javax.net.ssl.SSLHandshakeException when connecting keycloak to LDAP over SSL

I’m getting javax.net.ssl.SSLHandshakeException when I’m testing my ldap connection authentication. There’s no problem on testing the connection url but it is failing on testing authentication.

My dockerfile:

FROM quay.io/keycloak/keycloak:latest 

WORKDIR /opt/jboss/keycloak

COPY rootca.cer /opt/jboss/keycloak/standalone/configuration/ldap.cer
USER root
# RUN keytool -import -alias ldapcert -file /opt/jboss/keycloak/standalone/configuration/ldap.cer -keystore /lib/jvm/jre-17/lib/security/cacerts -storepass dummypassword-noprompt
RUN keytool -import -alias ldapcert -file /opt/jboss/keycloak/standalone/configuration/ldap.cer -keystore /opt/jboss/keycloak/standalone/configuration/key.jks -storepass dummypasword-noprompt



My docker compose:

 keycloak:
    container_name: keycloak
    build:
      context: .
      dockerfile: Dockerfile.keycloak
    command:
    - "start"
  
    restart: always
    environment:
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: keycloak
      KC_DB_PASSWORD: dummy
      KC_DB_USERNAME: dummy
      KC_DB_SCHEMA: public
      KC_PROXY: passthrough
      KEYCLOAK_ADMIN_PASSWORD: dummy
      KEYCLOAK_ADMIN: dummy
      KC_HOSTNAME_STRICT_BACKCHANNEL: 'false'
      KC_HTTP_ENABLED: 'true'
      PROXY_ADDRESS_FORWARDING: 'true'
      KC_HOSTNAME_STRICT: 'false'
      KC_HOSTNAME_STRICT_HTTPS: 'false'
      KC_METRICS_ENABLED: 'true'
      KC_HTTP_PORT: 8890
      KC_HTTPS_KEY_STORE_FILE: /opt/jboss/keycloak/standalone/configuration/key.jks
      KC_HTTPS_KEY_STORE_PASSWORD: dummypassword
      KC_HTTPS_TRUST_STORE_FILE: /opt/jboss/keycloak/standalone/configuration/key.jks
      KC_HTTPS_TRUST_STORE_PASSWORD: dummypassword
    ports:
       - "8890:8890"
    depends_on:
      - postgres

It’s seems like the truststore it not being loaded,my keycloak server logs:

`2023-04-25 18:20:24,877 ERROR [org.keycloak.services] (executor-thread-7) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: dummyurl javax.naming.CommunicationException: simple bind failed: dummyurl [Root exception is javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake]`

`at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)`

`at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2896)`

`at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)`

`at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)`

`at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)`

`at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)`

`at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)`

`at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)`

`at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:732)`

`at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)`

`at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)`

`at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)`

`at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.createLdapContext(LDAPContextManager.java:80)`

`at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.getLdapContext(LDAPContextManager.java:101)`

`at org.keycloak.services.managers.LDAPServerCapabilitiesManager.testLDAP(LDAPServerCapabilitiesManager.java:99)`

`at org.keycloak.services.resources.admin.TestLdapConnectionResource.testLDAPConnection(TestLdapConnectionResource.java:89)`

`at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)`

`at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)`

`at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)`

`at java.base/java.lang.reflect.Method.invoke(Method.java:568)`

`at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)`

`at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)`

`at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)`

`at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)`

`at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)`

`at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)`

`at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)`

`at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)`

`at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)`

`at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)`

`at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)`

`at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)`

`at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)`

`at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)`

`at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)`

`at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)`

`at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)`

`at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)`

`at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)`

`at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)`

`at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)`

`at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)`

`at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)`

`at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)`

`at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)`

`at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)`

`at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)`

`at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)`

`at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)`

`at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)`

`at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)`

`at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)`

`at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)`

`at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)`

`at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)`

`at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)`

`at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)`

`at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)`

`at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)`

`at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)`

`at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)`

`at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)`

`at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)`

`at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)`

`at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)`

`at java.base/java.lang.Thread.run(Thread.java:833)`

`Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake`

`at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1719)`

`at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1518)`

`at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)`

`at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)`

`at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:925)`

`at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1295)`

`at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)`

`at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)`

`at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:415)`

`at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:388)`

`at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)`

`at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)`

`... 65 more`

`Caused by: java.io.EOFException: SSL peer shut down incorrectly`

`at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:489)`

`at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)`

`at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)`

`at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)`

`at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)`

`... 75 more`2023-04-25 18:20:24,877 ERROR [org.keycloak.services] (executor-thread-7) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed:dummyurl javax.naming.CommunicationException: simple bind failed: dummyurl  [Root exception is javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake]

at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)

at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2896)

at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)

at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)

at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:732)

at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)

at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)

at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)

at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.createLdapContext(LDAPContextManager.java:80)

at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.getLdapContext(LDAPContextManager.java:101)

at org.keycloak.services.managers.LDAPServerCapabilitiesManager.testLDAP(LDAPServerCapabilitiesManager.java:99)

at org.keycloak.services.resources.admin.TestLdapConnectionResource.testLDAPConnection(TestLdapConnectionResource.java:89)

at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)

at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.base/java.lang.reflect.Method.invoke(Method.java:568)

at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)

at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)

at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)

at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)

at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)

at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)

at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)

at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)

at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)

at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)

at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)

at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)

at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)

at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)

at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)

at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)

at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)

at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)

at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)

at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)

at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)

at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)

at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)

at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)

at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)

at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)

at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)

at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)

at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)

at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)

at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)

at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)

at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)

at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)

at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)

at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)

at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)

at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)

at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)

at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)

at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)

at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)

at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)

at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)

at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)

at java.base/java.lang.Thread.run(Thread.java:833)

Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake

at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1719)

at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1518)

at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)

at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)

at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:925)

at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1295)

at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)

at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)

at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:415)

at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:388)

at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)

at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)

... 65 more

Caused by: java.io.EOFException: SSL peer shut down incorrectly

at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:489)

at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)

at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)

at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)

at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)

... 75 more

: