[keycloak-user] How to configure an enterprise TLS secured mail server
Aritz Maeztu
amaeztu at tesicnor.com
Mon Nov 14 02:32:17 EST 2016
Hello everybody,
I'm trying to configure Keycloak to send its e-mails using our company's
e-mail server. I have no problem doing it using a simple configuration
(just username and password, no encryption). However, our mail server
accepts TLS and we do use a custom certificate for it, but I don't know
how to make the Keycloak server trust it (I know I have to add it to the
JVM trusted certificates, but how to do it in WildFly?). Every tutorial I
read is for configuring WildFly itself to use the certificate and enable
SSL, but in this case WildFly would be the client. That's the error I
get while trying to send the e-mail (SSL handshake):
18:02:59,903 ERROR [org.keycloak.services] (default task-4) KC-SERVICES0088: Failed to send execute actions email: org.keycloak.email.EmailException: Failed to template email
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:133)
    at org.keycloak.services.resources.admin.UsersResource.executeActionsEmail(UsersResource.java:855)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:127)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
    ... 54 more
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2046)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:711)
    at javax.mail.Service.connect(Service.java:366)
    at javax.mail.Service.connect(Service.java:246)
    at javax.mail.Service.connect(Service.java:267)
    at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:120)
    ... 56 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:598)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:525)
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2041)
    ... 61 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 71 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 77 more
Any idea about this? Thanks!
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
Before printing this e-mail, think carefully about whether it is really necessary: the environment is everyone's responsibility.
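The failure in the trace ("PKIX path building failed ... unable to find valid certification path") means the JVM's default trust manager could not chain the SMTP server's certificate to any CA it trusts; WildFly is the TLS client here, so the fix is on the client side. The script below is an added example, not code from the original post or from Keycloak/WildFly: it imports the private CA (obtained out of band from the PKI team, not scraped from the server) into a copy of the JDK's `cacerts`, checks the server's STARTTLS chain with `openssl` against that CA alone, and prints the `JAVA_OPTS` line for `bin/standalone.conf`. The Java 8 `cacerts` path, the `standalone.conf` layout, the alias, the host name and the file names are assumptions to adjust for your environment; the `openssl` and `keytool` flags are the real ones.

```shell
#!/bin/sh
# Added example (not from the original post): let the WildFly/Keycloak JVM
# trust a private CA for SMTP STARTTLS. Paths, alias and host are assumptions.
set -eu

# Count the certificates in a PEM bundle (one BEGIN CERTIFICATE line each).
pem_cert_count() {
  grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into <prefix>-1.pem, <prefix>-2.pem, ... so the issuing
# CA can be picked out of a chain file instead of importing the leaf cert.
pem_split() {
  bundle=$1; prefix=$2
  awk -v p="$prefix" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem" }
    n > 0 { print > out }
    /^-----END CERTIFICATE-----/ { close(out) }
  ' "$bundle"
}

# JVM options that point the default trust manager at our truststore.
# These go into JAVA_OPTS in bin/standalone.conf (assumed WildFly layout).
java_opts_for_truststore() {
  printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Build the truststore from a COPY of the JDK cacerts: javax.net.ssl.trustStore
# replaces the default store, so public roots would otherwise stop working.
# "changeit" is the JDK default; a truststore holds only public certificates.
build_truststore() {
  ca_pem=$1; store=$2
  cacerts="${JAVA_HOME:?JAVA_HOME must be set}/jre/lib/security/cacerts"  # Java 8 layout (assumption)
  cp "$cacerts" "$store"
  keytool -importcert -noprompt -trustcacerts -alias smtp-private-ca \
    -file "$ca_pem" -keystore "$store" -storepass changeit
}

# Independent check before touching WildFly: the handshake must verify using
# only the CA file we intend to trust (-verify_return_error makes openssl fail
# on a bad chain instead of just printing the error).
verify_smtp_chain() {
  host=$1; port=$2; ca_pem=$3
  openssl s_client -starttls smtp -connect "$host:$port" -CAfile "$ca_pem" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

if [ $# -ge 4 ]; then
  # Usage: sh trust-smtp-ca.sh mail.example.com 587 private-ca.pem /opt/keycloak/smtp-truststore.jks
  echo "found $(pem_cert_count "$3") certificate(s) in $3"
  verify_smtp_chain "$1" "$2" "$3"
  build_truststore "$3" "$4"
  echo "Add to JAVA_OPTS in bin/standalone.conf, then restart WildFly:"
  java_opts_for_truststore "$4" changeit; echo
fi
```

Two points a practitioner should keep in mind: the certificate to import is the issuing CA, not the server's leaf certificate, so the trust survives the server's next certificate renewal; and the truststore password on the command line is not a secret worth protecting (it only guards the integrity of a file of public certificates), unlike a keystore holding private keys. On Java 9 and later the default store lives at `$JAVA_HOME/lib/security/cacerts` instead.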