I'm trying to add LDAP user federation to Keycloak running on the official Docker image. I've used X509_CA_BUNDLE to add the CA certificate of our FreeIPA and it seems to be imported properly into the Java KeyStore file. But when editing the LDAP settings for the user federation provider I get success for 'Test Connection' and failure for 'Test Authentication'. The logs show:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I've found https://lists.jboss.org/pipermail/keycloak-user/2018-October/015706.html, which describes adding a truststore SPI. But should this not be handled by the code handling X509_CA_BUNDLE, since the Docker image is recreated when restarting Keycloak?
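For reference, the truststore SPI configuration the linked thread refers to, in the form Keycloak's server documentation gives for the keycloak-server subsystem in standalone.xml; this is an added example, not part of the original post. The keystore path and password are placeholders standing in for the keystore that holds the FreeIPA CA, and the LDAP provider's "Use Truststore SPI" setting must be set so that outgoing LDAPS connections consult this truststore rather than the JVM default.

```xml
<!-- Goes inside the keycloak-server subsystem element of standalone.xml.
     Placeholders: replace the file path and password with the truststore
     that actually contains the FreeIPA CA certificate. -->
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <!-- JKS file containing the trusted CA certificate(s) -->
            <property name="file" value="/path/to/truststore.jks"/>
            <!-- Password of that keystore -->
            <property name="password" value="TRUSTSTORE_PASSWORD_PLACEHOLDER"/>
            <!-- WILDCARD checks the LDAP hostname against the certificate,
                 allowing wildcard certificates; ANY would disable the check
                 and is not advisable outside of testing -->
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
```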