[keycloak-user] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Guus der Kinderen guus.der.kinderen at gmail.com
Fri Apr 8 01:28:54 EDT 2016


Hello Juan Diego,

I think you are right. Java probably does not recognize Komodo as a valid
certificate authority.

Java keeps certificates of CAs in a keystore (a 'trust store' - a store of
certificates from authorities that are to be trusted). The Komodo
certificate that is part of your chain is probably not in them.

I'm quite new to Keycloak, and I'm not sure if Keycloak uses the default
keystores that ship with any version of Java, or uses its own set. Perhaps
the Keycloak documentation gives you a hint to that effect.

I hope this helps. Regards,

  Guus

On 8 April 2016 at 01:25, Juan Diego <juandiego83 at gmail.com> wrote:

> I installed a keycloak server on amazon and bought a cert from Komodo.
> And I was testing my app from my localhost, so my webapp in jsf is supposed
> to log against that server and it seems to work. I modified my web.xml so
> the login-config uses keycloak.
>
> I thought my localserver ssl was the problem but I disabled
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>
> But I got the same error.
>
> 17:49:20,443 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
> (default task-49) failed to turn code into token:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>     at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>     at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>     at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>     at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>     at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
>     at
> org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
>     at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
>     at
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>     at
> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>     at
> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>     at
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>     at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>     at
> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>     at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>     at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>     at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>     at
> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>     at
> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
>     at
> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
>     at
> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
>     at
> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>     at
> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>     at
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>     at
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>     at
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>     at
> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>     at
> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>     at
> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>     at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>     at
> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at
> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>     at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at
> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>     at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at
> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>     at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>     at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
>     ... 56 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>     at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>     ... 62 more
>
>
> From what I understand it is because my java doesn't perceive my Cert as a
> proper CA signed cert.
>
> Thanks,
>
> Juan diego
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
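
The trust-store behaviour discussed in this thread, as an added example that is not part of the original messages: a server certificate fails path building when its issuing CA is absent from the trust bundle, and validates once that CA is added. It assumes the openssl CLI is installed and uses `openssl verify` as a stand-in for Java's PKIX path builder; all names, keys and certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example. Every key and certificate is generated on the spot
# (constructed data); nothing comes from the servers in the thread.
set -eu

make_pki() {  # $1 = dir: writes ca.pem (issuer), other.pem (unrelated CA), srv.pem (server)
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for name in ca other; do
        openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo $name root" -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null
    done
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=sso.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

# $1 = PEM trust bundle, $2 = server certificate.
# Succeeds only if a path from the certificate to a CA in the bundle can be built.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check() {  # prints "trusted" or "untrusted" for bundle $1 and certificate $2
    if trusted_by "$1" "$2"; then echo trusted; else echo untrusted; fi
}

demo() {
    work=$(mktemp -d)
    make_pki "$work"
    # Trust store that lacks the issuer: the situation behind the PKIX error.
    echo "store without issuer: $(check "$work/other.pem" "$work/srv.pem")"
    # Add the issuing CA to the store. The Java counterpart is importing the CA
    # certificate into the trust store the JVM reads, e.g. with keytool -importcert.
    cat "$work/other.pem" "$work/ca.pem" > "$work/fixed.pem"
    echo "store with issuer:    $(check "$work/fixed.pem" "$work/srv.pem")"
    rm -rf "$work"
}
demo
```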