ENTSBT-365

Keycloak: javax.net.ssl.SSLHandshakeException: PKIX path building failed


Details

    • Bug
    • Resolution: Done
    • Major
    • 2.2.6.ER2
    • 2.2.6.ER2
    • keycloak
    • None
    • Documentation (Ref Guide, User Guide, etc.), Release Notes

    Description

      Keycloak app does not start with keycloak-spring-boot-starter 9.0.3.redhat-00002 included in SB 2.2.6.ER2.
      It is tested on OCP 3.11 against the SSO image registry.access.redhat.com/redhat-sso-7/sso73-openshift:latest
      It fails with this exception in the log:

      2020-04-28 13:18:57.521  INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 10 ms
      2020-04-28 13:19:00.299  WARN 1 --- [nio-8080-exec-3] o.keycloak.adapters.KeycloakDeployment   : Failed to load URLs from https://secure-sso-lfuka.apps.perf2.xpaas/auth/realms/master/.well-known/openid-configuration
      
      javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[na:na]
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[na:na]
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[na:na]
      	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645) ~[na:na]
      	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464) ~[na:na]
      	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) ~[na:na]
      	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:na]
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:na]
      	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:na]
      	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[na:na]
      	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1144) ~[na:na]
      	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1055) ~[na:na]
      	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395) ~[na:na]
      	at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.keycloak.adapters.SniSSLSocketFactory.createLayeredSocket(SniSSLSocketFactory.java:119) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:114) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.keycloak.adapters.KeycloakDeployment.getOidcConfiguration(KeycloakDeployment.java:219) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.KeycloakDeployment.resolveUrls(KeycloakDeployment.java:178) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.KeycloakDeployment.getRealmInfoUrl(KeycloakDeployment.java:232) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.rotation.AdapterTokenVerifier.createVerifier(AdapterTokenVerifier.java:107) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.rotation.AdapterTokenVerifier.verifyToken(AdapterTokenVerifier.java:47) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:103) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:88) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:67) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:203) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:50) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.doAuthenticate(KeycloakAuthenticatorValve.java:57) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:631) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na]
      	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
      	at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
      	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na]
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na]
      	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629) ~[na:na]
      	... 51 common frames omitted
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
      	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
      	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
      	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
      	... 57 common frames omitted
      
      • Cause:

      The behavior of the Keycloak adapter that the Spring Boot Keycloak Starter is based on changed in version 9.0.3 of the Starter.
      The adapter no longer relies on hardcoded token endpoint URLs.
      Instead, before it can verify a token, it connects to the Keycloak server and fetches the realm's OpenID Connect discovery document (/auth/realms/<realm>/.well-known/openid-configuration) to resolve the endpoint URLs; in the trace above this happens from AdapterTokenVerifier while a bearer token is being checked.
      Because the auth server URL is HTTPS, this request goes through the Java TLS stack, and the handshake is rejected with "PKIX path building failed" when the SSO server presents a self-signed certificate (or one issued by a CA) that is not in the truststore the adapter uses. The certificate is rejected by the client, not by the server, which is why the application cannot proceed past this point.
      Note that this is not an issue with the code of the Starter and is done by design to improve security.

      • Workaround:

      1. Disable the Keycloak trust manager by adding the following property to your application.properties file.
      The adapter still connects to the server over HTTPS, but it no longer verifies the server certificate, so the self-signed certificate is accepted and the endpoint addresses can be obtained:

      keycloak.disable-trust-manager=true

      Caveat: with the trust manager disabled the adapter accepts any certificate, so the connection to the SSO server can be intercepted. Use this only in development. For a production deployment keep the trust manager enabled and instead import the SSO server's certificate (or its issuing CA) into a truststore and point the adapter at it with the keycloak.truststore and keycloak.truststore-password properties.
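      The failure above and the two ways out of it, as an added example that is not part of this issue and not code from the Keycloak adapter: a Go program (Go is used because its standard library can generate the certificate and run both ends in-process, offline) starts a TLS server with a freshly generated self-signed certificate that serves a constructed stand-in for the openid-configuration document, then fetches it three ways. With the default trust store the handshake fails with x509's "certificate signed by unknown authority", Go's counterpart of the JVM's "PKIX path building failed"; with the server certificate added to the client's root pool (what keycloak.truststore does) it succeeds; with InsecureSkipVerify (what keycloak.disable-trust-manager does) it also succeeds, but it would succeed just as well against an impostor. The hostname, serial number and JSON body are invented for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Outcome records what each client configuration saw against a self-signed server.
type Outcome struct {
	DefaultTrustFails bool // default trust store: handshake rejected
	UnknownAuthority  bool // specifically x509.UnknownAuthorityError, the PKIX analogue
	PinnedCAWorks     bool // server cert added to the client root pool (keycloak.truststore)
	SkipVerifyWorks   bool // verification disabled (keycloak.disable-trust-manager)
}

// selfSignedCert generates a throwaway self-signed certificate for 127.0.0.1,
// playing the role of an SSO route whose certificate is in no trust store.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),                                      // constructed value
		Subject:      pkix.Name{CommonName: "secure-sso.example.test"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// fetch performs one GET with the given client-side TLS settings and returns the body.
func fetch(cfg *tls.Config, url string) (string, error) {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo starts the self-signed server and tries the three client configurations.
func RunDemo() (Outcome, error) {
	var out Outcome
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return out, err
	}
	// Constructed stand-in for /auth/realms/master/.well-known/openid-configuration.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"issuer":"https://127.0.0.1/auth/realms/master","token_endpoint":"https://127.0.0.1/auth/realms/master/protocol/openid-connect/token"}`)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	url := srv.URL + "/auth/realms/master/.well-known/openid-configuration"

	// 1. Default trust store: nothing chains to the self-signed cert, so the handshake is rejected.
	_, err = fetch(&tls.Config{}, url)
	out.DefaultTrustFails = err != nil
	var unknown x509.UnknownAuthorityError
	out.UnknownAuthority = errors.As(err, &unknown)

	// 2. The proper fix: put the server's certificate (or its CA) in the client's trust store.
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	body, err := fetch(&tls.Config{RootCAs: pool}, url)
	out.PinnedCAWorks = err == nil && strings.Contains(body, "token_endpoint")

	// 3. The workaround: skip verification. Succeeds here, and would equally succeed
	// against a man-in-the-middle presenting any certificate at all.
	body, err = fetch(&tls.Config{InsecureSkipVerify: true}, url)
	out.SkipVerifyWorks = err == nil && strings.Contains(body, "token_endpoint")
	return out, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

      Run it with go run; the printed Outcome shows all three clients talking to the same server, and only the second one both succeeds and actually authenticates the peer. The JVM equivalent of case 2 is a JKS/PKCS12 truststore containing the SSO route's certificate, referenced through keycloak.truststore and keycloak.truststore-password.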
      

          People

            Assignee: Gytis Trikleris (gtrikler@redhat.com, Inactive)
            Reporter: Libor Fuka (lfuka)