Hello,
I am trying to configure a User Federation using LDAPS with my Active Directory provider. I am using Keycloak in a Docker Container. When I try to authenticate I get the following error:
ERROR [org.keycloak.services] (default task-2) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: MY_SERVER:636: javax.naming.CommunicationException: simple bind failed: MY_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
I spoke to my Active Directory Provider and got 3 .cer files as certificates. They told me all 3 are necessary. But now I am unsure on how I should use them.
In the Keycloak Forum (here) I found that I should configure the X509_CA_BUNDLE environment variable to be /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. I could convert my .cer files to .crt files and copy them into that directory when creating the container, but this solution only works for one certificate if I am not mistaken.
How should I approach this?
Solved it by combining all the certificates into a .crt like shown here and then importing it like stated in the Keycloak Documentation.
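Combining the three .cer files into one bundle, as an added example that is not part of this thread or of Keycloak itself: a short Python script that normalises each file to PEM (Windows exports .cer either as binary DER or as Base64 text), concatenates them into the single .crt that X509_CA_BUNDLE points at, and counts the blocks so an accidental binary file does not end up as unreadable junk in the bundle. The file names and certificate bytes are constructed placeholders, not real CA certificates.

```python
import base64
import re
import ssl

# Matches one PEM certificate block; tolerates CRLF line endings from Windows exports.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def to_pem(data: bytes) -> str:
    """Return the certificate in PEM form, whether the .cer file was PEM text or binary DER."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        match = PEM_BLOCK.search(data.decode("ascii"))
        if not match:
            raise ValueError("malformed PEM certificate")
        der = base64.b64decode("".join(match.group(1).split()))
    else:
        der = data
    # Every X.509 certificate is an ASN.1 SEQUENCE, whose DER tag byte is 0x30;
    # anything else is not a certificate and must not be bundled.
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    return ssl.DER_cert_to_PEM_cert(der)  # stdlib: wraps the Base64 with PEM header/footer


def build_bundle(cert_files: dict[str, bytes]) -> str:
    """Concatenate all certificates (in file-name order) into one PEM bundle."""
    return "".join(to_pem(data) for _, data in sorted(cert_files.items()))


def count_certs(bundle: str) -> int:
    """Sanity check: how many certificate blocks does the bundle really contain?"""
    return len(PEM_BLOCK.findall(bundle))


# Constructed placeholders standing in for the three .cer files from the AD provider.
# Real files would hold the root and intermediate CA certificates; these bytes are only a
# minimal DER SEQUENCE (INTEGER 1) so the script runs offline.
FAKE_DER = bytes.fromhex("3003020101")
SAMPLE_FILES = {
    "root.cer": FAKE_DER,                                              # binary DER export
    "intermediate.cer": ssl.DER_cert_to_PEM_cert(FAKE_DER)
        .replace("\n", "\r\n").encode("ascii"),                        # Base64 export, CRLF
    "issuing.cer": FAKE_DER,
}

if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_FILES)
    with open("ca-bundle.crt", "w") as f:
        f.write(bundle)
    print(f"wrote ca-bundle.crt with {count_certs(bundle)} certificate(s)")
```

Point X509_CA_BUNDLE at the written ca-bundle.crt (or mount it at the path the variable names). The block count is the check worth keeping: a bundle assembled with plain cat from DER files has zero readable blocks, and a truststore with zero trusted entries is exactly what the later "trustAnchors parameter must be non-empty" error in this thread reports for the keystore approach.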
Hi @jominga
I’m facing the same problem right now and I can’t figure out what to do using the official Keycloak documentation.
Using Docker-Compose I assume I have to simply mount the new cert file into the container at the right place. The path you mentioned (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt) doesn’t exist in my running container!?!?
Do you have any hint?
Thx
Hello,
Even if the path does not exist you can create it when specifying your volume in the docker-compose file.
Example:
version: "2.4"
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"
    volumes:
      - type: bind
        source: ./pathToCert
        target: /var/run/secrets/kubernetes.io/serviceaccount
networks:
  webnet:
volumes:
  mydata:
See Compose file version 2 reference | Docker Documentation
Thx.
Right now I just did:
keytool -import -trustcacerts -alias MYALAIS -file ./certs/myadcert.cer -keystore ./certs/cacerts
Mount the self-created Java cert store with the Root CA cert from Active Directory:
volumes:
  - ./certs/cacerts:/etc/pki/java/cacerts
This works for me as I only need this single cert in the keystore.
I tried this approach, but I’m running into this error:
ERROR [org.keycloak.services] (default task-4) KC-SERVICES0055:
Error when authenticating to LDAP:
simple bind failed: <ldap-server-hostname>:636:
javax.naming.CommunicationException:
simple bind failed: <ldap-server-hostname>:636 [Root exception is
javax.net.ssl.SSLException: Unexpected error:
java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty]
Not sure how to troubleshoot this. May be due to an incorrect password to the keystore? What should the password be?