[keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException

LEONARDO NUNES leo.nunes at gjccorp.com.br
Fri Feb 12 07:10:08 EST 2016


It worked for me; now I can log in with Facebook.
I had to export 3 root CAs from the default Java cacerts keystore, then
import them into my keystore.
This is not the best way to fix the problem, but until we have a
flag on Keycloak to indicate we want to use both our keystore and the Java
keystore, this will work.

Certificates to export:
digicertglobalrootca
digicertassuredidrootca
digicerthighassuranceevrootca


How to export:
keytool -exportcert -alias digicertglobalrootca -keystore cacerts -file jboss/ssl/default-jdk/digicertglobalrootca.crt
keytool -exportcert -alias digicertassuredidrootca -keystore cacerts -file jboss/ssl/default-jdk/digicertassuredidrootca.crt
keytool -exportcert -alias digicerthighassuranceevrootca -keystore cacerts -file jboss/ssl/default-jdk/digicerthighassuranceevrootca.crt

How to import into another keystore:
keytool -import -trustcacerts -alias digicertglobalrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicertglobalrootca.crt
keytool -import -trustcacerts -alias digicertassuredidrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicertassuredidrootca.crt
keytool -import -trustcacerts -alias digicerthighassuranceevrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicerthighassuranceevrootca.crt
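The export/import steps above, scripted end to end, as an added example that is not part of the original post. It locates the JDK cacerts file, copies each named root as a trusted certificate entry into the destination keystore (non-interactively, via -noprompt), and then checks with keytool -list that every alias actually landed, which is the step most people skip and then debug as a fresh SSLHandshakeException. The aliases and the jboss/ssl/... keystore path come from the post; $JAVA_HOME, the password "changeit" (the JDK's well-known default for cacerts) and the destination password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): copy selected root CA certificates from
# the JDK's default cacerts truststore into a custom JKS truststore, then verify they
# landed. Aliases, keystore paths and passwords below are assumptions; "changeit" is
# the well-known default password of the JDK cacerts file.
set -eu

# Print the path of the JDK default truststore, if $JAVA_HOME is set and the file exists.
# Java 8 keeps it under jre/lib/security, later releases under lib/security.
jdk_cacerts_path() {
  for p in "${JAVA_HOME:-}/lib/security/cacerts" "${JAVA_HOME:-}/jre/lib/security/cacerts"; do
    if [ -n "${JAVA_HOME:-}" ] && [ -f "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# copy_trusted_certs SRC_KEYSTORE SRC_PASS DEST_KEYSTORE DEST_PASS ALIAS...
# For each alias: export the certificate (DER) from the source keystore and import it into
# the destination keystore as a trusted certificate entry. Only the public certificate
# moves, never a private key. -noprompt skips the interactive "Trust this certificate?"
# question, which is what makes the function usable from a script.
copy_trusted_certs() {
  src=$1; srcpass=$2; dest=$3; destpass=$4; shift 4
  tmpdir=$(mktemp -d)
  for alias in "$@"; do
    keytool -exportcert -alias "$alias" -keystore "$src" -storepass "$srcpass" \
      -file "$tmpdir/$alias.crt" >/dev/null 2>&1
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -keystore "$dest" \
      -storepass "$destpass" -file "$tmpdir/$alias.crt" >/dev/null 2>&1
  done
  rm -rf "$tmpdir"
}

# has_alias KEYSTORE PASS ALIAS: succeed only if the alias exists in the keystore.
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# main DEST_KEYSTORE DEST_PASS: copy the three DigiCert roots named in the post from the
# JDK cacerts into DEST_KEYSTORE and fail loudly if any of them is missing afterwards.
main() {
  cacerts=$(jdk_cacerts_path) || { echo "JDK cacerts not found; set JAVA_HOME" >&2; exit 1; }
  copy_trusted_certs "$cacerts" changeit "$1" "$2" \
    digicertglobalrootca digicertassuredidrootca digicerthighassuranceevrootca
  for a in digicertglobalrootca digicertassuredidrootca digicerthighassuranceevrootca; do
    has_alias "$1" "$2" "$a" || { echo "alias $a missing from $1" >&2; exit 1; }
  done
  echo "trusted roots copied into $1"
}

# Run as: sh copy_roots.sh jboss/ssl/eap-des1.yyy.com.br.keystore.jks "$KEYSTORE_PASS"
# (nothing runs when the script is sourced or invoked without arguments).
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Because the copied entries are plain trusted-certificate entries, the custom keystore keeps working after a JDK upgrade only for the roots you copied; any new root that a provider switches to has to be copied again, which is the trade-off the thread discusses.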

On 12/02/16 08:44, "Marko Strukelj" <mstrukel at redhat.com> wrote:

>We could add such a flag, don't know how hard it would be to implement.
>
>In principle I agree about CA cert updates. But they are many, and for
>your customized truststore you may add only a few, and for big-name
>services. If CAs are revoked, then your integration will stop working
>as those services will start using new certs that you don't have in
>your truststore.
>
>It's quite unlikely OTOH to notice one of the 100 trusted-by-default
>CAs that you never connect to, that can one day be used to forge a
>certificate for one of the services that you do use - that one you
>won't notice until you update Java.
>________________________________
>This message may contain confidential and/or privileged information. If
>you are not the addressee or authorized to receive this for the
>addressee, you must not use, copy, disclose or take any action based on
>this message or any information herein. If you have received this message
>in error, please advise the sender immediately by reply e-mail and delete
>this message. Thank you for your cooperation.