Uploaded image for project: 'ENTSBT'
  1. ENTSBT
  2. ENTSBT-365

Keycloak: javax.net.ssl.SSLHandshakeException: PKIX path building failed

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 2.2.6.ER2
    • 2.2.6.ER2
    • keycloak
    • None
    • Documentation (Ref Guide, User Guide, etc.), Release Notes

      Keycloack app does not start with keycloack-springboot-starter 9.0.3.redhat-00002 included in SB 2.2.6.ER2.
      Its tested on OCP 3.11 against SSO image registry.access.redhat.com/redhat-sso-7/sso73-openshift:latest
      It fails with exception in log:

      2020-04-28 13:18:57.521  INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 10 ms
      2020-04-28 13:19:00.299  WARN 1 --- [nio-8080-exec-3] o.keycloak.adapters.KeycloakDeployment   : Failed to load URLs from https://secure-sso-lfuka.apps.perf2.xpaas/auth/realms/master/.well-known/openid-configuration
      
      javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[na:na]
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[na:na]
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[na:na]
      	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645) ~[na:na]
      	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464) ~[na:na]
      	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) ~[na:na]
      	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:na]
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:na]
      	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:na]
      	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[na:na]
      	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1144) ~[na:na]
      	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1055) ~[na:na]
      	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395) ~[na:na]
      	at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.keycloak.adapters.SniSSLSocketFactory.createLayeredSocket(SniSSLSocketFactory.java:119) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:114) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.12.jar!/:4.5.12]
      	at org.keycloak.adapters.KeycloakDeployment.getOidcConfiguration(KeycloakDeployment.java:219) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.KeycloakDeployment.resolveUrls(KeycloakDeployment.java:178) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.KeycloakDeployment.getRealmInfoUrl(KeycloakDeployment.java:232) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.rotation.AdapterTokenVerifier.createVerifier(AdapterTokenVerifier.java:107) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.rotation.AdapterTokenVerifier.verifyToken(AdapterTokenVerifier.java:47) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:103) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:88) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:67) ~[keycloak-adapter-core-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:203) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:50) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.doAuthenticate(KeycloakAuthenticatorValve.java:57) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:631) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) ~[spring-boot-container-bundle-9.0.3.redhat-00002.jar!/:9.0.3.redhat-00002]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.30.redhat-4.jar!/:9.0.30.redhat-4]
      	at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na]
      	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
      	at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
      	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na]
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na]
      	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629) ~[na:na]
      	... 51 common frames omitted
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
      	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
      	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
      	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
      	... 57 common frames omitted
      
      • Cause:

      The behavior of the Keycloak client that the Spring Boot Keycloak Starter is based on changes in version 9.0.3 of the Starter.
      The Keycloak client no longer relies on hardcoded token endpoint URLs.
      The client instead connects to a Keycloak resource server to obtain the token endpoint URLs before requesting a token.
      The client can only connect to the server using HTTPS, which is not possible when your client is using a self-signed certificate.
      Note, that this is not an issue with the code of the Starter and is done by design to improve security.

      • Workaround:

      1. Disable the Keycloak trust manager by adding the following property to your application.resources file.
      This allows the Keycloak client to obtain the endpoint addresses from the server using unsecured HTTP:

      keycloak.disable-trust-manager=true
      

              gtrikler@redhat.com Gytis Trikleris (Inactive)
              lfuka Libor Fuka
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: