Keycloak app does not start with keycloak-springboot-starter 9.0.3.redhat-00002 included in SB 2.2.6.ER2.
It is tested on OCP 3.11 against the SSO image registry.access.redhat.com/redhat-sso-7/sso73-openshift:latest
It fails with the following exception in the log:
2020-04-28 13:18:57.521 INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 10 ms 2020-04-28 13:19:00.299 WARN 1 --- [nio-8080-exec-3] o.keycloak.adapters.KeycloakDeployment : Failed to load URLs from https://secure-sso-lfuka.apps.perf2.xpaas/auth/realms/master/.well-known/openid-configuration javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na] at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[na:na] at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[na:na] at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[na:na] at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645) ~[na:na] at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464) ~[na:na] at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) ~[na:na] at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na] at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:na] at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:na] at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:na] at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[na:na] at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1144) ~[na:na] at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1055) ~[na:na] at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395) ~[na:na] at 
org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570) ~[httpclient-4.5.12.jar!/:4.5.12] at org.keycloak.adapters.SniSSLSocketFactory.createLayeredSocket(SniSSLSocketFactory.java:119) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554) ~[httpclient-4.5.12.jar!/:4.5.12] at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:114) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.12.jar!/:4.5.12] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.12.jar!/:4.5.12] at org.keycloak.adapters.KeycloakDeployment.getOidcConfiguration(KeycloakDeployment.java:219) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at 
org.keycloak.adapters.KeycloakDeployment.resolveUrls(KeycloakDeployment.java:178) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.KeycloakDeployment.getRealmInfoUrl(KeycloakDeployment.java:232) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.rotation.AdapterTokenVerifier.createVerifier(AdapterTokenVerifier.java:107) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.rotation.AdapterTokenVerifier.verifyToken(AdapterTokenVerifier.java:47) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:103) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:88) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:67) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:203) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:50) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.doAuthenticate(KeycloakAuthenticatorValve.java:57) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:631) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at 
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4] at 
java.base/java.lang.Thread.run(Thread.java:834) ~[na:na] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na] at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na] at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na] at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na] at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na] at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na] at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629) ~[na:na] ... 51 common frames omitted Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na] at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na] at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na] at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na] ... 57 common frames omitted
- Cause:
The behavior of the Keycloak client on which the Spring Boot Keycloak Starter is based changed in version 9.0.3 of the Starter.
The Keycloak client no longer relies on hardcoded token endpoint URLs.
The client instead connects to a Keycloak resource server to obtain the token endpoint URLs before requesting a token.
The client can only connect to the server using HTTPS, which fails when the connection uses a self-signed certificate that the client's trust store does not trust (the "unable to find valid certification path" error in the trace above).
Note that this is not an issue with the Starter's code; the behavior is by design, to improve security.
- Workaround:
1. Disable the Keycloak trust manager by adding the following property to your application.resources file.
This makes the Keycloak client accept the server's certificate without validation when it obtains the endpoint addresses, so the HTTPS connection is no longer authenticated; the alternative is to make the server's certificate trusted by the client's trust store:
keycloak.disable-trust-manager=true