[keycloak-user] transient SSL certificate errors to AD/LDAPS

Mark Nuttall-Smith mnuttallsmith at flowtraders.com
Mon Jul 15 05:11:00 EDT 2019


Hi,
Thanks for the suggestion, but only server side certificates are required for our AD set up.



Mark Nuttall-Smith
Software Engineer

Flow Traders

T: +31 20 799 8753
F: +31 20 799 6780

Jacob Bontiusplaats 9
1018 LL Amsterdam
Netherlands
www.flowtraders.com
-----Original Message-----
From: Nick Su [mailto:nicksu at m800.com]
Sent: Monday, July 15, 2019 9:40 AM
To: Mark Nuttall-Smith
Subject: Re: [keycloak-user] transient SSL certificate errors to AD/LDAPS

Hi

Does your LDAPS server require client verification as well?  I came across a similar issue months ago, and fixed it by providing a trust store and a keystore respectively to Java.

> On 15 Jul 2019, at 3:34 PM, Mark Nuttall-Smith <mnuttallsmith at flowtraders.com> wrote:
>
> Hi,
>
> I've configured Keycloak to talk to an AD server using LDAPS. Everything works perfectly most of the time, but there are rare, transient errors caused by the following exception:
>
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>        at sun.security.validator.Validator.validate(Validator.java:262)
>        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
>        ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>        ... 18 more
>
> Normally retrying the same query allows a user to log in again successfully (browser caches complicate things though).
>
> We add the certificates to the keystore using the following approach in our kubernetes helm chart:
>
> --------------------
>    extraArgs: "-Djavax.net.ssl.trustStore=/opt/cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dkeycloak.import=/opt/import/realm.json"
>
>    # This init container adds the certificates for the AD domain controllers to a keystore using a mounted ad-cacerts volume.
>    # The same volume with the keystore is then mounted and used by the main keycloak container
>    extraInitContainers: |
>      - name: cacerts-init
>        image: openjdk:8-jre
>        command:
>          - bash
>        args:
>          - -c
>          - |
>            # Start from the JRE's default trust store so the public CAs stay trusted
>            cat $JAVA_HOME/lib/security/cacerts > /opt/cacerts/cacerts;
>            # Only the DC addresses that resolve at pod start are visited here
>            for host in `getent ahosts mycompany.local | awk '{print $1}' | uniq`; do
>              # Without -showcerts, s_client prints only the DC's leaf certificate, not its issuing CA
>              echo | openssl s_client -connect ${host}:3269 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${host}.cer ;
>              # Each leaf certificate is trusted individually, keyed by the DC's IP address as alias
>              keytool -keystore /opt/cacerts/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ${host} -file ${host}.cer
>            done
>        volumeMounts:
>          - name: ad-cacerts
>            mountPath: /opt/cacerts
>
>    extraVolumes: |
>      - name: ad-cacerts
>        emptyDir: {}
>
>    extraVolumeMounts: |
>      - name: ad-cacerts
>        mountPath: /opt/cacerts
> -----------------------
>
> Does anyone have an idea what could be the cause of these transient errors?
>
> Thanks, Mark
>
> Flow Traders has its seat in Amsterdam, Netherlands, its registered office at Jacob Bontiusplaats 9, 1018 LL, Amsterdam, Netherlands and is registered with the Trade Registry of the Chamber of Commerce under number . This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. This message may not be forwarded or published to any other person than its addressees without Flow Traders's prior consent. Flow Traders accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


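A diagnostic to run from a pod that trusts the same CA material as Keycloak, added here as an example and not taken from the thread or from Keycloak: it resolves the AD domain name the way the init container does and reports, per domain controller, whether the presented chain validates against a PEM CA bundle. The domain name, port and CA file path are assumptions taken over from the thread; the CA bundle is assumed to have been exported from the keystore with keytool -exportcert -rfc.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify that every address the AD domain
# currently resolves to presents a certificate chain that validates against the
# CA bundle Keycloak trusts. A DC missing from the bundle shows up here before
# it shows up as a transient PKIX failure in Keycloak.

AD_DOMAIN="${AD_DOMAIN:-mycompany.local}"   # assumed, as in the thread
AD_PORT="${AD_PORT:-3269}"                   # Global Catalog over TLS, as in the thread
CA_FILE="${CA_FILE:-ad-ca.pem}"              # assumed PEM export of the trusted CA(s)

# Extract the numeric "Verify return code" from captured openssl s_client output.
# Prints 0 on success, the OpenSSL error number on failure, and "unknown" when
# no verify line is present (for example when the connection was refused).
verify_code() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${code:-unknown}"
}

# Subject of the leaf certificate the DC presented, so a failing host can be
# matched to the certificate it actually served.
leaf_subject() {
    printf '%s\n' "$1" | sed -n 's/^subject=//p' | head -n 1
}

# Connect to one DC, validate its chain against CA_FILE and print a TSV line:
# host, verify code, leaf subject. Returns non-zero if validation failed.
check_host() {
    host="$1"
    out=$(echo | openssl s_client -connect "${host}:${AD_PORT}" \
            -CAfile "$CA_FILE" -showcerts 2>&1)
    code=$(verify_code "$out")
    printf '%s\t%s\t%s\n' "$host" "$code" "$(leaf_subject "$out")"
    [ "$code" = "0" ]
}

# Resolve the domain name exactly as the init container does and check each DC.
check_all() {
    rc=0
    for h in $(getent ahosts "$AD_DOMAIN" | awk '{print $1}' | sort -u); do
        check_host "$h" || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Run it as `./check-dc-trust.sh --run` (name assumed); any line whose second column is not 0 is a DC that Keycloak would reject with the PKIX error from the thread.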


