Kcadm not working (SunCertPathBuilderException)

Hi,

I am trying to manage my Keycloak server with kcadm. The server is reachable via its public address "keycloak." and I can add realms/users/… within the web interface. This external address is routed via an nginx reverse proxy. The nginx server points to the internal server name (srv108.) and port (customized to 30110).
Now I am trying to manage the Keycloak server locally. I log in to the server, go to …/bin and call kcadm.sh as shown below:
./kcadm.sh config credentials --server https://172.6.66.108:30110/auth --realm master --user admin --password mypwd

When I run this, I get the following error message:

Failed to send request - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What do I have to do to solve this error (I am new to Keycloak)?

Regards

Dave

I tried to run the following command to add the certificate currently used by the server:

./kcadm.sh config truststore --trustpass pwd /home/appuser/data/certificates/keycloak_keystore.jks

Because this is a test server, the certificate is a self-signed one. As a result I got the message "Failed to send request - Certificate for <172.6.66.108> doesn't match any of the subject alternative names: []".

I definitely understand why this happens, but what can I do to solve it? Is there a switch to disable SSL temporarily? How do I have to customize the certificate?

Regards

Dave

How did you create your certificate? Did you add 172.6.66.108 as an alternative subject name with the -ext param?

Hi,

Thank you for the response. I have now created the certificate with the following commands:

openssl req -x509 -newkey rsa:4096 -keyout /home/appuser/data/certificates/key.pem -out /home/appuser/data/certificates/cer.pem -days ${CRT_VALIDITY} -nodes -subj "${SSLSUBJECT}" -addext "subjectAltName = DNS:${CRT_ALTNAME}"

openssl pkcs12 -export -in /home/appuser/data/certificates/cer.pem -inkey /home/appuser/data/certificates/key.pem -out /home/appuser/data/certificates/keycloak.p12 -passout pass:${KC_CERTPWD}

keytool -importkeystore -noprompt -deststorepass ${KC_CERTPWD} -destkeypass ${KC_CERTPWD} -destkeystore /home/appuser/data/certificates/keycloak_keystore.jks -srckeystore /home/appuser/data/certificates/keycloak.p12 -srcstoretype PKCS12 -srcstorepass ${KC_CERTPWD} -deststoretype pkcs12

When I run openssl x509 -text -noout -in /home/appuser/data/certificates/cer.pem

I see the following result:

    X509v3 Subject Alternative Name:
        DNS:172.6.66.108

In standalone.xml I added the following content:

<security-realm name="FrickeldaveRealm">
    <server-identities>
        <ssl>
            <keystore path="/home/appuser/data/certificates/keycloak_keystore.jks" keystore-password="#KC_CERTPWD#" />
        </ssl>
    </server-identities>
</security-realm>

Did I do something wrong?

Regards

Dave

Try replacing DNS with IP.
You can add multiple entries if you want, e.g. DNS:keycloak.domain.com,IP:172.6.66.108

Hi,

I have now tried changing the alternative name to IP, but no change. When running openssl x509 -text -noout -in /home/appuser/data/certificates/cer.pem I get the following output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:4c:66:d4:7c:03:98:36:bb:89:c1:a8:be:fa:24:95:d1:dd:fb:aa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = BAVARIAN, L = HOERGERTSHAUSEN, O = LOCALDEV, CN = KEYCLOAK.FRICKELDAVE.MAGIC
        Validity
            Not Before: Mar 27 15:02:51 2020 GMT
            Not After : Mar 25 15:02:51 2030 GMT
        Subject: C = DE, ST = BAVARIAN, L = HOERGERTSHAUSEN, O = LOCALDEV, CN = KEYCLOAK.FRICKELDAVE.MAGIC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:cb:3e:e7:08:e9:e7:ba:12:7c:bd:55:81:af:0c:
                     ....
                    4c:85:29:ee:30:1b:64:0d:46:a1:a7:cd:cc:6a:68:
                    94:1f:c6:12:8a:68:21:d6:ea:02:77:9b:b5:62:63:
                    60:f7:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                68:8F:3C:65:5E:70:29:51:D9:FB:A1:B7:E2:B1:40:00:8E:1D:2D:6D
            X509v3 Authority Key Identifier:
                keyid:68:8F:3C:65:5E:70:29:51:D9:FB:A1:B7:E2:B1:40:00:8E:1D:2D:6D

        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Alternative Name:
            IP Address:172.6.66.108
Signature Algorithm: sha256WithRSAEncryption
     0b:3b:15:18:ad:c5:dc:81:94:c9:c6:72:6b:c9:3d:23:7a:2d:
      ....
     01:cd:06:ba:65:39:34:42:8f:ae:4d:d6:e1:11:73:00:41:a2:
     2a:5f:71:19:81:c0:70:6b

I think this looks good, but I get the same message as before when trying to log in with kcadm, which says:

Failed to send request - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Any other idea?

Regards

Dave

Sorry, I can't help any further without seeing details of the setup. You could try searching for "kcadm SunCertPathBuilderException" on Google and see if somebody struggled with the same thing. The first result I got seems to be similar to your situation.
Good luck

It was my fault. In the second try I forgot to add the truststore with

./kcadm.sh config truststore --trustpass pwd /home/appuser/data/certificates/keycloak_keystore.jks

With this command and the alternative name pointing to "IP" it is working now.

Thanks a lot
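The thread ends with two fixes combined: the certificate must carry the server address as an IP-type subjectAltName (a DNS entry holding "172.6.66.108" does not satisfy an IP check, and a certificate with no SAN gives the "[]" error from the first post), and kcadm must be pointed at a truststore that contains that certificate, otherwise the PKIX path error remains. The script below is an added example, not code from the thread or from Keycloak: it builds three self-signed test certificates that differ only in their SAN, runs OpenSSL's own IP and hostname checks against each, and bundles the working one into the PKCS#12 file the thread hands to keytool. It assumes an OpenSSL 1.1.0 or newer CLI on PATH; the names keycloak.example.test and srv108.internal.test, the address 172.6.66.108 and the passphrase changeit are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keycloak.
# Builds three self-signed test certificates that differ only in their
# subjectAltName, shows which of them pass the IP-address and hostname
# checks a TLS client performs, and exports the working one as PKCS#12.
# Assumptions: OpenSSL >= 1.1.0 on PATH; keycloak.example.test,
# srv108.internal.test, 172.6.66.108 and the passphrase "changeit" are
# placeholders chosen for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN SAN
#   Writes $WORK/NAME.key and $WORK/NAME.pem. SAN is an OpenSSL
#   subjectAltName value such as "DNS:host,IP:1.2.3.4"; "" means no SAN.
#   Extensions come from a config file rather than -addext so the same
#   command also works on OpenSSL 1.1.0, which lacks -addext.
make_cert() {
    name="$1"; cn="$2"; san="$3"
    cfg="$WORK/$name.cnf"
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n'
        printf '[dn]\n'
        printf '[ext]\nbasicConstraints = CA:TRUE\n'   # what "req -x509" adds by default
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$cn" -config "$cfg" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# san_of CERT: print the SAN entries on one line, or "(none)" if absent.
san_of() {
    line="$(openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')"
    printf '%s\n' "${line:-(none)}"
}

# ip_check CERT IP: "match" if CERT verifies against itself as trust anchor
# and carries IP as an iPAddress SAN. OpenSSL never matches an IP literal
# against dNSName entries or the CN; Java clients behave the same way,
# which is why the DNS:172.6.66.108 certificate could not work for kcadm.
ip_check() {
    if openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# host_check CERT HOST: same check for a DNS name (dNSName SAN entries).
host_check() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# export_p12 NAME PASS: bundle key and certificate into $WORK/NAME.p12 (the
# input to "keytool -importkeystore" in the thread) and print the subject of
# the bundled certificate so the result can be checked without a JVM.
export_p12() {
    openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
        -name "$1" -out "$WORK/$1.p12" -passout "pass:$2"
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253
}

make_cert nosan    srv108.internal.test  ""
make_cert dns_only keycloak.example.test "DNS:172.6.66.108"
make_cert both     keycloak.example.test "DNS:keycloak.example.test,IP:172.6.66.108"

for c in nosan dns_only both; do
    printf '%-9s SAN=[%s] ip=%s host=%s\n' "$c" "$(san_of "$WORK/$c.pem")" \
        "$(ip_check "$WORK/$c.pem" 172.6.66.108)" \
        "$(host_check "$WORK/$c.pem" keycloak.example.test)"
done
export_p12 both changeit
```

Only the "both" certificate passes the IP check, and it also passes the hostname check, so the same certificate serves both the direct https://172.6.66.108:30110 connection and the name behind the nginx proxy. After the keytool import from the thread, the remaining steps are unchanged: `./kcadm.sh config truststore --trustpass <pass> <keystore>` followed by `./kcadm.sh config credentials --server https://172.6.66.108:30110/auth ...`. One caveat a practitioner would add: the truststore kcadm needs only has to contain the server's certificate, not its private key, so pointing kcadm at the server's own keystore (as in the thread) works but spreads the private key to every machine that runs kcadm; importing just cer.pem into a separate truststore with `keytool -importcert` avoids that.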