LDAPS Docker Container


I am trying to configure a User Federation using LDAPS with my Active Directory provider. I am using Keycloak in a Docker Container. When I try to authenticate I get the following error:

ERROR [org.keycloak.services] (default task-2) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: MY_SERVER:636: javax.naming.CommunicationException: simple bind failed: MY_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

I spoke to my Active Directory Provider and got 3 .cer files as certificates. They told me all 3 are necessary. But now I am unsure on how I should use them.

In the Keycloak Forum (here) I found that I should configure the X509_CA_BUNDLE enviroment variable to be /var/run/secrets/kubernetes.io/serviceaccount/ca.crt . I could convert my .cer files to .crt files and copy them in that directory when creating the container, but this solution only works for one certificate if I am not mistaken.

How should I approach this?

Solved it by combining all the certificates into a .crt like shown here and then importing it like stated in the Keycloak Documentation.

Hi @jominga

I’m facing the same problem right now and I can’t figure out what to do using the official Keycloak documentation.

Using Docker-Compose I assume I have to simple mount the new Cert file into the container at the right place. The path you mentioned (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt) doesn’t exist in my running container!?!?

Do you have any hint?



Even if the path does not exist you can create it when specifying your volume in the docker-compose file.


version: "2.4"
    image: nginx:alpine
      - "80:80"
      - type: bind
        source: ./pathToCert
        target: /var/run/secrets/kubernetes.io/serviceaccount



See Compose file version 2 reference | Docker Documentation


Right now I just did:

keytool -import -trustcacerts -alias MYALAIS -file ./certs/myadcert.cer -keystore ./certs/cacerts

mount self created Java Cert Store with own Root CA cert from Active Directory

  - ./certs/cacerts:/etc/pki/java/cacerts

This works for me as I only need this single cert in the keystore.

I tried this approach, but I’m running into this error:

ERROR [org.keycloak.services] (default task-4) KC-SERVICES0055: 
Error when authenticating to LDAP: 
simple bind failed: <ldap-server-hostname>:636: 
simple bind failed: <ldap-server-hostname>:636 [Root exception is 
javax.net.ssl.SSLException: Unexpected error: 
the trustAnchors parameter must be non-empty]

Not sure on how to troubleshoot this. May be due to an incorrect password to the keystore? What should the password be?