Keycloak LDAPS does not find valid certification path to requested target in Production

I have deployed Keycloak 20 as a Kubernetes pod and tried to synchronize all the users from LDAPS.
Below is the list of steps followed:

1. Created a truststore (truststore.jks) file using the root and domain certificates by running the keytool command.

   ```
   keytool -import -alias vxx.xxxxx.com -keystore /opt/keycloak/data/keystore/truststore.jks -file /opt/keycloak/data/keystore/domain.cer
   keytool -import -alias root -keystore /opt/keycloak/data/keystore/truststore.jks -file /opt/keycloak/data/keystore/root.cer
   ```

2. Ran the kc.sh start script with the truststore (truststore.jks) file as mentioned in the official documentation:

   ```
   bin/kc.sh start --spi-truststore-file-file=truststore.jks --spi-truststore-file-password=changeit --spi-truststore-file-hostname-verification-policy=ANY
   ```

   NOTE: The above command is passed as arguments in the deployment.yaml. The truststore.jks and certificates are persisted in the persistent volume.

3. Now updated the User federation section of the Keycloak dashboard with all the details like the LDAPS endpoint, User DN, Bind DN and Bind Password.
4. After clicking the “Test Connection” button, it fails and prompts to check through the logs for the test connection failure. The logs show 2 to 3 types of errors, as mentioned below:

1. Could not negotiate TLS

   [keycloak_ldaps_error.log](https://github.com/keycloak/keycloak/files/10330397/keycloak_ldaps_error.log)
   [keycloak_ldaps_error.log](https://github.com/keycloak/keycloak/files/10330403/keycloak_ldaps_error.log)

2. PKIX path building failed. Unable to find valid certification path to requested target. (javax.naming.CommunicationException)
3. Connection or Outbound has closed.

NOTE: Repeated step 2 with the standard Java truststore configuration:

```
keytool -import -alias vxx.xxxxx.com -keystore /etc/java/java-11-openjdk/java-11-openjdk-11.0.17.0.8-2.el8_6.x86_64/lib/security/cacerts -file /opt/keycloak/data/keystore/domain.cer
keytool -import -alias root -keystore /etc/java/java-11-openjdk/java-11-openjdk-11.0.17.0.8-2.el8_6.x86_64/lib/security/cacerts -file /opt/keycloak/data/keystore/root.cer
```

There are no issues with the certificates, because the same LDAPS is properly integrated in another setup without Keycloak, using the same commercial certificates.

Please help me if there are any issues with the current procedure or anything is missing.