[keycloak-user] Add CA certificates for LDAPS?

Marek Posolda mposolda at redhat.com
Mon Oct 1 14:14:22 EDT 2018


You can configure the Truststore SPI, which is mentioned in our docs 
here: 
https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore

Some additional notes around LDAP are here: 
https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl

Marek


On 01/10/18 13:27, Mathieu Poussin wrote:
> Hello.
>
> What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
>
> - The X509_CA_BUNDLE env variable thing (it's running in a container): I can see the certificates in the JKS store, but it looks like they are completely ignored by the app server.
> - Added a custom SPI to load a custom JKS store; same thing, no error at server start, but they are completely ignored by the app server.
>
> This is the error I am getting :
>
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>          at sun.security.validator.Validator.validate(Validator.java:262)
>          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>          ... 99 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>          ... 105 more
>
>
> Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort, but so far nothing else has worked); would there be a way to do that?
> Connecting over LDAP is not an option as this prevents some features from working, like password reset.
>
> Thanks.
>
>
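A worked version of the procedure Marek points to, added here as an example (it is not code from the thread or from the Keycloak project). It builds a JKS truststore from the CA chain, registers the file-based Truststore SPI on the WildFly instance with jboss-cli using the property names from the linked Truststore docs, and first proves with openssl that the chain in the PEM file is actually sufficient, which separates "wrong CA bundle" from "server reads a different truststore". The paths, the LDAP host, the password and the KC_TRUSTSTORE_APPLY switch are assumptions for the example.

```shell
#!/bin/sh
# Added example; not part of the mailing-list thread or the Keycloak project.
# Assumed locations (override via environment):
#   CA_PEM          PEM bundle with the LDAP server's root + intermediate CA(s)
#   TRUSTSTORE      JKS file the Truststore SPI will read
#   TRUSTSTORE_PASS keystore password (placeholder here; use a real secret)
#   LDAP_HOST       LDAPS server name (port 636)
#   KEYCLOAK_HOME   WildFly/Keycloak install directory
set -eu

# Independent chain check without Keycloak. "PKIX path building failed" means the
# JVM trust manager found no anchor; if openssl cannot build the path either, the
# bundle itself is incomplete (often a missing intermediate) and no SPI config helps.
verify_chain() {
  host=$1; ca_pem=$2
  openssl s_client -connect "$host:636" -servername "$host" \
    -CAfile "$ca_pem" -verify_return_error </dev/null >/dev/null 2>&1
}

# Build a JKS that holds ONLY the CA certificates. keytool imports one cert per
# call, so a multi-cert PEM bundle is split first.
make_truststore() {
  ca_pem=$1; jks=$2; pass=$3
  tmp=$(mktemp -d)
  awk -v dir="$tmp" 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++}
       n>0 {print > (dir "/ca-" n ".pem")}' "$ca_pem"
  for f in "$tmp"/ca-*.pem; do
    alias=$(basename "$f" .pem)
    keytool -importcert -noprompt -trustcacerts -alias "ldap-$alias" \
      -file "$f" -keystore "$jks" -storepass "$pass"
  done
  rm -rf "$tmp"
  keytool -list -keystore "$jks" -storepass "$pass"
}

# jboss-cli batch that registers the file provider of the Truststore SPI.
# Property names follow the Keycloak server installation docs; keep the
# hostname policy at WILDCARD or STRICT, "ANY" silently disables hostname checks.
render_truststore_cli() {
  jks=$1; pass=$2
  cat <<EOF
/subsystem=keycloak-server/spi=truststore/:add
/subsystem=keycloak-server/spi=truststore/provider=file/:add(properties={file => "$jks", password => "$pass", hostname-verification-policy => "WILDCARD", disabled => "false"}, enabled=true)
EOF
}

main() {
  ca_pem=${CA_PEM:-/etc/pki/ldap/ldap-ca-chain.pem}          # assumed path
  jks=${TRUSTSTORE:-/etc/pki/keycloak/ldap-truststore.jks}   # assumed path
  pass=${TRUSTSTORE_PASS:-changeit}                           # placeholder
  ldap_host=${LDAP_HOST:-ldap.example.com}                    # assumed host
  kc_home=${KEYCLOAK_HOME:-/opt/jboss/keycloak}               # assumed path

  if ! verify_chain "$ldap_host" "$ca_pem"; then
    echo "openssl cannot validate $ldap_host:636 with $ca_pem; fix the CA bundle first" >&2
    exit 1
  fi
  make_truststore "$ca_pem" "$jks" "$pass"
  render_truststore_cli "$jks" "$pass" > "$kc_home/truststore.cli"
  "$kc_home/bin/jboss-cli.sh" --connect --file="$kc_home/truststore.cli"
  echo "Restart Keycloak, then set 'Use Truststore SPI' to 'Always' on the LDAP user federation provider."
}

# Only apply changes when explicitly asked, so sourcing the file is side-effect free.
if [ "${KC_TRUSTSTORE_APPLY:-0}" = 1 ]; then main; fi
```

Run it with `KC_TRUSTSTORE_APPLY=1 CA_PEM=... LDAP_HOST=... sh add-ldap-ca.sh`. The truststore file provider is read at server start, so a restart is needed after the CLI change, and the LDAP provider's "Use Truststore SPI" setting has to point at it; with that in place there is no need for the "disable verification" last resort from the question.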