I am trying to manage my Keycloak server with kcadm. The server is reachable via its public address “keycloak.” and I can add realms/users/… within the web interface. This external address is routed via an nginx reverse proxy. The nginx server points to the internal server name (srv108.) and port (customized to 30110).
Now I am trying to manage the Keycloak server locally. I log in to the server, go to …/bin and call kcadm.sh as shown below:
./kcadm.sh config credentials --server https://172.6.66.108:30110/auth --realm master --user admin --password mypwd
When I try to call this, I get the following error message:
Failed to send request - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What do I have to do to solve this error? (I am new to Keycloak.)
Because this is a test server, the certificate is a self-signed one. As a result I got the message “Failed to send request - Certificate for <172.6.66.108> doesn’t match any of the subject alternative names: []”
I definitely understand why this happens, but what can I do to solve it? Is there a switch to disable SSL temporarily? How do I have to customize the certificate?
I have now tried to change the alternative name to the IP, but there is no change. When running openssl x509 -text -noout -in /home/appuser/data/certificates/cer.pem I get the following output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:4c:66:d4:7c:03:98:36:bb:89:c1:a8:be:fa:24:95:d1:dd:fb:aa
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = BAVARIAN, L = HOERGERTSHAUSEN, O = LOCALDEV, CN = KEYCLOAK.FRICKELDAVE.MAGIC
Validity
Not Before: Mar 27 15:02:51 2020 GMT
Not After : Mar 25 15:02:51 2030 GMT
Subject: C = DE, ST = BAVARIAN, L = HOERGERTSHAUSEN, O = LOCALDEV, CN = KEYCLOAK.FRICKELDAVE.MAGIC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:cb:3e:e7:08:e9:e7:ba:12:7c:bd:55:81:af:0c:
....
4c:85:29:ee:30:1b:64:0d:46:a1:a7:cd:cc:6a:68:
94:1f:c6:12:8a:68:21:d6:ea:02:77:9b:b5:62:63:
60:f7:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
68:8F:3C:65:5E:70:29:51:D9:FB:A1:B7:E2:B1:40:00:8E:1D:2D:6D
X509v3 Authority Key Identifier:
keyid:68:8F:3C:65:5E:70:29:51:D9:FB:A1:B7:E2:B1:40:00:8E:1D:2D:6D
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Alternative Name:
IP Address:172.6.66.108
Signature Algorithm: sha256WithRSAEncryption
0b:3b:15:18:ad:c5:dc:81:94:c9:c6:72:6b:c9:3d:23:7a:2d:
....
01:cd:06:ba:65:39:34:42:8f:ae:4d:d6:e1:11:73:00:41:a2:
2a:5f:71:19:81:c0:70:6b
I think this looks good, but I get the same message as before when trying to log in with kcadm, which says:
Failed to send request - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Sorry, can’t help any further without seeing details of the setup. You could try searching on “kcadm SunCertPathBuilderException” in Google and see if somebody struggled with the same. The first result I got seems to be similar to your situation.
Good luck
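
The two errors quoted in this thread come from two separate checks: matching the dialed address against the subject alternative names, and building a path to a trusted anchor. The following is an added example, not part of the original posts. It uses openssl's own verifier on a constructed throwaway certificate (the CN and the temp directory are assumptions, the IP is the one from the thread) to show that a correct IP SAN does not by itself make a self-signed certificate trusted.

```shell
#!/usr/bin/env bash
# Added example: constructed test certificate, not the poster's real one.
IP=172.6.66.108                 # address used in the thread
WORK=$(mktemp -d)               # throwaway directory (assumption)

# Self-signed certificate whose only SAN is the IP.
# -addext needs OpenSSL 1.1.1 or newer.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=LOCALDEV/CN=keycloak.example.test" \
    -addext "subjectAltName=IP:$IP" \
    -keyout "$WORK/key.pem" -out "$WORK/cer.pem" 2>/dev/null
}

# Check 1, name matching: does a SAN entry cover the address in $1?
# A failure here corresponds to the "doesn't match any of the
# subject alternative names" message.
san_matches_ip() {
  openssl x509 -in "$WORK/cer.pem" -noout -checkip "$1" 2>&1 \
    | grep -q "does match"
}

# Check 2, trust: can a path be built to a trust anchor?
# Extra arguments are passed to "openssl verify" so the caller picks
# the anchors. A failure here corresponds to "PKIX path building failed".
chain_ok() {
  openssl verify "$@" "$WORK/cer.pem" >/dev/null 2>&1
}

make_cert

san_matches_ip "$IP" && echo "SAN covers $IP"
san_matches_ip 10.0.0.1 || echo "SAN does not cover 10.0.0.1"

# No anchors at all: the SAN is fine, the chain still fails.
chain_ok -no-CAfile -no-CApath \
  || echo "untrusted: no anchor for the self-signed certificate"

# Certificate supplied as its own anchor, plus the IP check: passes.
chain_ok -CAfile "$WORK/cer.pem" -verify_ip "$IP" \
  && echo "trusted and name matches"
```

kcadm is a Java client, so its counterpart to the -CAfile argument is a truststore that contains the certificate.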