I have spring boot with keycloak integration on kuberntes cluster. On production I certificate for SSL that is trusted for domain like "example.com". I configured my spring boot web application and keycloak to be under the same domain routing with ingress and providing SSL to reuse my certificate for the both servers.
https://example.com -> Spring boot
https://example.com/auth -> Keycloak
This works fine but when I try to obtain a token from my web application through the keycloak spring adapter, I receive the following error in the logs:
message: "failed to turn code into token"
stack_trace: "s.s.p.c.SunCertPathBuilderException: unable to find valid certification path to requested target
at s.s.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at s.s.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 95 common frames omitted
Wrapped by: s.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 89 common frames omitted
Wrapped by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at o.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570)
at o.keycloak.adapters.SniSSLSocketFactory.createLayeredSocket(SniSSLSocketFactory.java:114)
at o.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
at o.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at o.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415)
at o.a.h.i.c.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at o.a.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at o.a.h.i.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
at o.a.h.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
at o.a.h.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
at o.a.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
at o.a.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at o.a.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at o.a.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)
at o.k.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:335)
at o.k.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:280)
at o.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139)
at o.k.a.s.f.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:150)
at o.s.s.w.a.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at o.s.s.w.a.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at o.k.a.s.f.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:86)
at o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at o.s.s.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74)
at o.s.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
at o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at o.s.s.w.c.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at o.s.s.w.c.r.a.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at o.s.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
at o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at o.s.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at o.s.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at o.s.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at o.s.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
at o.a.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at o.a.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at o.s.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at o.s.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
at o.a.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at o.a.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at o.s.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92)
at o.s.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
at o.a.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at o.a.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at o.s.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
... 34 frames truncated
"
Requests
This error is because the trustore used to validate the TLS connection in your jvm doesn't trust the certificate you use for the keycloak server. Thus the request to turn the code into a token is never completed.
You need to add the CA certificate in your jvm trustore
As you are in a kubernetes environment, a easier way may be to use the facilities given by keycloak adapters (https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config):
trustore: to use a specific trustore to connect to keycloak
disable-trust-manager: to disable certificate verification (only for test)
Related
Connection string
url: jdbc:mariadb://xyz:3306/test?useSSL=true&trustStore=classpath:/path/truststore.jks&trustStorePassword=mypwd&keystoreStore=classpath:/path/keystore.jks&keystoreStorePassword=mypwd
when i connect mairadb with tls/ssl connection getting this error
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
how to connect ssl connection using mariadb in spring boot
I am trying to consume one of the rest service in wso2
"https://localhost:9443/api/identity/recovery/v0.9/recover-password?type=email¬ify=false" using rest template. But I am getting below exception
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://localhost:9443/api/identity/recovery/v0.9/recover-password": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:579)
at com.diligent.cdd.master.services.impl.UserServiceImpl.getWSO2ResetPWDKey(UserServiceImpl.java:49)
at com.diligent.cdd.master.services.impl.UserServiceImpl.resetUserPwd(UserServiceImpl.java:43)
at com.diligent.cdd.master.controllers.UserController.resetUserPassword(UserController.java:26)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:189)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
I have tried enabling ssl properties in my application by below,
server.ssl.key-store-type=JKS
server.ssl.key-store=classpath:wso2carbon.jks
server.ssl.key-store-password=wso2carbon
server.ssl.key-alias=wso2carbon
This happened because WSO2 Identity server expects the certificate of the application during SSL handshake and the certificate of the application is missing in the truststore. So what you have to do is,
Import the application's SSL public certificate into Identity Server's client-truststore.jks. It is located in /repository/resources/security/ folder.
You can use the following command to import into the client-truststore.
keytool -importcert -alias -file
-keystore ${IS_HOME}/repository/resources/security/client-truststore.jks
-storepass wso2carbon -noprompt
Restart the server.
You can refer this blog.
Hope this will resolve your issue
Getting below error in my spring mvc web app:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
when tried to ping the metadate hostname its connected,but on doing
curl https://abc/xyz/idp/metadata
got this error===
curl: (56) Received HTTP code 403 from proxy after CONNECT.
I have added the samlkeystore.jks file in security folder in classpath in securityContext.xml. And made the jks using keystore explorer tool. But this error is still being faced. My securityContext.xml is configured as in the sample saml document. is any this else for a https connection required?
Can somebody guide with the root cause?
I would like to put a XAdES-T signature on an XML file using xades4j. My application works if the timestamp provider is listening on an HTTP URI (e.g. http://tsa.starfieldtech.com/), but I get error messages (s. later) if the timestamp provider needs SSL connection (e.g. https://tsa.hiteles.gov.hu/ts).
How should I adjust my code? I have got an SSL certificate from the timestamp provider but I don't know how to use it...
Stacktrace with error details:
Exception in thread "main" xades4j.production.PropertyDataGenerationException: Property data generation failed for SignatureTimeStamp: cannot get a time-stamp
at xades4j.production.DataGenBaseTimeStamp.generatePropertyData(DataGenBaseTimeStamp.java:75)
at xades4j.production.PropertiesDataObjectsGeneratorImpl.doGenPropsData(PropertiesDataObjectsGeneratorImpl.java:86)
at xades4j.production.PropertiesDataObjectsGeneratorImpl.genPropsData(PropertiesDataObjectsGeneratorImpl.java:72)
at xades4j.production.PropertiesDataObjectsGeneratorImpl.generateUnsignedPropertiesData(PropertiesDataObjectsGeneratorImpl.java:64)
at xades4j.production.SignerBES.sign(SignerBES.java:275)
at xades4j.production.SignerBES.sign(SignerBES.java:122)
at xades4j.production.Enveloped.sign(Enveloped.java:68)
at hu.nisz.eszig.util.XadesTSigner.signXml(XadesTSigner.java:82)
at hu.nisz.eszig.util.test.XadesTTest.testXadesTSignAndCheckSign(XadesTTest.java:37)
at hu.nisz.eszig.util.test.XadesTTest.testTesztTankiadoWithStarfield(XadesTTest.java:28)
at hu.nisz.eszig.util.test.XadesTTest.main(XadesTTest.java:16)
Caused by: xades4j.providers.TimeStampTokenGenerationException: Error when connecting to the TSA
at xades4j.providers.impl.DefaultTimeStampTokenProvider.getResponse(DefaultTimeStampTokenProvider.java:152)
at xades4j.providers.impl.DefaultTimeStampTokenProvider.getTimeStampToken(DefaultTimeStampTokenProvider.java:102)
at xades4j.production.DataGenBaseTimeStamp.generatePropertyData(DataGenBaseTimeStamp.java:60)
... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at xades4j.providers.impl.DefaultTimeStampTokenProvider.getResponse(DefaultTimeStampTokenProvider.java:138)
... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 31 more
EDIT 1:
After I have put
System.setProperty("javax.net.debug", "all");
into my code I get a lot of debug message ending like this:
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E .......
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
EDIT 2:
I have managed to go further by putting the certificates into a truststore but I still have problems with the handshake. I seems to me my client cannot send the server an appropriate certificate:
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
...
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
I have finally manage to solve my problem based on this: why doesn't java send the client certificate during SSL handshake?
To achieve this I needed a truststore (truststore2.jks) containing the server's certificate chain and a keystore (govca_ssl_2.pfx) containing the client's certificate and the private key.
I'm trying to use SQL developer, but it won't connect using the proxy I specify in the preferences. I guess it's because of some kind of certificate error? Not sure. I'm getting the error:
No HTTP response received.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
at oracle.ide.webbrowser.HttpPing$PingRunnable.run(HttpPing.java:109)
at oracle.ide.webbrowser.ProxyOptions.doTask(ProxyOptions.java:522)
at oracle.ide.webbrowser.HttpPing.ping(HttpPing.java:74)
at oracle.ide.webbrowser.ProxySettingsPanel$5.run(ProxySettingsPanel.java:766)
at java.lang.Thread.run(Thread.java:619)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
... 15 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
... 21 more
This most likely means that the web server you are connecting to by SSL uses a certificate issued by an unknown authority. You want to add the certificate to your keystore (on the client).
See this article for instructions.
I think you don't install jdk yet. I recommand you if you use sql developer 1.5.1, you should use jdk 1.5.
One of the first rules of debugging errors: Google the error message you're getting, in quotes, like this: "unable to find valid certification path to". When I did this, I found lots of useful information that is probably relevant to you.