[keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException

Stian Thorgersen sthorger at redhat.com
Fri Feb 12 02:56:01 EST 2016


On 12 February 2016 at 08:07, Marek Posolda <mposolda at redhat.com> wrote:

> Facebook certificate should be signed by trusted authority, so it works
> with default JDK truststore. At least for me it always works.
>
> Shouldn't truststore SPI use both provided file + default JDK truststore
> by default? We may have flag to disable default JDK truststore, but not
> sure if it's ever needed. Also shouldn't we rewrite SimpleHTTP to use
> Apache HTTP client provided by HttpClientProvider SPI?
>

+1 to both

SimpleHTTP was only introduced when we were talking about having the
social providers as a generic library, but now they aren't, there's no point to
SimpleHTTP anymore.


>
>
> Marek
>
>
> On 11/02/16 15:23, Stian Thorgersen wrote:
>
> Does it work if you don't specify the truststore? That will use the
> default truststore provided by the JDK.
>
> Also, does your truststore contain the required CA certs? For Facebook to
> work it'll have to contain the required CA's for their certs
>
> On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes at gjccorp.com.br>
> wrote:
>
>> Hi, I'm getting the error below when I try to login with Facebook.
>> I've followed the instructions at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore
>> and
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
>>
>> I was able to login with Facebook when trying at localhost. But at our
>> development server we are getting this error.
>>
>> We are using EAP in domain mode.
>>
>> The truststore I placed inside of keycloak-server.json
>> "truststore": {
>>         "file": {
>>             "file": "/home/soa/jboss/ssl/keycloak.jks",
>>             "password": "keycloak123",
>>             "hostname-verification-policy": "ANY",
>>             "disabled": false
>>         }
>>     }
>>
>>
>> #######
>>
>> ERROR:
>>
>>
>> 2016-02-11 10:44:53,927 ERROR
>> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
>> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
>> callback: javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
>> [jsse.jar:1.8.0_45]
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
>> [rt.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>> [rt.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
>> [rt.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
>> [rt.jar:1.8.0_45]
>> at
>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>> [rt.jar:1.8.0_45]
>> at
>> org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
>> at
>> org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> [rt.jar:1.8.0_45]
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> [rt.jar:1.8.0_45]
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> [rt.jar:1.8.0_45]
>> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>> at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
>> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
>> at
>> org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
>> at
>> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
>> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
>> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
>> to find valid certification path to requested target
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>> [rt.jar:1.8.0_45]
>> at
>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>> [rt.jar:1.8.0_45]
>> at sun.security.validator.Validator.validate(Validator.java:260)
>> [rt.jar:1.8.0_45]
>> at
>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>> [jsse.jar:1.8.0_45]
>> at
>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
>> [jsse.jar:1.8.0_45]
>> ... 50 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> at
>> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
>> [rt.jar:1.8.0_45]
>> at
>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>> [rt.jar:1.8.0_45]
>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> [rt.jar:1.8.0_45]
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>> [rt.jar:1.8.0_45]
>> ... 56 more
>>
>>
>>
>>
>>
>> --
>> Leonardo Nunes
>> ------------------------------
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>