
a lot of different ways and so far none of them worked :
- The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the
certificates in the JKS store but looks like they are completely ignored by the app
server.
- Added custom SPI to load a custom JKS store, same, no error at server start but they
are completely ignored by the app server.
This is the error I am getting :
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 99 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 105 more
Another option would be to disable certificate verification on LDAPS as it's a
trusted environment (last resort but well so far nothing else worked), would there be a
way to do that?
Connecting over LDAP is not an option a this prevent some features to work like password
reset.
Thanks.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:58 a.m.
Hello Marek.
I've done that already but looks like it is completely ignored.
I have my custom truststore that have all my CA certificates (2), but I'm still seeing
the same issue. (SPI is enabled on the LDAPS settings on the admin)
Is there a way to make sure it has been loaded correctly? (I don't see any error when
the application starts but it's not working as expected)
Thanks.
Mathieu
---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda(a)redhat.com> wrote
----
You can configure the Truststore SPI, which is mentioned in our docs
here:
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
Some additional notes around LDAP are here:
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
Marek
On 01/10/18 13:27, Mathieu Poussin wrote:
> Hello.
>
> What would be the recommended way to add a custom CA certificates ? The
documentation has a lot of different ways and so far none of them worked :
>
> - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see
the certificates in the JKS store but looks like they are completely ignored by the app
server.
> - Added custom SPI to load a custom JKS store, same, no error at server start but
they are completely ignored by the app server.
>
> This is the error I am getting :
>
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> at sun.security.validator.Validator.validate(Validator.java:262)
> at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> ... 99 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
> at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> ... 105 more
>
>
> Another option would be to disable certificate verification on LDAPS as it's a
trusted environment (last resort but well so far nothing else worked), would there be a
way to do that?
> Connecting over LDAP is not an option a this prevent some features to work like
password reset.
>
> Thanks.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
11:05 a.m.
Hello Mathieu,
did you manage to make it work?
If yes, could you tell me how?
Meissa
Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a écrit :
Hello Marek.
I've done that already but looks like it is completely ignored.
I have my custom truststore that have all my CA certificates (2), but I'm
still seeing the same issue. (SPI is enabled on the LDAPS settings on the
admin)
Is there a way to make sure it has been loaded correctly? (I don't see any
error when the application starts but it's not working as expected)
Thanks.
Mathieu
---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
mposolda(a)redhat.com> wrote ----
> You can configure the Truststore SPI, which is mentioned in our docs
> here:
>
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
>
> Some additional notes around LDAP are here:
>
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
>
> Marek
>
>
> On 01/10/18 13:27, Mathieu Poussin wrote:
> > Hello.
> >
> > What would be the recommended way to add a custom CA certificates ?
The documentation has a lot of different ways and so far none of them
worked :
> >
> > - The X509_CA_BUNDLE env variable thing (It's running in a
container), I can see the certificates in the JKS store but looks like
they are completely ignored by the app server.
> > - Added custom SPI to load a custom JKS store, same, no error at
server start but they are completely ignored by the app server.
> >
> > This is the error I am getting :
> >
> > Caused by: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
> > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > at
sun.security.validator.Validator.validate(Validator.java:262)
> > at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > ... 99 more
> > Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
> > at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > ... 105 more
> >
> >
> > Another option would be to disable certificate verification on LDAPS
as it's a trusted environment (last resort but well so far nothing else
worked), would there be a way to do that?
> > Connecting over LDAP is not an option a this prevent some features to
work like password reset.
> >
> > Thanks.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:07 a.m.
Hello Meissa.
So far I could not find a way to do it, the project is now in standby, if we can't get
it to work we will probably check for another solution, unfortunately.
Thanks.
Mathieu
---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho
<msakho(a)redhat.com> wrote ----
Hello Mathieu,did you manage to make it work?If yes, could you tell
me how?Meissa
Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a écrit :
Hello Marek.
I've done that already but looks like it is completely ignored.
I have my custom truststore that have all my CA certificates (2), but I'm still
seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
Is there a way to make sure it has been loaded correctly? (I don't see any error
when the application starts but it's not working as expected)
Thanks.
Mathieu
---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda(a)redhat.com> wrote
----
> You can configure the Truststore SPI, which is mentioned in our docs
> here:
> https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
>
> Some additional notes around LDAP are here:
>
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
>
> Marek
>
>
> On 01/10/18 13:27, Mathieu Poussin wrote:
> > Hello.
> >
> > What would be the recommended way to add a custom CA certificates ? The
documentation has a lot of different ways and so far none of them worked :
> >
> > - The X509_CA_BUNDLE env variable thing (It's running in a container), I
can see the certificates in the JKS store but looks like they are completely ignored by
the app server.
> > - Added custom SPI to load a custom JKS store, same, no error at server start
but they are completely ignored by the app server.
> >
> > This is the error I am getting :
> >
> > Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
> > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > at sun.security.validator.Validator.validate(Validator.java:262)
> > at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > ... 99 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
> > at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > ... 105 more
> >
> >
> > Another option would be to disable certificate verification on LDAPS as
it's a trusted environment (last resort but well so far nothing else worked), would
there be a way to do that?
> > Connecting over LDAP is not an option a this prevent some features to work
like password reset.
> >
> > Thanks.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:29 a.m.
Hey Mathieu, Meissa,
(just quickly to double-check,) what's the template name you have
deployed RH-SSO for OpenShift image from? (assuming this is issue on
OpenShift)
If the "*sso72-x509-https*" one (or some of **-x509-** based ones) was used
to deploy the RH-SSO server pod, this won't work. Reason being the **-x509-*
*are configured in the way, to auto-generate the RH-SSO truststore (use the
defaults, and let the user not to need to supply this). Even if custom
truststore / cert is supplied, the default one will be used. AFAICT this
isn't configurable (since wasn't intended to be).
If you want the custom cert / truststore to be actually honoured, you need
to deploy the RH-SSO pod from some other (some of the passthrough TLS based
templates
<https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/...;,
not the x509 re-encrypt TLS ones).
I will file JIRAs to:
- Mention this *-x509-* template deficiency in the templates,
- RFE to get the *-x509-* ones to honour custom certificates, if
supplied.
HTH & Sorry for the inconvenience
Thank you && Regards, Jan
--
Jan iankko Lieskovsky / Keycloak / RH-SSO Team
On Wed, Oct 31, 2018 at 11:17 AM Mathieu Poussin <me(a)mpouss.in> wrote:
Hello Meissa.
So far I could not find a way to do it, the project is now in standby, if
we can't get it to work we will probably check for another solution,
unfortunately.
Thanks.
Mathieu
---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho <
msakho(a)redhat.com> wrote ----
> Hello Mathieu,did you manage to make it work?If yes, could you tell me
how?Meissa
> Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a écrit :
> Hello Marek.
>
> I've done that already but looks like it is completely ignored.
> I have my custom truststore that have all my CA certificates (2), but
I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on
the admin)
> Is there a way to make sure it has been loaded correctly? (I don't see
any error when the application starts but it's not working as expected)
>
> Thanks.
> Mathieu
>
>
> ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
mposolda(a)redhat.com> wrote ----
> > You can configure the Truststore SPI, which is mentioned in our
docs
> > here:
> >
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> >
> > Some additional notes around LDAP are here:
> >
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
> >
> > Marek
> >
> >
> > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > Hello.
> > >
> > > What would be the recommended way to add a custom CA certificates
? The documentation has a lot of different ways and so far none of them
worked :
> > >
> > > - The X509_CA_BUNDLE env variable thing (It's running in a
container), I can see the certificates in the JKS store but looks like
they are completely ignored by the app server.
> > > - Added custom SPI to load a custom JKS store, same, no error at
server start but they are completely ignored by the app server.
> > >
> > > This is the error I am getting :
> > >
> > > Caused by: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
> > > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > at
sun.security.validator.Validator.validate(Validator.java:262)
> > > at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > ... 99 more
> > > Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
> > > at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > ... 105 more
> > >
> > >
> > > Another option would be to disable certificate verification on
LDAPS as it's a trusted environment (last resort but well so far nothing
else worked), would there be a way to do that?
> > > Connecting over LDAP is not an option a this prevent some
features to work like password reset.
> > >
> > > Thanks.
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:31 p.m.
Hello Jan.
Thank you for your message.
In my case this is not deployed over OpenShift, but on a single host through Docker, we
use our own docker image on top of the official one to add our own theme and .keystore.
I confirm that the certificates are in our custom keystore (checked with keytool -list),
this is what we do in our Dockerfile :
FROM jboss/keycloak:4.5.0.Final
ADD themes/xxx /opt/jboss/keycloak/themes/xxx
ADD certs/xxx.keystore /opt/jboss/keycloak/standalone/configuration/xxx.keystore
ADD configuration/standalone.xml
/opt/jboss/keycloak/standalone/configuration/standalone.xml
And the SPI we are adding in the standalone.xml :
<spi name="truststore">
<provider name="file" enabled="true">
<properties>
<property name="file"
value="/opt/jboss/keycloak/standalone/configuration/xxx.keystore" />
<property name="password" value="xxx" />
<property name="hostname-verification-policy"
value="WILDCARD"/>
<property name="disabled" value="false"/>
</properties>
</provider>
</spi>
But no luck so far.
---- On Wed, 31 Oct 2018 11:29:07 +0100 Jan Lieskovsky <jlieskov(a)redhat.com> wrote
----
Hey Mathieu, Meissa,
(just quickly to double-check,) what's the template name you have deployed RH-SSO
for OpenShift image from? (assuming this is issue on OpenShift)
If the "sso72-x509-https" one (or some of *-x509-* based ones) was used to
deploy the RH-SSO server pod, this won't work. Reason being the *-x509-* are
configured in the way, to auto-generate the RH-SSO truststore (use the defaults, and let
the user not to need to supply this). Even if custom truststore / cert is supplied, the
default one will be used. AFAICT this isn't configurable (since wasn't intended to
be).
If you want the custom cert / truststore to be actually honoured, you need to deploy the
RH-SSO pod from some other (some of the passthrough TLS based templates, not the x509
re-encrypt TLS ones).
I will file JIRAs to:Mention this *-x509-* template deficiency in the templates,
RFE to get the *-x509-* ones to honour custom certificates, if supplied.
HTH & Sorry for the inconvenience
Thank you && Regards, Jan--Jan iankko Lieskovsky / Keycloak / RH-SSO Team
On Wed, Oct 31, 2018 at 11:17 AM Mathieu Poussin <me(a)mpouss.in> wrote:
Hello Meissa.
So far I could not find a way to do it, the project is now in standby, if we can't
get it to work we will probably check for another solution, unfortunately.
Thanks.
Mathieu
---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho
<msakho(a)redhat.com> wrote ----
> Hello Mathieu,did you manage to make it work?If yes, could you tell me how?Meissa
> Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a écrit :
> Hello Marek.
>
> I've done that already but looks like it is completely ignored.
> I have my custom truststore that have all my CA certificates (2), but I'm
still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
> Is there a way to make sure it has been loaded correctly? (I don't see any
error when the application starts but it's not working as expected)
>
> Thanks.
> Mathieu
>
>
> ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda
<mposolda(a)redhat.com> wrote ----
> > You can configure the Truststore SPI, which is mentioned in our docs
> > here:
> >
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> >
> > Some additional notes around LDAP are here:
> >
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
> >
> > Marek
> >
> >
> > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > Hello.
> > >
> > > What would be the recommended way to add a custom CA certificates ?
The documentation has a lot of different ways and so far none of them worked :
> > >
> > > - The X509_CA_BUNDLE env variable thing (It's running in a
container), I can see the certificates in the JKS store but looks like they are
completely ignored by the app server.
> > > - Added custom SPI to load a custom JKS store, same, no error at
server start but they are completely ignored by the app server.
> > >
> > > This is the error I am getting :
> > >
> > > Caused by: sun.security.validator.ValidatorException: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
> > > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > at
sun.security.validator.Validator.validate(Validator.java:262)
> > > at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > ... 99 more
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
> > > at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > ... 105 more
> > >
> > >
> > > Another option would be to disable certificate verification on LDAPS
as it's a trusted environment (last resort but well so far nothing else worked), would
there be a way to do that?
> > > Connecting over LDAP is not an option a this prevent some features to
work like password reset.
> > >
> > > Thanks.
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:20 p.m.
Few hints:
I would first check if truststore itself is correct. For example you can
use this command (replace with your actual truststore):
$ keytool -list -keystore /home/mposolda/tmp/dev1xy.truststore
Then you should see output like:
Your keystore contains 1 entry
mykey, 31-Oct-2012, trustedCertEntry,
Certificate fingerprint (SHA1):
9E:4E:B2:F2:91:42:D5:5F:17:E0:82:D8:0C:9B:04:A2:91:63:4B:E9
And then you know that alias is "mykey", so you may want to use:
$ keytool -exportcert -keystore /home/mposolda/tmp/dev1xy.truststore
-alias mykey -file /tmp/cert.crt
$ keytool -printcert -file /tmp/cert.crt
which should print all the details of your certificate. If any of the
above steps fails or certificate doesn't look as expected, you know that
issue is in the truststore file itself. Note that you are required to
provide the truststore password as well in those commands (keytool will
prompt you for it).
Another helpful thing can be to enable debug logging by adding this
system property to the command line when running Keycloak:
-Djavax.net.debug=all
That should print lots of debugging info to the server log. You can
especially take a look what it's logging when you click "Test
Connection" for your LDAP provider in the admin console. Especially if
it uses truststore file as expected, if certificate looks as expected etc.
Hope it helps,
Marek
On 31/10/18 11:07, Mathieu Poussin wrote:
Hello Meissa.
So far I could not find a way to do it, the project is now in standby, if we can't
get it to work we will probably check for another solution, unfortunately.
Thanks.
Mathieu
---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho
<msakho(a)redhat.com> wrote ----
> Hello Mathieu,did you manage to make it work?If yes, could you tell me how?Meissa
> Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a écrit :
> Hello Marek.
>
> I've done that already but looks like it is completely ignored.
> I have my custom truststore that have all my CA certificates (2), but I'm
still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
> Is there a way to make sure it has been loaded correctly? (I don't see any
error when the application starts but it's not working as expected)
>
> Thanks.
> Mathieu
>
>
> ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda
<mposolda(a)redhat.com> wrote ----
> > You can configure the Truststore SPI, which is mentioned in our docs
> > here:
> >
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> >
> > Some additional notes around LDAP are here:
> >
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
> >
> > Marek
> >
> >
> > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > Hello.
> > >
> > > What would be the recommended way to add a custom CA certificates ?
The documentation has a lot of different ways and so far none of them worked :
> > >
> > > - The X509_CA_BUNDLE env variable thing (It's running in a
container), I can see the certificates in the JKS store but looks like they are
completely ignored by the app server.
> > > - Added custom SPI to load a custom JKS store, same, no error at
server start but they are completely ignored by the app server.
> > >
> > > This is the error I am getting :
> > >
> > > Caused by: sun.security.validator.ValidatorException: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
> > > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > at
sun.security.validator.Validator.validate(Validator.java:262)
> > > at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > ... 99 more
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
> > > at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > ... 105 more
> > >
> > >
> > > Another option would be to disable certificate verification on LDAPS
as it's a trusted environment (last resort but well so far nothing else worked), would
there be a way to do that?
> > > Connecting over LDAP is not an option a this prevent some features to
work like password reset.
> > >
> > > Thanks.
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
9:33 p.m.
Mathieu, Meissa,
Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml instead of
standalone.xml by default. I guess this is why your truststore settings are being
ignored.
I've also tested Keycloak + LDAP + self-signed cert + truststore on a non-Docker
deployment - it works pretty well, so definitely not a Keycloak bug per se.
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
Hello Mathieu,
did you manage to make it work?
If yes, could you tell me how?
Meissa
> Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a écrit :
> Hello Marek.
>
> I've done that already but looks like it is completely ignored.
> I have my custom truststore that have all my CA certificates (2), but I'm
> still seeing the same issue. (SPI is enabled on the LDAPS settings on the
> admin)
> Is there a way to make sure it has been loaded correctly? (I don't see any
> error when the application starts but it's not working as expected)
>
> Thanks.
> Mathieu
>
>
> ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
> mposolda(a)redhat.com> wrote ----
> > You can configure the Truststore SPI, which is mentioned in our docs
> > here:
> >
> https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> >
> > Some additional notes around LDAP are here:
> >
>
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
> >
> > Marek
> >
> >
> > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > Hello.
> > >
> > > What would be the recommended way to add a custom CA certificates ?
> The documentation has a lot of different ways and so far none of them
> worked :
> > >
> > > - The X509_CA_BUNDLE env variable thing (It's running in a
> container), I can see the certificates in the JKS store but looks like
> they are completely ignored by the app server.
> > > - Added custom SPI to load a custom JKS store, same, no error at
> server start but they are completely ignored by the app server.
> > >
> > > This is the error I am getting :
> > >
> > > Caused by: sun.security.validator.ValidatorException: PKIX path
> building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> > > at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > at
> sun.security.validator.Validator.validate(Validator.java:262)
> > > at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>
> > > at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>
> > > at
>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>
> > > at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>
> > > ... 99 more
> > > Caused by:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> > > at
>
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>
> > > at
>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>
> > > at
> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > ... 105 more
> > >
> > >
> > > Another option would be to disable certificate verification on LDAPS
> as it's a trusted environment (last resort but well so far nothing else
> worked), would there be a way to do that?
> > > Connecting over LDAP is not an option a this prevent some features to
> work like password reset.
> > >
> > > Thanks.
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:17 p.m.
I confirm this fixed the issue :)
So simple that I didn't think about it...
Thank you
---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt(a)acutus.pro> wrote ----
Mathieu, Meissa,
Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml instead of
standalone.xml by default. I guess this is why your truststore settings are being ignored.
I've also tested Keycloak + LDAP + self-signed cert + truststore on a non-Docker
deployment - it works pretty well, so definitely not a Keycloak bug per se.
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
> Hello Mathieu,
> did you manage to make it work?
> If yes, could you tell me how?
> Meissa
>
> > Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a écrit :
>
> > Hello Marek.
> >
> > I've done that already but looks like it is completely ignored.
> > I have my custom truststore that have all my CA certificates (2), but I'm
> > still seeing the same issue. (SPI is enabled on the LDAPS settings on the
> > admin)
> > Is there a way to make sure it has been loaded correctly? (I don't see any
> > error when the application starts but it's not working as expected)
> >
> > Thanks.
> > Mathieu
> >
> >
> > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
> > mposolda(a)redhat.com> wrote ----
> > > You can configure the Truststore SPI, which is mentioned in our docs
> > > here:
> > >
> > https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> > >
> > > Some additional notes around LDAP are here:
> > >
> >
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
> > >
> > > Marek
> > >
> > >
> > > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > > Hello.
> > > >
> > > > What would be the recommended way to add a custom CA certificates ?
> > The documentation has a lot of different ways and so far none of them
> > worked :
> > > >
> > > > - The X509_CA_BUNDLE env variable thing (It's running in a
> > container), I can see the certificates in the JKS store but looks like
> > they are completely ignored by the app server.
> > > > - Added custom SPI to load a custom JKS store, same, no error at
> > server start but they are completely ignored by the app server.
> > > >
> > > > This is the error I am getting :
> > > >
> > > > Caused by: sun.security.validator.ValidatorException: PKIX path
> > building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > valid certification path to requested target
> > > > at
> > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > > at
> > sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > > at
> > sun.security.validator.Validator.validate(Validator.java:262)
> > > > at
> > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> >
> > > > at
> >
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> >
> > > > at
> >
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> >
> > > > at
> > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> >
> > > > ... 99 more
> > > > Caused by:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > valid certification path to requested target
> > > > at
> >
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> >
> > > > at
> >
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> >
> > > > at
> > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > > at
> > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > > ... 105 more
> > > >
> > > >
> > > > Another option would be to disable certificate verification on LDAPS
> > as it's a trusted environment (last resort but well so far nothing else
> > worked), would there be a way to do that?
> > > > Connecting over LDAP is not an option a this prevent some features
to
> > work like password reset.
> > > >
> > > > Thanks.
> > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > >
> > >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2:50 p.m.
My LDAPS configuration did also work fine with keycloak 3.3.5 docker image
My question was related to the The X509_CA_BUNDLE env variable that comes
with the keycloak 4.4.x docker image.
I would like to use it and wanted to know if it work.
Do I understand that it's working fine for you Mathieu?
Meissa
Le lun. 5 nov. 2018 à 12:17, Mathieu Poussin <me(a)mpouss.in> a écrit :
I confirm this fixed the issue :)
So simple that I didn't think about it...
Thank you
---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt(a)acutus.pro>
wrote ----
> Mathieu, Meissa,
>
> Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml
instead of standalone.xml by default. I guess this is why your truststore
settings are being ignored.
>
> I've also tested Keycloak + LDAP + self-signed cert + truststore on a
non-Docker deployment - it works pretty well, so definitely not a Keycloak
bug per se.
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
> > Hello Mathieu,
> > did you manage to make it work?
> > If yes, could you tell me how?
> > Meissa
> >
> > > Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a
écrit :
> >
> > > Hello Marek.
> > >
> > > I've done that already but looks like it is completely ignored.
> > > I have my custom truststore that have all my CA certificates (2),
but I'm
> > > still seeing the same issue. (SPI is enabled on the LDAPS settings
on the
> > > admin)
> > > Is there a way to make sure it has been loaded correctly? (I don't
see any
> > > error when the application starts but it's not working as expected)
> > >
> > > Thanks.
> > > Mathieu
> > >
> > >
> > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
> > > mposolda(a)redhat.com> wrote ----
> > > > You can configure the Truststore SPI, which is mentioned in our
docs
> > > > here:
> > > >
> > >
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> > > >
> > > > Some additional notes around LDAP are here:
> > > >
> > >
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
> > > >
> > > > Marek
> > > >
> > > >
> > > > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > > > Hello.
> > > > >
> > > > > What would be the recommended way to add a custom CA
certificates ?
> > > The documentation has a lot of different ways and so far none of
them
> > > worked :
> > > > >
> > > > > - The X509_CA_BUNDLE env variable thing (It's running in
a
> > > container), I can see the certificates in the JKS store but looks
like
> > > they are completely ignored by the app server.
> > > > > - Added custom SPI to load a custom JKS store, same, no error
at
> > > server start but they are completely ignored by the app server.
> > > > >
> > > > > This is the error I am getting :
> > > > >
> > > > > Caused by: sun.security.validator.ValidatorException: PKIX
path
> > > building failed:
> > > sun.security.provider.certpath.SunCertPathBuilderException: unable
to find
> > > valid certification path to requested target
> > > > > at
> > >
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > > > at
> > >
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > > > at
> > > sun.security.validator.Validator.validate(Validator.java:262)
> > > > > at
> > >
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > >
> > > > > at
> > >
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > >
> > > > > at
> > >
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > >
> > > > > at
> > >
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > >
> > > > > ... 99 more
> > > > > Caused by:
> > > sun.security.provider.certpath.SunCertPathBuilderException: unable
to find
> > > valid certification path to requested target
> > > > > at
> > >
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > >
> > > > > at
> > >
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > >
> > > > > at
> > > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > > > at
> > >
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > > > ... 105 more
> > > > >
> > > > >
> > > > > Another option would be to disable certificate verification
on
LDAPS
> > > as it's a trusted environment (last resort but well so far nothing
else
> > > worked), would there be a way to do that?
> > > > > Connecting over LDAP is not an option a this prevent some
features to
> > > work like password reset.
> > > > >
> > > > > Thanks.
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user(a)lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > > >
> > > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
10:18 a.m.
Hi Mathieu,
Regarding your statement below:
- *The X509_CA_BUNDLE env variable thing (It's running in a container), I
can see the certificates in the JKS store *
Could you please tell me how you managed to see the certificates in the JKS
store?
Regards,
Meissa
Le mar. 6 nov. 2018 à 14:50, Meissa M'baye Sakho <msakho(a)redhat.com> a
écrit :
My LDAPS configuration did also work fine with keycloak 3.3.5 docker
image
My question was related to the The X509_CA_BUNDLE env variable that comes
with the keycloak 4.4.x docker image.
I would like to use it and wanted to know if it work.
Do I understand that it's working fine for you Mathieu?
Meissa
Le lun. 5 nov. 2018 à 12:17, Mathieu Poussin <me(a)mpouss.in> a écrit :
> I confirm this fixed the issue :)
>
> So simple that I didn't think about it...
>
> Thank you
>
> ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt(a)acutus.pro>
> wrote ----
> > Mathieu, Meissa,
> >
> > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml
> instead of standalone.xml by default. I guess this is why your truststore
> settings are being ignored.
> >
> > I've also tested Keycloak + LDAP + self-signed cert + truststore on a
> non-Docker deployment - it works pretty well, so definitely not a Keycloak
> bug per se.
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info(a)acutus.pro
> >
> > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
> > > Hello Mathieu,
> > > did you manage to make it work?
> > > If yes, could you tell me how?
> > > Meissa
> > >
> > > > Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in> a
> écrit :
> > >
> > > > Hello Marek.
> > > >
> > > > I've done that already but looks like it is completely ignored.
> > > > I have my custom truststore that have all my CA certificates (2),
> but I'm
> > > > still seeing the same issue. (SPI is enabled on the LDAPS settings
> on the
> > > > admin)
> > > > Is there a way to make sure it has been loaded correctly? (I
don't
> see any
> > > > error when the application starts but it's not working as
> expected)
> > > >
> > > > Thanks.
> > > > Mathieu
> > > >
> > > >
> > > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
> > > > mposolda(a)redhat.com> wrote ----
> > > > > You can configure the Truststore SPI, which is mentioned in
our
> docs
> > > > > here:
> > > > >
> > > >
> https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> > > > >
> > > > > Some additional notes around LDAP are here:
> > > > >
> > > >
>
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
> > > > >
> > > > > Marek
> > > > >
> > > > >
> > > > > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > > > > Hello.
> > > > > >
> > > > > > What would be the recommended way to add a custom CA
> certificates ?
> > > > The documentation has a lot of different ways and so far none of
> them
> > > > worked :
> > > > > >
> > > > > > - The X509_CA_BUNDLE env variable thing (It's running
in a
> > > > container), I can see the certificates in the JKS store but looks
> like
> > > > they are completely ignored by the app server.
> > > > > > - Added custom SPI to load a custom JKS store, same, no
error
> at
> > > > server start but they are completely ignored by the app server.
> > > > > >
> > > > > > This is the error I am getting :
> > > > > >
> > > > > > Caused by: sun.security.validator.ValidatorException:
PKIX
> path
> > > > building failed:
> > > > sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find
> > > > valid certification path to requested target
> > > > > > at
> > > >
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > > > > at
> > > >
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > > > > at
> > > > sun.security.validator.Validator.validate(Validator.java:262)
> > > > > > at
> > > >
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>
> > > >
> > > > > > at
> > > >
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>
> > > >
> > > > > > at
> > > >
>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>
> > > >
> > > > > > at
> > > >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>
> > > >
> > > > > > ... 99 more
> > > > > > Caused by:
> > > > sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find
> > > > valid certification path to requested target
> > > > > > at
> > > >
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>
> > > >
> > > > > > at
> > > >
>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>
> > > >
> > > > > > at
> > > > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > > > > at
> > > >
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > > > > ... 105 more
> > > > > >
> > > > > >
> > > > > > Another option would be to disable certificate
verification
> on LDAPS
> > > > as it's a trusted environment (last resort but well so far
nothing
> else
> > > > worked), would there be a way to do that?
> > > > > > Connecting over LDAP is not an option a this prevent some
> features to
> > > > work like password reset.
> > > > > >
> > > > > > Thanks.
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user(a)lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
>
10:47 a.m.
Hi Mathieu, I finally managed to see the certificates in the jks store.
I need to defind the outgoing https request and the truststore password is
required.
Did you find a way to get the truststore password?
Meissa
Le ven. 9 nov. 2018 à 10:18, Meissa M'baye Sakho <msakho(a)redhat.com> a
écrit :
Hi Mathieu,
Regarding your statement below:
- *The X509_CA_BUNDLE env variable thing (It's running in a container), I
can see the certificates in the JKS store *
Could you please tell me how you managed to see the certificates in the
JKS store?
Regards,
Meissa
Le mar. 6 nov. 2018 à 14:50, Meissa M'baye Sakho <msakho(a)redhat.com> a
écrit :
> My LDAPS configuration did also work fine with keycloak 3.3.5 docker image
> My question was related to the The X509_CA_BUNDLE env variable that
> comes with the keycloak 4.4.x docker image.
> I would like to use it and wanted to know if it work.
> Do I understand that it's working fine for you Mathieu?
> Meissa
>
> Le lun. 5 nov. 2018 à 12:17, Mathieu Poussin <me(a)mpouss.in> a écrit :
>
>> I confirm this fixed the issue :)
>>
>> So simple that I didn't think about it...
>>
>> Thank you
>>
>> ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin <dt(a)acutus.pro>
>> wrote ----
>> > Mathieu, Meissa,
>> >
>> > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml
>> instead of standalone.xml by default. I guess this is why your truststore
>> settings are being ignored.
>> >
>> > I've also tested Keycloak + LDAP + self-signed cert + truststore on a
>> non-Docker deployment - it works pretty well, so definitely not a Keycloak
>> bug per se.
>> >
>> > Good luck!
>> > Dmitry Telegin
>> > CTO, Acutus s.r.o.
>> > Keycloak Consulting and Training
>> >
>> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> > +42 (022) 888-30-71
>> > E-mail: info(a)acutus.pro
>> >
>> > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
>> > > Hello Mathieu,
>> > > did you manage to make it work?
>> > > If yes, could you tell me how?
>> > > Meissa
>> > >
>> > > > Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me(a)mpouss.in>
a
>> écrit :
>> > >
>> > > > Hello Marek.
>> > > >
>> > > > I've done that already but looks like it is completely
ignored.
>> > > > I have my custom truststore that have all my CA certificates
(2),
>> but I'm
>> > > > still seeing the same issue. (SPI is enabled on the LDAPS
>> settings on the
>> > > > admin)
>> > > > Is there a way to make sure it has been loaded correctly? (I
>> don't see any
>> > > > error when the application starts but it's not working as
>> expected)
>> > > >
>> > > > Thanks.
>> > > > Mathieu
>> > > >
>> > > >
>> > > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
>> > > > mposolda(a)redhat.com> wrote ----
>> > > > > You can configure the Truststore SPI, which is mentioned
in
>> our docs
>> > > > > here:
>> > > > >
>> > > >
>> https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
>> > > > >
>> > > > > Some additional notes around LDAP are here:
>> > > > >
>> > > >
>>
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
>> > > > >
>> > > > > Marek
>> > > > >
>> > > > >
>> > > > > On 01/10/18 13:27, Mathieu Poussin wrote:
>> > > > > > Hello.
>> > > > > >
>> > > > > > What would be the recommended way to add a custom CA
>> certificates ?
>> > > > The documentation has a lot of different ways and so far none of
>> them
>> > > > worked :
>> > > > > >
>> > > > > > - The X509_CA_BUNDLE env variable thing (It's
running in a
>> > > > container), I can see the certificates in the JKS store but
>> looks like
>> > > > they are completely ignored by the app server.
>> > > > > > - Added custom SPI to load a custom JKS store, same,
no
>> error at
>> > > > server start but they are completely ignored by the app server.
>> > > > > >
>> > > > > > This is the error I am getting :
>> > > > > >
>> > > > > > Caused by: sun.security.validator.ValidatorException:
PKIX
>> path
>> > > > building failed:
>> > > > sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find
>> > > > valid certification path to requested target
>> > > > > > at
>> > > >
>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>> > > > > > at
>> > > >
>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>> > > > > > at
>> > > > sun.security.validator.Validator.validate(Validator.java:262)
>> > > > > > at
>> > > >
>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>
>> > > >
>> > > > > > at
>> > > >
>>
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>
>> > > >
>> > > > > > at
>> > > >
>>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>
>> > > >
>> > > > > > at
>> > > >
>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>>
>> > > >
>> > > > > > ... 99 more
>> > > > > > Caused by:
>> > > > sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find
>> > > > valid certification path to requested target
>> > > > > > at
>> > > >
>>
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>
>> > > >
>> > > > > > at
>> > > >
>>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>
>> > > >
>> > > > > > at
>> > > >
>> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> > > > > > at
>> > > >
>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>> > > > > > ... 105 more
>> > > > > >
>> > > > > >
>> > > > > > Another option would be to disable certificate
verification
>> on LDAPS
>> > > > as it's a trusted environment (last resort but well so far
>> nothing else
>> > > > worked), would there be a way to do that?
>> > > > > > Connecting over LDAP is not an option a this prevent
some
>> features to
>> > > > work like password reset.
>> > > > > >
>> > > > > > Thanks.
>> > > > > >
>> > > > > >
>> > > > > > _______________________________________________
>> > > > > > keycloak-user mailing list
>> > > > > > keycloak-user(a)lists.jboss.org
>> > > > > >
https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > > > >
>> > > > >
>> > > > >
>> > > >
>> > > >
>> > > > _______________________________________________
>> > > > keycloak-user mailing list
>> > > > keycloak-user(a)lists.jboss.org
>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > > >
>> > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user(a)lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>>
>>
1985
days inactive
2027
days old
12 comments
5 participants
participants (5)
-
Dmitry Telegin -
Jan Lieskovsky -
Marek Posolda -
Mathieu Poussin -
Meissa M'baye Sakho