[keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
Marko Strukelj
mstrukel at redhat.com
Fri Feb 12 07:16:13 EST 2016
Security is always at odds with convenience :)
For Facebook you can prepare your truststore like this:
curl http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
> ~/digicertsha2high.crt
keytool -importcert -keystore truststore.jks -storetype JKS -file
~/digicertsha2high.crt -alias digicertSHA2HighCA
How I came to this?
By inspecting the certificate returned by Facebook you find it's issuer:
openssl s_client -connect graph.facebook.com:443 -showcerts </dev/null
2>/dev/null|openssl x509 -outform PEM > ~/graph.facebook.com.pem
keytool -importcert -keystore tempstore.jks -storetype JKS -file
~/graph.facebook.com.pem -alias facebook.com
(type some password, and inspect the certificate - no need to confirm it)
In certificate details there is URL to issuer CA certificate I used above.
It is issuer CA that your want in your truststore, rather than
graph.facebook.com certificate. That certificate is also part of
cacerts file where all the certificate trusted by default are located.
Which is the next point - it's easy to manually start with default
truststore, rather than empty one. Just copy the default truststore
and change its password:
cp $JAVA_HOME/jre/lib/security/cacerts truststore.jks
keytool -keystore truststore.jks -storepasswd
When asked for password type: 'changeit' - that's java truststore's password.
When asked for new password type whatever you want.
That's all there is to it.
On Fri, Feb 12, 2016 at 11:49 AM, LEONARDO NUNES
<leo.nunes at gjccorp.com.br> wrote:
> 1+ to include cacerts from Java by default.
>
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Reply-To: "stian at redhat.com" <stian at redhat.com>
> Date: sexta-feira, 12 de fevereiro de 2016 07:43
> To: Marko Strukelj <mstrukel at redhat.com>
> Cc: Marek Posolda <mposolda at redhat.com>, Leonardo Nunes
> <leo.nunes at gjccorp.com.br>, "keycloak-user at lists.jboss.org"
> <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Failed to make identity provider oauth
> callback: javax.net.ssl.SSLHandshakeException
>
>
> On 12 February 2016 at 10:04, Marko Strukelj <mstrukel at redhat.com> wrote:
>>
>> When using 'truststore' provider it is up to you to make sure to
>> include all the certificates you trust. Configuration via
>> -Djavax.net.ssl.trustStore works the same - no automatic inclusion of
>> cacerts. But it sounds like a good usability feature to add a flag
>> that would automatically include cacerts as well. The problem is - it
>> happens occasionally that some CAs turn out not to be trustworthy, and
>> blindly importing all cacerts exposes you to that risk.
>
>
> How about having a flag that is enabled by default that includes cacerts
> from Java? I'd actually think that update from CA certs are more likely
> going to happen by updating Java rather than manually maintaining a
> truststore.
>
>>
>> One detail to emphasize, with third party not-self-signed certificates
>> it's important to include the CA certificate used to create the
>> specific server certificate, rather than the server certificate
>> itself. Facebook servers use different short-lived server certificates
>> - and with two consecutive requests you may be presented with two
>> different server certificates - but they are all issued by the same
>> long-lived trusted CA.
>>
>>
>>
>> On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>> > Facebook certificate should be signed by trusted authority, so it works
>> > with
>> > default JDK truststore. At least for me it always works.
>> >
>> > Shouldn't truststore SPI use both provided file + default JDK truststore
>> > by
>> > default? We may have flag to disable default JDK truststore, but not
>> > sure if
>> > it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache
>> > HTTP
>> > client provided by HttpClientProvider SPI?
>> >
>> > Marek
>> >
>> >
>> > On 11/02/16 15:23, Stian Thorgersen wrote:
>> >
>> > Does it work if you don't specify the truststore? That will use the
>> > default
>> > truststore provided by the JDK.
>> >
>> > Also, does your truststore contain the required CA certs? For Facebook
>> > to
>> > work it'll have to contain the required CA's for their certs
>> >
>> > On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes at gjccorp.com.br>
>> > wrote:
>> >>
>> >> Hi, i'm getting the error below when I try to login with Facebook.
>> >> I've followed the instructions at
>> >>
>> >> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore
>> >> and
>> >>
>> >> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
>> >>
>> >> I was able to login with Facebook when trying at localhost. But at our
>> >> development server we are getting this error.
>> >>
>> >> We are using EAP in domain mode.
>> >>
>> >> The truststore I placed inside of keycloak-server.json
>> >> "truststore": {
>> >> "file": {
>> >> "file": "/home/soa/jboss/ssl/keycloak.jks",
>> >> "password": "keycloak123",
>> >> "hostname-verification-policy": "ANY",
>> >> "disabled": false
>> >> }
>> >> }
>> >>
>> >>
>> >> #######
>> >>
>> >> ERRO:
>> >>
>> >>
>> >> 2016-02-11 10:44:53,927 ERROR
>> >> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
>> >> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
>> >> callback: javax.net.ssl.SSLHandshakeException:
>> >> sun.security.validator.ValidatorException: PKIX path building failed:
>> >> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> >> find
>> >> valid certification path to requested target
>> >> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> >> [jsse.jar:1.8.0_45]
>> >> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
>> >> [jsse.jar:1.8.0_45]
>> >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>> >> [jsse.jar:1.8.0_45]
>> >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
>> >> [jsse.jar:1.8.0_45]
>> >> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
>> >> [jsse.jar:1.8.0_45]
>> >> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
>> >> [jsse.jar:1.8.0_45]
>> >> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
>> >> at
>> >>
>> >> org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>> >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> >> [rt.jar:1.8.0_45]
>> >> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >> org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at
>> >>
>> >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
>> >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>> >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>> >>
>> >> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>> >> [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
>> >> at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
>> >> at
>> >>
>> >> org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
>> >> at
>> >>
>> >> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
>> >> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
>> >> at
>> >>
>> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >>
>> >> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at
>> >> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
>> >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>> >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
>> >> Caused by: sun.security.validator.ValidatorException: PKIX path
>> >> building
>> >> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> >> unable
>> >> to find valid certification path to requested target
>> >> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>> >> [rt.jar:1.8.0_45]
>> >> at sun.security.validator.Validator.validate(Validator.java:260)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>> >> [jsse.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
>> >> [jsse.jar:1.8.0_45]
>> >> ... 50 more
>> >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> >> unable to find valid certification path to requested target
>> >> at
>> >>
>> >> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
>> >> [rt.jar:1.8.0_45]
>> >> at
>> >>
>> >> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>> >> [rt.jar:1.8.0_45]
>> >> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> >> [rt.jar:1.8.0_45]
>> >> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>> >> [rt.jar:1.8.0_45]
>> >> ... 56 more
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Leonardo Nunes
>> >> ________________________________
>> >> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se
>> >> você não for o destinatário ou a pessoa autorizada a receber esta
>> >> mensagem,
>> >> não poderá usar, copiar ou divulgar as informações nela contidas ou
>> >> tomar
>> >> qualquer ação baseada nessas informações. Se você recebeu esta mensagem
>> >> por
>> >> engano, por favor avise imediatamente o remetente, respondendo o e-mail
>> >> e em
>> >> seguida apague-o. Agradecemos sua cooperação.
>> >>
>> >> This message may contain confidential and/or privileged information. If
>> >> you are not the addressee or authorized to receive this for the
>> >> addressee,
>> >> you must not use, copy, disclose or take any action based on this
>> >> message or
>> >> any information herein. If you have received this message in error,
>> >> please
>> >> advise the sender immediately by reply e-mail and delete this message.
>> >> Thank
>> >> you for your cooperation
>> >>
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
More information about the keycloak-user
mailing list