[keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Marek Posolda
mposolda at redhat.com
Wed Oct 12 03:03:11 EDT 2016
Thanks for your investigation. I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-3688. Feel free to add yourself as a watcher.
Marek
On 11/10/16 11:53, KASALA Štefan wrote:
>
> Hello,
>
> Finally we managed to fix the issue. The problem was with the
> org.apache.httpcomponents module on the Keycloak adapter side. We have
> there a JBoss EAP 6.3.0.GA installation, which has httpclient jar
> version 4.2.1. After debugging we found out the problem was SNI. SNI support
> in httpclient was added from version 4.3.2
> (https://issues.apache.org/jira/browse/HTTPCLIENT-1119). We managed to
> upgrade httpcomponents to the 4.3.6 and 4.3.3 versions, now it works fine.
>
> One more thanks for help.
>
> Stefan
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Tuesday, September 27, 2016 10:03 AM
> *To:* KASALA Štefan <Stefan.Kasala at posam.sk>;
> keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user]
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Found this during quick googling:
> http://stackoverflow.com/questions/9578129/exception-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated
> So it looks like a different Java version can possibly be an issue...
> Another possibility can be an expired certificate.
>
> If it's possible for you, I would try to generate a new keystore for
> auth-server and then export the new key again to the adapter truststore.
> Also it can help to check if moving both to Java 8 will help.
>
> Marek
>
> On 27/09/16 08:30, KASALA Štefan wrote:
>
> Hello,
>
> One more piece of information to add:
>
> - keycloak-as7-adapter-2.1.0 is running on JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) (Java 7)
> - keycloak-2.1.0.Final (server) is running on WildFly Core 2.0.10.Final (Java 8)
>
> Stefan
>
> *From:* KASALA Štefan
> *Sent:* Tuesday, September 27, 2016 8:02 AM
> *To:* 'Marek Posolda' <mposolda at redhat.com>; keycloak-user at lists.jboss.org
> *Subject:* RE: [keycloak-user]
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Hello,
>
> Thanks for the tip. If you check my first email, I already tried this
> configuration for the adapter.
>
> Our keycloak adapter config:
>
> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>   <realm name="governance">
>     ….
>     *<disable-trust-manager>true</disable-trust-manager>*
>     …
>   </realm>
>   <secure-deployment name="overlord-rtgov-ui.war">
>     …
>   </secure-deployment>
>   …
> </subsystem>
>
> We also tried:
>
>     …
>     *<truststore>/etc/pki/ca-trust/extracted/java/cacerts</truststore>*
>     *<truststore-password>cacerts_password</truststore-password>*
>     …
>
> But in all cases we get the exception -
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Stefan
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Monday, September 26, 2016 4:46 PM
> *To:* KASALA Štefan <Stefan.Kasala at posam.sk>; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user]
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> It seems you need to configure truststore on adapter side, so the
> adapter (which uses Apache HTTP Client under the hood) is able to
> communicate with Keycloak server and trust it. You can take a look
> at docs and see the options related to truststore [1] .
>
> [1]
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html
>
> Marek
>
> On 26/09/16 09:46, KASALA Štefan wrote:
>
> Hello,
>
> Please let me know if you need more information to make the
> problem easier to understand. Thanks a lot.
>
> Stefan
>
> *From:* keycloak-user-bounces at lists.jboss.org
> *Sent:* Thursday, September 22, 2016 10:55 AM
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user]
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Hello all,
>
> We have keycloak-2.1.0.Final server and
> keycloak-as7-adapter-2.1.0 adapter version installed. We are
> trying to configure an https proxy / lb for the keycloak server. I
> am getting the following error from the keycloak adapter after
> successful sign in to the keycloak server. Here is the keycloak
> adapter log part:
>
> 2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/
> 2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
> 2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
> 2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
> 2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
> 2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was no code
> 2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) redirecting to auth server
> 2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) callback uri: https://lbbams.intra.dcom.sk/rtgov-ui/
> 2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Sending redirect to login page: https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-connect/auth?response_type=code&client_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
> 2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&code=Q_sNdYGZ-St2psIoJwvTZCJTUgrvGwRlYaUprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
> 2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
> 2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
> 2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
> 2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
> 2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was a code, resolving
> 2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) checking state cookie for after code
> 2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) ** reseting application state cookie
> 2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_67]
>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]
>
> Our keycloak adapter config:
>
> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>   <realm name="governance">
>     <realm-public-key>public key string…</realm-public-key>
>     <auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>
>     <principal-attribute>preferred_username</principal-attribute>
>     <disable-trust-manager>true</disable-trust-manager>
>     <allow-any-hostname>true</allow-any-hostname>
>   </realm>
>   <secure-deployment name="overlord-rtgov-ui.war">
>     <realm>governance</realm>
>     <resource>rtgov-ui</resource>
>     <credential name="secret">password</credential>
>   </secure-deployment>
>   <secure-deployment name="overlord-rtgov.war">
>     <realm>governance</realm>
>     <resource>overlord-rtgov</resource>
>     <enable-basic-auth>true</enable-basic-auth>
>     <credential name="secret">password</credential>
>   </secure-deployment>
> </subsystem>
>
> Could you please help us, how can we fix this? Thanks a lot.
>
> Stefan Kasala.
>
> ------------------------------------------------------------------------
>
>
> This message is for the designated recipient only and may
> contain confidential or internal information. If you have
> received it in error, please notify the sender immediately and
> delete the original. Any other use of the e-mail by you is
> prohibited.
>
>
>
> _______________________________________________
>
> keycloak-user mailing list
>
> keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
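The thread's interim workarounds (`disable-trust-manager`, `allow-any-hostname`) switch off certificate and hostname validation on the adapter's connection to the auth server, and the real fix was a truststore plus an SNI-capable httpclient. The following audit script, added here as an example and not part of this thread or of Keycloak, parses an adapter subsystem XML and reports those settings; the sample config is constructed from the one quoted above with a placeholder auth-server-url, and the `HARDENED_CONFIG` variant shows the same realm with an explicit truststore instead of the bypass flags.

```python
# Audit a Keycloak adapter subsystem XML for weak TLS trust settings
# (added example; not Keycloak code). Sample config is constructed.
import xml.etree.ElementTree as ET

NS = {"kc": "urn:jboss:domain:keycloak:1.1"}

# Constructed from the config quoted in the thread; the URL is a placeholder.
WEAK_CONFIG = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <realm name="governance">
    <auth-server-url>https://auth.example.invalid/auth</auth-server-url>
    <disable-trust-manager>true</disable-trust-manager>
    <allow-any-hostname>true</allow-any-hostname>
  </realm>
  <secure-deployment name="overlord-rtgov-ui.war">
    <realm>governance</realm>
    <resource>rtgov-ui</resource>
  </secure-deployment>
</subsystem>"""

# Same config with the two bypass flags replaced by an explicit truststore.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "<disable-trust-manager>true</disable-trust-manager>",
    "<truststore>/etc/pki/ca-trust/extracted/java/cacerts</truststore>",
).replace("<allow-any-hostname>true</allow-any-hostname>", "")


def _is_true(el, tag):
    node = el.find(f"kc:{tag}", NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def audit_adapter_config(xml_text):
    """Return (scope, finding) pairs. Both <realm> and <secure-deployment>
    are checked, since a deployment can override the realm's settings."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.findall("kc:realm", NS) + root.findall("kc:secure-deployment", NS):
        scope = el.tag.rsplit("}", 1)[-1] + ":" + (el.get("name") or "?")
        url_node = el.find("kc:auth-server-url", NS)
        url = (url_node.text or "").strip() if url_node is not None else ""
        if _is_true(el, "disable-trust-manager"):
            findings.append((scope, "disable-trust-manager: server certificate is not validated"))
        if _is_true(el, "allow-any-hostname"):
            findings.append((scope, "allow-any-hostname: certificate hostname is not verified"))
        if url.startswith("https://") and not _is_true(el, "disable-trust-manager") \
                and el.find("kc:truststore", NS) is None:
            findings.append((scope, "https auth-server-url with no explicit truststore"))
    return findings
```

Run `audit_adapter_config(WEAK_CONFIG)` to see the two bypass findings and `audit_adapter_config(HARDENED_CONFIG)` for an empty result.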