[keycloak-user] transient SSL certificate errors to AD/LDAPS

Mark Nuttall-Smith mnuttallsmith at flowtraders.com
Mon Jul 15 03:34:23 EDT 2019


Hi,

I've configured Keycloak to talk to an AD server using LDAPS. Everything works perfectly most of the time, but there are rare, transient errors caused by the following exception:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:262)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 18 more

Normally retrying the same query allows a user to log in again successfully (browser caches complicate things though).

We add the certificates to the keystore using the following approach in our kubernetes helm chart:

--------------------
    extraArgs: "-Djavax.net.ssl.trustStore=/opt/cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dkeycloak.import=/opt/import/realm.json"

    # This init container adds the certificates for the AD domain controllers to a keystore using a mounted ad-cacerts volume.
    # The same volume with the keystore is then mounted and used by the main keycloak container
    extraInitContainers: |
      - name: cacerts-init
        image: openjdk:8-jre
        command:
          - bash
        args:
          - -c
          - |
            cat $JAVA_HOME/lib/security/cacerts > /opt/cacerts/cacerts;
            for host in `getent ahosts mycompany.local | awk '{print $1}' | uniq`; do
              echo | openssl s_client -connect ${host}:3269 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${host}.cer ;
              keytool -keystore /opt/cacerts/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ${host} -file ${host}.cer
            done
        volumeMounts:
          - name: ad-cacerts
            mountPath: /opt/cacerts

    extraVolumes: |
      - name: ad-cacerts
        emptyDir: {}

    extraVolumeMounts: |
      - name: ad-cacerts
        mountPath: /opt/cacerts
-----------------------

Does anyone have an idea what could be the cause of these transient errors?

Thanks, Mark

Mark Nuttall-Smith
Software Engineer


Flow Traders

T: +31 20 799 8753
F: +31 20 799 6780

Jacob Bontiusplaats 9
1018 LL Amsterdam
Netherlands
www.flowtraders.com

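One check worth running when an LDAPS handshake fails only now and then is whether the truststore built by the init container actually holds an entry for every address the AD domain name currently resolves to (a domain controller that joined or renewed its certificate after the keystore was built will have no matching alias). The script below is an added example and is not part of the original post or the helm chart; the getent and keytool outputs it parses are constructed samples, and the alias-per-address convention matches the init container above.

```shell
#!/bin/sh
# Constructed sample of `getent ahosts mycompany.local`: three domain controllers,
# each address repeated once per socket type, exactly as getent prints it.
AHOSTS_SAMPLE='10.0.0.11      STREAM mycompany.local
10.0.0.11      DGRAM
10.0.0.11      RAW
10.0.0.12      STREAM
10.0.0.12      DGRAM
10.0.0.12      RAW
10.0.0.13      STREAM
10.0.0.13      DGRAM
10.0.0.13      RAW'

# Constructed sample of `keytool -list -keystore /opt/cacerts/cacerts -storepass changeit`
# for a truststore in which only two of the three controllers were imported.
KEYTOOL_SAMPLE='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

10.0.0.11, Jul 15, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
10.0.0.12, Jul 15, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'

# Unique addresses the domain name resolves to, one per line (first column of getent ahosts).
resolved_dcs() {
  printf '%s\n' "$1" | awk '{print $1}' | sort -u
}

# Aliases of trusted entries in keytool -list output; the alias precedes the first ", ".
truststore_aliases() {
  printf '%s\n' "$1" | awk -F', ' '/trustedCertEntry/ {print $1}' | sort -u
}

# Resolved addresses that have no trusted entry in the keystore, one per line.
# Any address listed here will fail PKIX path building while the others succeed.
missing_dcs() {
  aliases=$(truststore_aliases "$2")
  for dc in $(resolved_dcs "$1"); do
    printf '%s\n' "$aliases" | grep -qxF "$dc" || printf '%s\n' "$dc"
  done
}

# Live use: replace the samples with real command output, e.g.
#   missing_dcs "$(getent ahosts mycompany.local)" \
#               "$(keytool -list -keystore /opt/cacerts/cacerts -storepass changeit)"
missing_dcs "$AHOSTS_SAMPLE" "$KEYTOOL_SAMPLE"
```

With the samples above the script prints 10.0.0.13, the controller that the init container never imported; with live output an empty result means every currently resolved controller has an alias in the keystore.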

