[keycloak-user] Trouble with initial SSL handshake from client

Chris Benninger cbenninger at phemi.com
Wed May 10 12:25:15 EDT 2017


Ok I solved it. Turned out it was my fault, the cert I generated had a typo
in the CN field. Apologies for cluttering the list.

On Tue, May 9, 2017 at 2:27 PM, Chris Benninger <cbenninger at phemi.com>
wrote:

> Hi,
>
> I just moved my dev setup from HTTP to HTTPS. Right now I have a
> self-signed cert.
>
> What I do is, set up a cert the usual way and configure keycloak.
> Everything is fine from the browser once I accept the cert.
>
> Then my backend service keycloak.conf has 'https' now in it. All good. In
> order to make my java service using keycloak client to trust it I have to
> add the cert to the trust store.
>
> I export the public cert
>
>> keytool -export -keystore keycloak.jks -alias keycloak -file keycloak.cer
>
>
> Then on the backend client, I import it to the default keystore
>
>> keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts
>> -alias keycloak -file keycloak.cer
>
>
> When I try to perform the first call on the backend service, it is still
> rejecting the cert for some reason. I can't get it to trust the thing.
>
> 2017-05-09 21:14:40,053 ERROR o.k.a.r.JWKPublicKeyLocator Error when
>> sending request to retrieve realm keys org.keycloak.adapters.HttpClientAdapterException:
>> IO error
>> ...
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
>> PKIX path validation failed: java.security.cert.CertPathValidatorException:
>> signature check failed
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> ~[?:1.8.0_111]
>> ...
>> Caused by: sun.security.validator.ValidatorException: PKIX path
>> validation failed: java.security.cert.CertPathValidatorException:
>> signature check failed
>
>
> If anyone has any insight it would be greatly appreciated
>

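The check a practitioner wants when a Java client keeps rejecting a self-signed cert is to separate the two ways the handshake can fail: the trust anchor in the truststore does not validate the certificate the server actually presents (a stale export, or a different key behind the same subject), or the chain is trusted but the CN/SAN does not match the host name in the adapter's URL. The script below is an added example, not code from the thread or from the Keycloak project; it reproduces both cases offline with openssl only, using constructed certificates, and shows that a DER export (what `keytool -export` writes) has the same fingerprint as the PEM it came from, which is the value to compare against `keytool -list -v` on the client's cacerts. It assumes openssl 1.1.1 or later on PATH; the host names `keycloak.example.com` and `keyclaok.example.com` and all file names are made up.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumes openssl >= 1.1.1.
# Every certificate, host name and path here is constructed for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <prefix> <cn>: self-signed cert whose SAN matches its CN,
# i.e. what the poster generated for the Keycloak server.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# export_der <prefix>: same DER encoding that `keytool -export` produces
# and that `keytool -import -trustcacerts` reads into cacerts.
export_der() {
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.cer"
}

# fingerprint <file> [PEM|DER]: SHA-256 fingerprint, comparable with the
# value `keytool -list -v -keystore cacerts -alias keycloak` prints.
fingerprint() {
  openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//'
}

# trust_check <trust-anchor-pem> <presented-pem> <hostname>
# Prints one of:
#   untrusted         anchor does not validate the presented cert (chain /
#                     signature problem: the truststore entry is not the cert
#                     the server serves)
#   hostname-mismatch chain validates, but CN/SAN does not match <hostname>
#   ok                both checks pass
trust_check() {
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo untrusted
  elif ! openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo hostname-mismatch
  else
    echo ok
  fi
}

# Constructed scenario: the cert the server presents, a stale cert with the
# same CN but a different key, and a cert with a typo in the CN.
make_cert server keycloak.example.com
make_cert stale  keycloak.example.com
make_cert typo   keyclaok.example.com
export_der server

echo "server PEM fingerprint: $(fingerprint "$WORK/server.pem")"
echo "server DER fingerprint: $(fingerprint "$WORK/server.cer" DER)"
echo "stale  PEM fingerprint: $(fingerprint "$WORK/stale.pem")"
echo "truststore holds server cert:  $(trust_check "$WORK/server.pem" "$WORK/server.pem" keycloak.example.com)"
echo "truststore holds stale cert:   $(trust_check "$WORK/stale.pem"  "$WORK/server.pem" keycloak.example.com)"
echo "CN typo, anchor matches cert:  $(trust_check "$WORK/typo.pem"   "$WORK/typo.pem"   keycloak.example.com)"
```

Against a live server, the presented certificate for the second argument of `trust_check` comes from `openssl s_client -connect host:443 -showcerts </dev/null`, and the first argument is the `.cer` exported from the Keycloak keystore; if the two fingerprints differ, the truststore import is not the fix, the export is.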
