7:09 a.m.
Hi, i'm getting the error below when I try to login with Facebook.
I've followed the instructions at
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
and
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
I was able to login with Facebook when trying at localhost. But at our development server
we are getting this error.
We are using EAP in domain mode.
The truststore I placed inside of keycloak-server.json
"truststore": {
"file": {
"file": "/home/soa/jboss/ssl/keycloak.jks",
"password": "keycloak123",
"hostname-verification-policy": "ANY",
"disabled": false
}
}
#######
ERRO:
2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
(ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
[jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
[jsse.jar:1.8.0_45]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
[rt.jar:1.8.0_45]
at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_45]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_45]
at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
[keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_45]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
[rt.jar:1.8.0_45]
at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
[jsse.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
[jsse.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
[jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
[jsse.jar:1.8.0_45]
... 50 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
[rt.jar:1.8.0_45]
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
[rt.jar:1.8.0_45]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45]
... 56 more
--
Leonardo Nunes
________________________________
Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se voc? n?o for o
destinat?rio ou a pessoa autorizada a receber esta mensagem, n?o poder? usar, copiar ou
divulgar as informa??es nela contidas ou tomar qualquer a??o baseada nessas informa??es.
Se voc? recebeu esta mensagem por engano, por favor avise imediatamente o remetente,
respondendo o e-mail e em seguida apague-o. Agradecemos sua coopera??o.
This message may contain confidential and/or privileged information. If you are not the
addressee or authorized to receive this for the addressee, you must not use, copy,
disclose or take any action based on this message or any information herein. If you have
received this message in error, please advise the sender immediately by reply e-mail and
delete this message. Thank you for your cooperation
8:23 a.m.
Does it work if you don't specify the truststore? That will use the default
truststore provided by the JDK.
Also, does your truststore contain the required CA certs? For Facebook to
work it'll have to contain the required CA's for their certs
On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
wrote:
Hi, i'm getting the error below when I try to login with
Facebook.
I've followed the instructions at
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
and
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
I was able to login with Facebook when trying at localhost. But at our
development server we are getting this error.
We are using EAP in domain mode.
The truststore I placed inside of keycloak-server.json
"truststore": {
"file": {
"file": "/home/soa/jboss/ssl/keycloak.jks",
"password": "keycloak123",
"hostname-verification-policy": "ANY",
"disabled": false
}
}
#######
ERRO:
2016-02-11 10:44:53,927 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
(ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
callback: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
[jsse.jar:1.8.0_45]
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
[rt.jar:1.8.0_45]
at
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[rt.jar:1.8.0_45]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_45]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_45]
at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
[keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
[rt.jar:1.8.0_45]
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
[rt.jar:1.8.0_45]
at sun.security.validator.Validator.validate(Validator.java:260)
[rt.jar:1.8.0_45]
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
[jsse.jar:1.8.0_45]
... 50 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
[rt.jar:1.8.0_45]
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
[rt.jar:1.8.0_45]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
[rt.jar:1.8.0_45]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
[rt.jar:1.8.0_45]
... 56 more
--
Leonardo Nunes
------------------------------
*Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
você não for o destinatário ou a pessoa autorizada a receber esta mensagem,
não poderá usar, copiar ou divulgar as informações nela contidas ou tomar
qualquer ação baseada nessas informações. Se você recebeu esta mensagem por
engano, por favor avise imediatamente o remetente, respondendo o e-mail e
em seguida apague-o. Agradecemos sua cooperação. This message may contain
confidential and/or privileged information. If you are not the addressee or
authorized to receive this for the addressee, you must not use, copy,
disclose or take any action based on this message or any information
herein. If you have received this message in error, please advise the
sender immediately by reply e-mail and delete this message. Thank you for
your cooperation*
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:07 a.m.
Facebook certificate should be signed by trusted authority, so it works
with default JDK truststore. At least for me it always works.
Shouldn't truststore SPI use both provided file + default JDK truststore
by default? We may have flag to disable default JDK truststore, but not
sure if it's ever needed. Also shouldn't we rewrite SimpleHTTP to use
Apache HTTP client provided by HttpClientProvider SPI?
Marek
On 11/02/16 15:23, Stian Thorgersen wrote:
Does it work if you don't specify the truststore? That will use
the
default truststore provided by the JDK.
Also, does your truststore contain the required CA certs? For Facebook
to work it'll have to contain the required CA's for their certs
On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes(a)gjccorp.com.br
<mailto:leo.nunes@gjccorp.com.br>> wrote:
Hi, i'm getting the error below when I try to login with Facebook.
I've followed the instructions at
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
and
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
I was able to login with Facebook when trying at localhost. But at
our development server we are getting this error.
We are using EAP in domain mode.
The truststore I placed inside of keycloak-server.json
"truststore": {
"file": {
"file": "/home/soa/jboss/ssl/keycloak.jks",
"password": "keycloak123",
"hostname-verification-policy": "ANY",
"disabled": false
}
}
#######
ERRO:
2016-02-11 10:44:53,927 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
(ajp-/192.168.162.73:8008-1) Failed to make identity provider
oauth callback: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building
failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
[jsse.jar:1.8.0_45]
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
[rt.jar:1.8.0_45]
at
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[rt.jar:1.8.0_45]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_45]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_45]
at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
[keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
Caused by: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
[rt.jar:1.8.0_45]
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
[rt.jar:1.8.0_45]
at sun.security.validator.Validator.validate(Validator.java:260)
[rt.jar:1.8.0_45]
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
[jsse.jar:1.8.0_45]
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
[jsse.jar:1.8.0_45]
... 50 more
Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
[rt.jar:1.8.0_45]
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
[rt.jar:1.8.0_45]
at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
[rt.jar:1.8.0_45]
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
[rt.jar:1.8.0_45]
... 56 more
--
Leonardo Nunes
------------------------------------------------------------------------
/Esta mensagem pode conter informação confidencial e/ou
privilegiada. Se você não for o destinatário ou a pessoa
autorizada a receber esta mensagem, não poderá usar, copiar ou
divulgar as informações nela contidas ou tomar qualquer ação
baseada nessas informações. Se você recebeu esta mensagem por
engano, por favor avise imediatamente o remetente, respondendo o
e-mail e em seguida apague-o. Agradecemos sua cooperação.
This message may contain confidential and/or privileged
information. If you are not the addressee or authorized to receive
this for the addressee, you must not use, copy, disclose or take
any action based on this message or any information herein. If you
have received this message in error, please advise the sender
immediately by reply e-mail and delete this message. Thank you for
your cooperation/
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:56 a.m.
On 12 February 2016 at 08:07, Marek Posolda <mposolda(a)redhat.com> wrote:
Facebook certificate should be signed by trusted authority, so it
works
with default JDK truststore. At least for me it always works.
Shouldn't truststore SPI use both provided file + default JDK truststore
by default? We may have flag to disable default JDK truststore, but not
sure if it's ever needed. Also shouldn't we rewrite SimpleHTTP to use
Apache HTTP client provided by HttpClientProvider SPI?
+1 To both
SimpleHTTP was only introduced when we where talking about having the
social providers a generic library, but now they aren't there's no point to
SimpleHTTP anymore.
Marek
On 11/02/16 15:23, Stian Thorgersen wrote:
Does it work if you don't specify the truststore? That will use the
default truststore provided by the JDK.
Also, does your truststore contain the required CA certs? For Facebook to
work it'll have to contain the required CA's for their certs
On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
wrote:
> Hi, i'm getting the error below when I try to login with Facebook.
> I've followed the instructions at
>
<http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
> and
>
<http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
>
> I was able to login with Facebook when trying at localhost. But at our
> development server we are getting this error.
>
> We are using EAP in domain mode.
>
> The truststore I placed inside of keycloak-server.json
> "truststore": {
> "file": {
> "file": "/home/soa/jboss/ssl/keycloak.jks",
> "password": "keycloak123",
> "hostname-verification-policy": "ANY",
> "disabled": false
> }
> }
>
>
> #######
>
> ERRO:
>
>
> 2016-02-11 10:44:53,927 ERROR
> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
> callback: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> [jsse.jar:1.8.0_45]
> at
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
> [rt.jar:1.8.0_45]
> at
> org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
> at
>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> [rt.jar:1.8.0_45]
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> [rt.jar:1.8.0_45]
> at
>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> [rt.jar:1.8.0_45]
> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
> at
>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> [rt.jar:1.8.0_45]
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> [rt.jar:1.8.0_45]
> at sun.security.validator.Validator.validate(Validator.java:260)
> [rt.jar:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> [jsse.jar:1.8.0_45]
> at
>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> [jsse.jar:1.8.0_45]
> ... 50 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> [rt.jar:1.8.0_45]
> at
>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> [rt.jar:1.8.0_45]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> [rt.jar:1.8.0_45]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> [rt.jar:1.8.0_45]
> ... 56 more
>
>
>
>
>
> --
> Leonardo Nunes
> ------------------------------
>
>
> *Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
> você não for o destinatário ou a pessoa autorizada a receber esta mensagem,
> não poderá usar, copiar ou divulgar as informações nela contidas ou tomar
> qualquer ação baseada nessas informações. Se você recebeu esta mensagem por
> engano, por favor avise imediatamente o remetente, respondendo o e-mail e
> em seguida apague-o. Agradecemos sua cooperação. This message may contain
> confidential and/or privileged information. If you are not the addressee or
> authorized to receive this for the addressee, you must not use, copy,
> disclose or take any action based on this message or any information
> herein. If you have received this message in error, please advise the
> sender immediately by reply e-mail and delete this message. Thank you for
> your cooperation*
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
3:04 a.m.
When using 'truststore' provider it is up to you to make sure to
include all the certificates you trust. Configuration via
-Djavax.net.ssl.trustStore works the same - no automatic inclusion of
cacerts. But it sounds like a good usability feature to add a flag
that would automatically include cacerts as well. The problem is - it
happens occasionally that some CAs turn out not to be trustworthy, and
blindly importing all cacerts exposes you to that risk.
One detail to emphasize, with third party not-self-signed certificates
it's important to include the CA certificate used to create the
specific server certificate, rather than the server certificate
itself. Facebook servers use different short-lived server certificates
- and with two consecutive requests you may be presented with two
different server certificates - but they are all issued by the same
long-lived trusted CA.
On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
Facebook certificate should be signed by trusted authority, so it
works with
default JDK truststore. At least for me it always works.
Shouldn't truststore SPI use both provided file + default JDK truststore by
default? We may have flag to disable default JDK truststore, but not sure if
it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP
client provided by HttpClientProvider SPI?
Marek
On 11/02/16 15:23, Stian Thorgersen wrote:
Does it work if you don't specify the truststore? That will use the default
truststore provided by the JDK.
Also, does your truststore contain the required CA certs? For Facebook to
work it'll have to contain the required CA's for their certs
On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
wrote:
>
> Hi, i'm getting the error below when I try to login with Facebook.
> I've followed the instructions at
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
> and
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
>
> I was able to login with Facebook when trying at localhost. But at our
> development server we are getting this error.
>
> We are using EAP in domain mode.
>
> The truststore I placed inside of keycloak-server.json
> "truststore": {
> "file": {
> "file": "/home/soa/jboss/ssl/keycloak.jks",
> "password": "keycloak123",
> "hostname-verification-policy": "ANY",
> "disabled": false
> }
> }
>
>
> #######
>
> ERRO:
>
>
> 2016-02-11 10:44:53,927 ERROR
> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
> callback: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> [jsse.jar:1.8.0_45]
> at
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
> [rt.jar:1.8.0_45]
> at
> org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
> at
>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> [rt.jar:1.8.0_45]
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> [rt.jar:1.8.0_45]
> at
>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> [rt.jar:1.8.0_45]
> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
> at
>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> [rt.jar:1.8.0_45]
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> [rt.jar:1.8.0_45]
> at sun.security.validator.Validator.validate(Validator.java:260)
> [rt.jar:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> [jsse.jar:1.8.0_45]
> at
>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> [jsse.jar:1.8.0_45]
> ... 50 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> [rt.jar:1.8.0_45]
> at
>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> [rt.jar:1.8.0_45]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> [rt.jar:1.8.0_45]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> [rt.jar:1.8.0_45]
> ... 56 more
>
>
>
>
>
> --
> Leonardo Nunes
> ________________________________
> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
> você não for o destinatário ou a pessoa autorizada a receber esta mensagem,
> não poderá usar, copiar ou divulgar as informações nela contidas ou tomar
> qualquer ação baseada nessas informações. Se você recebeu esta mensagem por
> engano, por favor avise imediatamente o remetente, respondendo o e-mail e em
> seguida apague-o. Agradecemos sua cooperação.
>
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose or take any action based on this message or
> any information herein. If you have received this message in error, please
> advise the sender immediately by reply e-mail and delete this message. Thank
> you for your cooperation
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:43 a.m.
On 12 February 2016 at 10:04, Marko Strukelj <mstrukel(a)redhat.com> wrote:
When using 'truststore' provider it is up to you to make sure
to
include all the certificates you trust. Configuration via
-Djavax.net.ssl.trustStore works the same - no automatic inclusion of
cacerts. But it sounds like a good usability feature to add a flag
that would automatically include cacerts as well. The problem is - it
happens occasionally that some CAs turn out not to be trustworthy, and
blindly importing all cacerts exposes you to that risk.
How about having a flag that is enabled by default that includes cacerts
from Java? I'd actually think that update from CA certs are more likely
going to happen by updating Java rather than manually maintaining a
truststore.
One detail to emphasize, with third party not-self-signed
certificates
it's important to include the CA certificate used to create the
specific server certificate, rather than the server certificate
itself. Facebook servers use different short-lived server certificates
- and with two consecutive requests you may be presented with two
different server certificates - but they are all issued by the same
long-lived trusted CA.
On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda <mposolda(a)redhat.com>
wrote:
> Facebook certificate should be signed by trusted authority, so it works
with
> default JDK truststore. At least for me it always works.
>
> Shouldn't truststore SPI use both provided file + default JDK truststore
by
> default? We may have flag to disable default JDK truststore, but not
sure if
> it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP
> client provided by HttpClientProvider SPI?
>
> Marek
>
>
> On 11/02/16 15:23, Stian Thorgersen wrote:
>
> Does it work if you don't specify the truststore? That will use the
default
> truststore provided by the JDK.
>
> Also, does your truststore contain the required CA certs? For Facebook to
> work it'll have to contain the required CA's for their certs
>
> On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
> wrote:
>>
>> Hi, i'm getting the error below when I try to login with Facebook.
>> I've followed the instructions at
>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
>> and
>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
>>
>> I was able to login with Facebook when trying at localhost. But at our
>> development server we are getting this error.
>>
>> We are using EAP in domain mode.
>>
>> The truststore I placed inside of keycloak-server.json
>> "truststore": {
>> "file": {
>> "file": "/home/soa/jboss/ssl/keycloak.jks",
>> "password": "keycloak123",
>> "hostname-verification-policy": "ANY",
>> "disabled": false
>> }
>> }
>>
>>
>> #######
>>
>> ERRO:
>>
>>
>> 2016-02-11 10:44:53,927 ERROR
>> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
>> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
>> callback: javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
find
>> valid certification path to requested target
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>> [jsse.jar:1.8.0_45]
>> at
>>
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
>> [jsse.jar:1.8.0_45]
>> at
>>
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
>> [jsse.jar:1.8.0_45]
>> at
>>
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
>> [jsse.jar:1.8.0_45]
>> at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
>> [jsse.jar:1.8.0_45]
>> at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
>> [jsse.jar:1.8.0_45]
>> at
>>
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>> [rt.jar:1.8.0_45]
>> at
>>
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
>> at
>>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> [rt.jar:1.8.0_45]
>> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>> at
>>
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>>
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
>> at
>>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
>> at
>>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
>> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
>> at
>>
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>>
org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable
>> to find valid certification path to requested target
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>> [rt.jar:1.8.0_45]
>> at sun.security.validator.Validator.validate(Validator.java:260)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>> [jsse.jar:1.8.0_45]
>> at
>>
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>> [jsse.jar:1.8.0_45]
>> at
>>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>> [jsse.jar:1.8.0_45]
>> at
>>
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
>> [jsse.jar:1.8.0_45]
>> ... 50 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> at
>>
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
>> [rt.jar:1.8.0_45]
>> at
>>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>> [rt.jar:1.8.0_45]
>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> [rt.jar:1.8.0_45]
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>> [rt.jar:1.8.0_45]
>> ... 56 more
>>
>>
>>
>>
>>
>> --
>> Leonardo Nunes
>> ________________________________
>> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
>> você não for o destinatário ou a pessoa autorizada a receber esta
mensagem,
>> não poderá usar, copiar ou divulgar as informações nela contidas ou
tomar
>> qualquer ação baseada nessas informações. Se você recebeu esta mensagem
por
>> engano, por favor avise imediatamente o remetente, respondendo o e-mail
e em
>> seguida apague-o. Agradecemos sua cooperação.
>>
>> This message may contain confidential and/or privileged information. If
>> you are not the addressee or authorized to receive this for the
addressee,
>> you must not use, copy, disclose or take any action based on this
message or
>> any information herein. If you have received this message in error,
please
>> advise the sender immediately by reply e-mail and delete this message.
Thank
>> you for your cooperation
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
4:44 a.m.
We could add such a flag, don't know how hard it would be to implement.
In principle I agree about CA cert updates. But they are many, and for
your customized truststore you may add only a few, and for big-name
services. If CAs are revoked, then your integration will stop working
as those services will start using new certs that you don't have in
your truststore.
It's quite unlikely OTOH to notice one of the 100 trusted-by-default
CA that you never connect to, that can one day be used to forge a
certificate for one of the services that you do use - that one you
won't notice until you update Java.
6:10 a.m.
It worked for me, now I can login with Facebook.
I had to export 3 root CA's from the default java cacerts keystore, them
import them into my keystore.
This is not the best way to fix the problem, but until we don't have a
flag on keycloak to indicate we want to use both our keystore and java
keystore this will work.
Certificates to export:
digicertglobalrootca
digicertassuredidrootca
digicerthighassuranceevrootca
How to export:
keytool -exportcert -alias digicertglobalrootca -keystore cacerts -file
jboss/ssl/default-jdk/digicertglobalrootca.crt
keytool -exportcert -alias digicertassuredidrootca -keystore cacerts -file
jboss/ssl/default-jdk/digicertassuredidrootca.crt
keytool -exportcert -alias digicertglobalrootca -keystore cacerts -file
jboss/ssl/default-jdk/digicerthighassuranceevrootca.crt
How to import into another keystore:
keytool -import -trustcacerts -alias digicertglobalrootca -keystore
jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file
jboss/ssl/default-jdk/digicertglobalrootca.crt
keytool -import -trustcacerts -alias digicertassuredidrootca -keystore
jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file
jboss/ssl/default-jdk/digicertassuredidrootca.crt
keytool -import -trustcacerts -alias digicerthighassuranceevrootca
-keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file
jboss/ssl/default-jdk/digicerthighassuranceevrootca.crt
On 12/02/16 08:44, "Marko Strukelj" <mstrukel(a)redhat.com> wrote:
We could add such a flag, don't know how hard it would be to
implement.
In principle I agree about CA cert updates. But they are many, and for
your customized truststore you may add only a few, and for big-name
services. If CAs are revoked, then your integration will stop working
as those services will start using new certs that you don't have in
your truststore.
It's quite unlikely OTOH to notice one of the 100 trusted-by-default
CA that you never connect to, that can one day be used to forge a
certificate for one of the services that you do use - that one you
won't notice until you update Java.
________________________________
Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
você não for o destinatário ou a pessoa autorizada a receber esta
mensagem, não poderá usar, copiar ou divulgar as informações nela
contidas ou tomar qualquer ação baseada nessas informações. Se você
recebeu esta mensagem por engano, por favor avise imediatamente o
remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua
cooperação.
This message may contain confidential and/or privileged information. If
you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose or take any action based on
this message or any information herein. If you have received this message
in error, please advise the sender immediately by reply e-mail and delete
this message. Thank you for your cooperation
4:49 a.m.
1+ to include cacerts from Java by default.
From: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>>
Reply-To: "stian@redhat.com<mailto:stian@redhat.com>"
<stian@redhat.com<mailto:stian@redhat.com>>
Date: sexta-feira, 12 de fevereiro de 2016 07:43
To: Marko Strukelj <mstrukel@redhat.com<mailto:mstrukel@redhat.com>>
Cc: Marek Posolda <mposolda@redhat.com<mailto:mposolda@redhat.com>>, Leonardo
Nunes <leo.nunes@gjccorp.com.br<mailto:leo.nunes@gjccorp.com.br>>,
"keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>"
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Failed to make identity provider oauth callback:
javax.net.ssl.SSLHandshakeException
On 12 February 2016 at 10:04, Marko Strukelj
<mstrukel@redhat.com<mailto:mstrukel@redhat.com>> wrote:
When using 'truststore' provider it is up to you to make sure to
include all the certificates you trust. Configuration via
-Djavax.net.ssl.trustStore works the same - no automatic inclusion of
cacerts. But it sounds like a good usability feature to add a flag
that would automatically include cacerts as well. The problem is - it
happens occasionally that some CAs turn out not to be trustworthy, and
blindly importing all cacerts exposes you to that risk.
How about having a flag that is enabled by default that includes cacerts from Java?
I'd actually think that update from CA certs are more likely going to happen by
updating Java rather than manually maintaining a truststore.
One detail to emphasize, with third party not-self-signed certificates
it's important to include the CA certificate used to create the
specific server certificate, rather than the server certificate
itself. Facebook servers use different short-lived server certificates
- and with two consecutive requests you may be presented with two
different server certificates - but they are all issued by the same
long-lived trusted CA.
On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda
<mposolda@redhat.com<mailto:mposolda@redhat.com>> wrote:
Facebook certificate should be signed by trusted authority, so it
works with
default JDK truststore. At least for me it always works.
Shouldn't truststore SPI use both provided file + default JDK truststore by
default? We may have flag to disable default JDK truststore, but not sure if
it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP
client provided by HttpClientProvider SPI?
Marek
On 11/02/16 15:23, Stian Thorgersen wrote:
Does it work if you don't specify the truststore? That will use the default
truststore provided by the JDK.
Also, does your truststore contain the required CA certs? For Facebook to
work it'll have to contain the required CA's for their certs
On 11 February 2016 at 14:09, LEONARDO NUNES
<leo.nunes@gjccorp.com.br<mailto:leo.nunes@gjccorp.com.br>>
wrote:
>
> Hi, i'm getting the error below when I try to login with Facebook.
> I've followed the instructions at
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
> and
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
>
> I was able to login with Facebook when trying at localhost. But at our
> development server we are getting this error.
>
> We are using EAP in domain mode.
>
> The truststore I placed inside of keycloak-server.json
> "truststore": {
> "file": {
> "file": "/home/soa/jboss/ssl/keycloak.jks",
> "password": "keycloak123",
> "hostname-verification-policy": "ANY",
> "disabled": false
> }
> }
>
>
> #######
>
> ERRO:
>
>
> 2016-02-11 10:44:53,927 ERROR
> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
> callback: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> [jsse.jar:1.8.0_45]
> at
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
> [rt.jar:1.8.0_45]
> at
>
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
> [rt.jar:1.8.0_45]
> at
> org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
> at
>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> [rt.jar:1.8.0_45]
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> [rt.jar:1.8.0_45]
> at
>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> [rt.jar:1.8.0_45]
> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
> at
>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
> at
>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> [rt.jar:1.8.0_45]
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> [rt.jar:1.8.0_45]
> at sun.security.validator.Validator.validate(Validator.java:260)
> [rt.jar:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> [jsse.jar:1.8.0_45]
> at
>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> [jsse.jar:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> [jsse.jar:1.8.0_45]
> ... 50 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> [rt.jar:1.8.0_45]
> at
>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> [rt.jar:1.8.0_45]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> [rt.jar:1.8.0_45]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> [rt.jar:1.8.0_45]
> ... 56 more
>
>
>
>
>
> --
> Leonardo Nunes
> ________________________________
> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
> você não for o destinatário ou a pessoa autorizada a receber esta mensagem,
> não poderá usar, copiar ou divulgar as informações nela contidas ou tomar
> qualquer ação baseada nessas informações. Se você recebeu esta mensagem por
> engano, por favor avise imediatamente o remetente, respondendo o e-mail e em
> seguida apague-o. Agradecemos sua cooperação.
>
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose or take any action based on this message or
> any information herein. If you have received this message in error, please
> advise the sender immediately by reply e-mail and delete this message. Thank
> you for your cooperation
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:16 a.m.
Security is always at odds with convenience :)
For Facebook you can prepare your truststore like this:
curl http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
~/digicertsha2high.crt
keytool -importcert -keystore
truststore.jks -storetype JKS -file
~/digicertsha2high.crt -alias digicertSHA2HighCA
How I came to this?
By inspecting the certificate returned by Facebook you find it's issuer:
openssl s_client -connect graph.facebook.com:443 -showcerts </dev/null
2>/dev/null|openssl x509 -outform PEM > ~/graph.facebook.com.pem
keytool -importcert -keystore tempstore.jks -storetype JKS -file
~/graph.facebook.com.pem -alias facebook.com
(type some password, and inspect the certificate - no need to confirm it)
In certificate details there is URL to issuer CA certificate I used above.
It is issuer CA that your want in your truststore, rather than
graph.facebook.com certificate. That certificate is also part of
cacerts file where all the certificate trusted by default are located.
Which is the next point - it's easy to manually start with default
truststore, rather than empty one. Just copy the default truststore
and change its password:
cp $JAVA_HOME/jre/lib/security/cacerts truststore.jks
keytool -keystore truststore.jks -storepasswd
When asked for password type: 'changeit' - that's java truststore's
password.
When asked for new password type whatever you want.
That's all there is to it.
On Fri, Feb 12, 2016 at 11:49 AM, LEONARDO NUNES
<leo.nunes(a)gjccorp.com.br> wrote:
1+ to include cacerts from Java by default.
From: Stian Thorgersen <sthorger(a)redhat.com>
Reply-To: "stian(a)redhat.com" <stian(a)redhat.com>
Date: sexta-feira, 12 de fevereiro de 2016 07:43
To: Marko Strukelj <mstrukel(a)redhat.com>
Cc: Marek Posolda <mposolda(a)redhat.com>, Leonardo Nunes
<leo.nunes(a)gjccorp.com.br>, "keycloak-user(a)lists.jboss.org"
<keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Failed to make identity provider oauth
callback: javax.net.ssl.SSLHandshakeException
On 12 February 2016 at 10:04, Marko Strukelj <mstrukel(a)redhat.com> wrote:
>
> When using 'truststore' provider it is up to you to make sure to
> include all the certificates you trust. Configuration via
> -Djavax.net.ssl.trustStore works the same - no automatic inclusion of
> cacerts. But it sounds like a good usability feature to add a flag
> that would automatically include cacerts as well. The problem is - it
> happens occasionally that some CAs turn out not to be trustworthy, and
> blindly importing all cacerts exposes you to that risk.
How about having a flag that is enabled by default that includes cacerts
from Java? I'd actually think that update from CA certs are more likely
going to happen by updating Java rather than manually maintaining a
truststore.
>
> One detail to emphasize, with third party not-self-signed certificates
> it's important to include the CA certificate used to create the
> specific server certificate, rather than the server certificate
> itself. Facebook servers use different short-lived server certificates
> - and with two consecutive requests you may be presented with two
> different server certificates - but they are all issued by the same
> long-lived trusted CA.
>
>
>
> On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda <mposolda(a)redhat.com>
> wrote:
> > Facebook certificate should be signed by trusted authority, so it works
> > with
> > default JDK truststore. At least for me it always works.
> >
> > Shouldn't truststore SPI use both provided file + default JDK truststore
> > by
> > default? We may have flag to disable default JDK truststore, but not
> > sure if
> > it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache
> > HTTP
> > client provided by HttpClientProvider SPI?
> >
> > Marek
> >
> >
> > On 11/02/16 15:23, Stian Thorgersen wrote:
> >
> > Does it work if you don't specify the truststore? That will use the
> > default
> > truststore provided by the JDK.
> >
> > Also, does your truststore contain the required CA certs? For Facebook
> > to
> > work it'll have to contain the required CA's for their certs
> >
> > On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
> > wrote:
> >>
> >> Hi, i'm getting the error below when I try to login with Facebook.
> >> I've followed the instructions at
> >>
> >>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
> >> and
> >>
> >>
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
> >>
> >> I was able to login with Facebook when trying at localhost. But at our
> >> development server we are getting this error.
> >>
> >> We are using EAP in domain mode.
> >>
> >> The truststore I placed inside of keycloak-server.json
> >> "truststore": {
> >> "file": {
> >> "file": "/home/soa/jboss/ssl/keycloak.jks",
> >> "password": "keycloak123",
> >> "hostname-verification-policy": "ANY",
> >> "disabled": false
> >> }
> >> }
> >>
> >>
> >> #######
> >>
> >> ERRO:
> >>
> >>
> >> 2016-02-11 10:44:53,927 ERROR
> >> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
> >> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
> >> callback: javax.net.ssl.SSLHandshakeException:
> >> sun.security.validator.ValidatorException: PKIX path building failed:
> >> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> >> find
> >> valid certification path to requested target
> >> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >> [jsse.jar:1.8.0_45]
> >> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> >> [jsse.jar:1.8.0_45]
> >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> >> [jsse.jar:1.8.0_45]
> >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> >> [jsse.jar:1.8.0_45]
> >> at
> >>
> >>
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
> >> [jsse.jar:1.8.0_45]
> >> at
> >>
> >> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
> >> [jsse.jar:1.8.0_45]
> >> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
> >> [jsse.jar:1.8.0_45]
> >> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
> >> [jsse.jar:1.8.0_45]
> >> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> >> [jsse.jar:1.8.0_45]
> >> at
> >>
> >>
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
> >> [jsse.jar:1.8.0_45]
> >> at
> >> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> >> [jsse.jar:1.8.0_45]
> >> at
> >> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> >> [jsse.jar:1.8.0_45]
> >> at
> >>
> >> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >>
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >>
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >>
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >> org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
> >> at
> >>
> >>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >>
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >> [rt.jar:1.8.0_45]
> >> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
> >> at
> >>
> >>
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >> org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at
> >>
> >>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
> >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> >>
> >> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
> >> at
> >>
> >>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
> >> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
> >> at
> >>
> >>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
> >> at
> >>
> >>
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
> >> at
> >>
> >>
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
> >> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
> >> at
> >>
> >>
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >>
> >>
org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at
> >> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
> >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
> >> Caused by: sun.security.validator.ValidatorException: PKIX path
> >> building
> >> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> >> unable
> >> to find valid certification path to requested target
> >> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> >> [rt.jar:1.8.0_45]
> >> at sun.security.validator.Validator.validate(Validator.java:260)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >>
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> >> [jsse.jar:1.8.0_45]
> >> at
> >>
> >>
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> >> [jsse.jar:1.8.0_45]
> >> at
> >>
> >>
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> >> [jsse.jar:1.8.0_45]
> >> at
> >>
> >>
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> >> [jsse.jar:1.8.0_45]
> >> ... 50 more
> >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> >> unable to find valid certification path to requested target
> >> at
> >>
> >>
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> >> [rt.jar:1.8.0_45]
> >> at
> >>
> >>
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> >> [rt.jar:1.8.0_45]
> >> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> >> [rt.jar:1.8.0_45]
> >> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> >> [rt.jar:1.8.0_45]
> >> ... 56 more
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Leonardo Nunes
> >> ________________________________
> >> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
> >> você não for o destinatário ou a pessoa autorizada a receber esta
> >> mensagem,
> >> não poderá usar, copiar ou divulgar as informações nela contidas ou
> >> tomar
> >> qualquer ação baseada nessas informações. Se você recebeu esta mensagem
> >> por
> >> engano, por favor avise imediatamente o remetente, respondendo o e-mail
> >> e em
> >> seguida apague-o. Agradecemos sua cooperação.
> >>
> >> This message may contain confidential and/or privileged information. If
> >> you are not the addressee or authorized to receive this for the
> >> addressee,
> >> you must not use, copy, disclose or take any action based on this
> >> message or
> >> any information herein. If you have received this message in error,
> >> please
> >> advise the sender immediately by reply e-mail and delete this message.
> >> Thank
> >> you for your cooperation
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
4:47 a.m.
Stian, at our EAP init opts we have the -Djavax.net.ssl.trustStore= pointing to a .jks
file that have a certificate for the hosts of our domain to communicate.
If I don't specify the -Djavax.net.ssl.trustStore= then Facebook login works fine with
the one provided by the JDK.
I tried to find out which are the required CA's for Facebook, so I could add it to my
truststore but I couldn't find.
Could you please help me with that?
I added a valid certificate to our truststore and still get the same error.
From: Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>>
Reply-To: "stian@redhat.com<mailto:stian@redhat.com>"
<stian@redhat.com<mailto:stian@redhat.com>>
Date: quinta-feira, 11 de fevereiro de 2016 12:23
To: Leonardo Nunes
<leo.nunes@gjccorp.com.br<mailto:leo.nunes@gjccorp.com.br>>
Cc: "keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>"
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Failed to make identity provider oauth callback:
javax.net.ssl.SSLHandshakeException
Does it work if you don't specify the truststore? That will use the default truststore
provided by the JDK.
Also, does your truststore contain the required CA certs? For Facebook to work it'll
have to contain the required CA's for their certs
On 11 February 2016 at 14:09, LEONARDO NUNES
<leo.nunes@gjccorp.com.br<mailto:leo.nunes@gjccorp.com.br>> wrote:
Hi, i'm getting the error below when I try to login with Facebook.
I've followed the instructions at
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
and
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
I was able to login with Facebook when trying at localhost. But at our development server
we are getting this error.
We are using EAP in domain mode.
The truststore I placed inside of keycloak-server.json
"truststore": {
"file": {
"file": "/home/soa/jboss/ssl/keycloak.jks",
"password": "keycloak123",
"hostname-verification-policy": "ANY",
"disabled": false
}
}
#######
ERRO:
2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
(ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
[jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
[jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
[jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
[jsse.jar:1.8.0_45]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
[rt.jar:1.8.0_45]
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
[rt.jar:1.8.0_45]
at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_45]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_45]
at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
[keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
at
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_45]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
[rt.jar:1.8.0_45]
at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
[jsse.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
[jsse.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
[jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
[jsse.jar:1.8.0_45]
... 50 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
[rt.jar:1.8.0_45]
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
[rt.jar:1.8.0_45]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45]
... 56 more
--
Leonardo Nunes
________________________________
Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o
destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou
divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações.
Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente,
respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação.
This message may contain confidential and/or privileged information. If you are not the
addressee or authorized to receive this for the addressee, you must not use, copy,
disclose or take any action based on this message or any information herein. If you have
received this message in error, please advise the sender immediately by reply e-mail and
delete this message. Thank you for your cooperation
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
3069
days inactive
3070
days old
10 comments
4 participants
participants (4)
-
LEONARDO NUNES -
Marek Posolda -
Marko Strukelj -
Stian Thorgersen