[keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
Niels Bertram
nielsbne at gmail.com
Tue Jun 7 05:01:15 EDT 2016
Oops, let's try that again... did you add -Dhttp.proxyHost=global.proxy.alcatel-lucent.com and -Dhttp.proxyPort=8000 to your server JAVA_OPTS?
On Tue, Jun 7, 2016 at 6:56 PM, Niels Bertram <nielsbne at gmail.com> wrote:
> That looks more like a proxy issue than SSL. Did you try adding
> -Dproxy.host
>
> On 7 Jun 2016, at 18:42, LI Ming <Ming.Li at alcatel-lucent.com> wrote:
>
> No, github is not working.
>
> BTW, my server needs http_proxy/https_proxy set to access github.com.
>
> wget --secure-protocol=TLSv1 github.com
>
> --2016-06-07 03:39:02-- http://github.com/
> Resolving global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)... 135.245.48.33
> Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected.
> Proxy request sent, awaiting response... 301 Moved Permanently
> Location: https://github.com/ [following]
> --2016-06-07 03:39:03-- https://github.com/
> Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected.
> Proxy request sent, awaiting response... 200 OK
> Length: unspecified [text/html]
> Saving to: 'index.html'
>
> [ <=> ] 25,508 --.-K/s in 0.03s
>
> 2016-06-07 03:39:03 (870 KB/s) - 'index.html' saved [25508]
>
> Github.com is accessible via the http proxy. I do not
> know why keycloak will complain about the certificate.
>
>
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Tuesday, June 07, 2016 4:07 PM
> *To:* LI Ming; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] When using Social Identity Provider, it
> failed with failure "Connection timed out"
>
>
>
> Hmm... is github working for you if you omit the "truststore"
> configuration in keycloak-server.json and use the default java cacerts file
> without any changes?
>
> Marek
>
> On 07/06/16 09:38, LI Ming wrote:
>
> Marek,
>
>
>
> I already set truststore file to the default java certificates file path
> in keycloak configuration file
> $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below:
>
> "truststore": {
>     "file": {
>         "file": "/usr/java/jre/lib/security/cacerts",
>         "password": "changeit",
>         "hostname-verification-policy": "ANY",
>         "disabled": false
>     }
> }
>
> And I put my customer certificate file in it also.
>
>
>
> Ming Li
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Tuesday, June 07, 2016 3:17 PM
> *To:* LI Ming; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] When using Social Identity Provider, it
> failed with failure "Connection timed out"
>
>
>
> It seems that's because Keycloak is not able to send a backchannel request
> to github due to the github certificate not being trusted.
>
> Are you using a custom truststore set with the truststore SPI or with the
> "javax.net.ssl.truststore" system property? I think that by default the github
> SSL certificate is verified by a well-known CA, so it shouldn't be an issue
> to connect to it if you use the default Java file with certificates
> (cacerts). However, if you have a custom truststore set, then the default java
> cacerts file is possibly not used, so well-known certificates like the one
> from github are not trusted. We should likely have a solution which will
> allow setting a custom truststore in addition to the default java cacerts file.
> But until we have it, you probably need to manually create a truststore file
> where you import both the "well-known" certificates together with your
> custom certificates.
>
> Marek
>
> On 07/06/16 08:02, LI Ming wrote:
>
> Hi,
>
>
>
> When I set up a social identity provider (GitHub) to authenticate the user,
> it always failed with the error below:
>
>
>
> 2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>     at java.net.Socket.connect(Socket.java:589)
>     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
>     at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
>     at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
>     at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
>     at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
>     at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
>     at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
>     at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
>     at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>     at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
>     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     …
>
> 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
>
>
>
> Can you help to identify the failure reason?
>
>
>
> Thanks,
>
>
>
> Ming Li
>
>
>
>
>
> _______________________________________________
>
> keycloak-user mailing list
>
> keycloak-user at lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
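
Added example (not part of the original thread, and not Keycloak code): the stack trace above fails inside the JDK's HTTPS URL handler (sun.net.www.protocol.https.HttpsClient), which takes its proxy from the https.proxyHost / https.proxyPort system properties and does not read the http_proxy / https_proxy environment variables that wget used. The script below converts those variables into JVM flags for JAVA_OPTS. The function names and the sample no_proxy value are hypothetical, and the proxy URL is constructed from the host and port quoted in the thread.

```shell
#!/bin/sh
# Added example: turn shell proxy variables into JVM proxy flags for JAVA_OPTS.
# Function names are hypothetical. Handles host names and IPv4 literals only.

# proxy_flags SCHEME URL -> "-D<SCHEME>.proxyHost=<host> -D<SCHEME>.proxyPort=<port>"
proxy_flags() {
    [ -n "$2" ] || return 0      # variable unset: emit nothing
    rest=${2#*://}               # drop the scheme, if any
    rest=${rest%%/*}             # drop any path
    rest=${rest##*@}             # drop user:password@ so credentials never reach JAVA_OPTS
    host=${rest%%:*}
    port=${rest##*:}
    case $rest in *:*) ;; *) port= ;; esac
    case $port in
        ''|*[!0-9]*) echo "no numeric port in proxy '$rest'" >&2; return 1 ;;
    esac
    printf '%s\n' "-D$1.proxyHost=$host -D$1.proxyPort=$port"
}

# non_proxy_flag LIST -> http.nonProxyHosts, which both JDK handlers consult.
# no_proxy is comma separated with ".suffix"; the JDK wants "|" and "*.suffix".
non_proxy_flag() {
    [ -n "$1" ] || return 0
    hosts=$(printf '%s' "$1" | tr -d ' ' | sed -e 's/,\./,*./g' -e 's/^\./*./' | tr ',' '|')
    printf '%s\n' "-Dhttp.nonProxyHosts=$hosts"
}

# jvm_proxy_opts HTTP_PROXY HTTPS_PROXY NO_PROXY -> one line of flags
jvm_proxy_opts() {
    a=$(proxy_flags http "$1") || return 1
    b=$(proxy_flags https "$2") || return 1
    c=$(non_proxy_flag "$3")
    out="$a${b:+ $b}${c:+ $c}"
    printf '%s\n' "${out# }"
}

# Constructed input: the proxy host and port quoted in the thread.
sample=http://global.proxy.alcatel-lucent.com:8000
jvm_proxy_opts "$sample" "$sample" "localhost,.internal.example"
```

Quote the result when appending it to JAVA_OPTS, because the http.nonProxyHosts value contains "|".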