Hello Jan.
Thank you for your message.
In my case this is not deployed on OpenShift, but on a single host through Docker. We
use our own Docker image on top of the official one to add our own theme and .keystore.
I confirm that the certificates are in our custom keystore (checked with keytool -list).
This is what we do in our Dockerfile:
FROM jboss/keycloak:4.5.0.Final
ADD themes/xxx /opt/jboss/keycloak/themes/xxx
ADD certs/xxx.keystore /opt/jboss/keycloak/standalone/configuration/xxx.keystore
ADD configuration/standalone.xml /opt/jboss/keycloak/standalone/configuration/standalone.xml
And the SPI configuration we are adding in standalone.xml:
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="/opt/jboss/keycloak/standalone/configuration/xxx.keystore"/>
            <property name="password" value="xxx"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
But no luck so far.
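Added example, not code from this thread or from Keycloak: the question raised further down is how to make sure a custom truststore has actually been loaded. The JVM opens a JKS file by recomputing a SHA-1 integrity digest over the whole file from the keystore password, so the first thing to establish is that the file shipped into the image opens with the password given in standalone.xml and contains the CA certificates expected. The script below does that without a JDK on the build host, so it can run as a check in the image build. It assumes only the JKS container format written by OpenJDK's keytool (magic 0xFEEDFEED, version 2); the two "certificates" in the sample are constructed placeholder byte strings, not real DER certificates, and the password "xxx" mirrors the configuration above.

```python
"""Open a JKS truststore the way the JVM does and list its trusted CAs.

Added example (not from the thread or Keycloak). Assumes the JKS layout
written by OpenJDK keytool: magic 0xFEEDFEED, version 2, entries, then a
20-byte SHA-1 integrity digest keyed with the keystore password.
"""
import hashlib
import struct
import time

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string JavaKeyStore hashes in


def _integrity_digest(password, body):
    # SHA-1 over the password as UTF-16BE chars, the salt, then the body.
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()


def _utf(s):
    # Java DataOutput.writeUTF: 2-byte big-endian length + UTF-8 bytes.
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def utf(self):
        return self.take(self.u16()).decode("utf-8")


def read_jks(data, password):
    """Return [(alias, cert_type, der_bytes)] for every trusted-cert entry.
    Raises ValueError on a wrong password or a modified file (what keytool
    reports as "Keystore was tampered with, or password was incorrect")."""
    if len(data) < 20:
        raise ValueError("too short to be a JKS keystore")
    body, stored = data[:-20], data[-20:]
    if _integrity_digest(password, body) != stored:
        raise ValueError("integrity check failed: wrong password or tampered file")
    r = _Reader(body)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore (bad magic)")
    if r.u32() != JKS_VERSION:
        raise ValueError("unsupported JKS version")
    entries = []
    for _ in range(r.u32()):
        tag = r.u32()
        alias = r.utf()
        r.take(8)  # creation timestamp, ms since epoch
        if tag == TAG_TRUSTED_CERT:
            cert_type = r.utf()
            entries.append((alias, cert_type, r.take(r.u32())))
        elif tag == TAG_PRIVATE_KEY:
            r.take(r.u32())  # protected key blob, skipped
            for _ in range(r.u32()):  # certificate chain, skipped
                r.utf()
                r.take(r.u32())
        else:
            raise ValueError("unknown entry tag %d" % tag)
    if r.pos != len(body):
        raise ValueError("trailing bytes after last entry")
    return entries


def write_jks(trusted, password):
    """Build a JKS blob of trusted-cert entries (the layout keytool -importcert
    writes); used only to construct the sample input below."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted)))
    for alias, der in trusted:
        out += struct.pack(">I", TAG_TRUSTED_CERT) + _utf(alias)
        out += struct.pack(">Q", int(time.time() * 1000))
        out += _utf("X.509") + struct.pack(">I", len(der)) + der
    out += _integrity_digest(password, bytes(out))
    return bytes(out)


def sha256_fingerprint(der):
    # Same colon-separated form that keytool -list prints.
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())


def missing_cas(data, password, expected_fingerprints):
    """Expected fingerprints that are NOT in the truststore (empty == all present)."""
    present = {sha256_fingerprint(der) for _, _, der in read_jks(data, password)}
    return sorted(set(expected_fingerprints) - present)


# Constructed sample: placeholder bytes stand in for the two CA certificates.
ROOT_CA_DER = b"constructed-root-ca-der-placeholder"
ISSUING_CA_DER = b"constructed-issuing-ca-der-placeholder"
SAMPLE_PASSWORD = "xxx"  # the password used in the standalone.xml above
SAMPLE_KEYSTORE = write_jks(
    [("root-ca", ROOT_CA_DER), ("issuing-ca", ISSUING_CA_DER)], SAMPLE_PASSWORD)

if __name__ == "__main__":
    for alias, ctype, der in read_jks(SAMPLE_KEYSTORE, SAMPLE_PASSWORD):
        print(alias, ctype, sha256_fingerprint(der))
```

In practice the expected fingerprints come from the LDAPS server's own chain (for example the CA certificates shown by openssl s_client -showcerts against the directory server); if missing_cas() returns anything, the keystore in the image cannot validate that server no matter how the SPI is wired up. A passing check only proves the file is sound, not that the server picked it up, so the next step is still to confirm the SPI is consulted for the LDAP connection.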
---- On Wed, 31 Oct 2018 11:29:07 +0100 Jan Lieskovsky <jlieskov(a)redhat.com> wrote ----
Hey Mathieu, Meissa,
(Just quickly to double-check:) what's the name of the template you deployed the RH-SSO
for OpenShift image from? (Assuming this is an issue on OpenShift.)
If the "sso72-x509-https" one (or one of the other *-x509-* based ones) was used to
deploy the RH-SSO server pod, this won't work. The reason is that the *-x509-* templates are
configured to auto-generate the RH-SSO truststore (use the defaults, so that
the user does not need to supply one). Even if a custom truststore / cert is supplied, the
default one will be used. AFAICT this isn't configurable (since it wasn't intended to
be).
If you want the custom cert / truststore to actually be honoured, you need to deploy the
RH-SSO pod from some other template (one of the passthrough TLS based templates, not the x509
re-encrypt TLS ones).
I will file JIRAs to:
- mention this *-x509-* template deficiency in the templates,
- RFE to get the *-x509-* ones to honour custom certificates, if supplied.
HTH & sorry for the inconvenience.
Thank you && regards, Jan
--
Jan iankko Lieskovsky / Keycloak / RH-SSO Team
On Wed, Oct 31, 2018 at 11:17 AM Mathieu Poussin <me(a)mpouss.in> wrote:
Hello Meissa.
So far I could not find a way to do it. The project is now on standby; if we can't
get it to work we will probably look for another solution, unfortunately.
Thanks.
Mathieu
---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho <msakho(a)redhat.com> wrote ----
> Hello Mathieu,
> did you manage to make it work? If yes, could you tell me how?
> Meissa
> On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin <me(a)mpouss.in> wrote:
> Hello Marek.
>
> I've done that already, but it looks like it is completely ignored.
> I have my custom truststore that has all my CA certificates (2), but I'm
> still seeing the same issue. (The SPI is enabled in the LDAPS settings in the admin console.)
> Is there a way to make sure it has been loaded correctly? (I don't see any
> error when the application starts, but it's not working as expected.)
>
> Thanks.
> Mathieu
>
>
> ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda(a)redhat.com> wrote ----
> > You can configure the Truststore SPI, which is mentioned in our docs
> > here:
> > https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> >
> > Some additional notes around LDAP are here:
> > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-l...
> >
> > Marek
> >
> >
> > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > Hello.
> > >
> > > What would be the recommended way to add custom CA certificates?
> > > The documentation lists a lot of different ways, and so far none of them worked:
> > >
> > > - The X509_CA_BUNDLE env variable (it's running in a container): I can see the
> > > certificates in the JKS store, but it looks like they are completely ignored by the
> > > app server.
> > > - Added a custom SPI to load a custom JKS store: same result, no error at
> > > server start, but they are completely ignored by the app server.
> > >
> > > This is the error I am getting :
> > >
> > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > >     at sun.security.validator.Validator.validate(Validator.java:262)
> > >     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > >     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > >     ... 99 more
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > >     ... 105 more
> > >
> > >
> > > Another option would be to disable certificate verification on LDAPS, as it's a
> > > trusted environment (a last resort, but so far nothing else has worked); would
> > > there be a way to do that?
> > > Connecting over LDAP is not an option, as this prevents some features from
> > > working, like password reset.
> > >
> > > Thanks.
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > >
https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
>
>