MS SQL Server trustServerCertificate property not working

I’m trying to set up keycloak 21.1.1 with an MS SQL Server database but keep receiving this error:

2023-06-12 02:56:06,791 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2023-06-12 02:56:06,791 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". ClientConnectionId:2ba75e50-05fb-46ab-a2fa-e72cf7198e3b

MS SQL Server is using a self-signed certificate and so I need to either pass “trustServerCertificate=true;” or “encrypt=false;” to the connection string. I’ve tried passing one or both of these parameters a variety of ways but none of them are taking effect:

  • Setting additional properties: --db-url-properties="trustServerCertificate=true;" (I have tried it with and without quotes, with and without the semicolon at the end)
  • Specifying the whole JDBC url: --db-url jdbc:sqlserver://127.0.0.1:1433;userName=sa;password=Testing1234;trustServerCertificate=true;
  • Setting environment variable JDBC_PARAMS="trustServerCertificate=true;" (again, with and without quotes, and with and without the semicolon)
  • All of the above using "encrypt=false;" instead

Any ideas why I can’t get either of these parameters to work?

Same issue here. I can start KC in production mode using the .conf file with the full JDBC url string but I can’t make it work with “kc start” and passing the JDBC parameters in the command. Documentation seems to be a bit short about this and I already tried all of those combinations you mention.

Did any of you solve this problem? I’m having the same problem here as well

I’ve been having the issue on Windows Server 2016. I found this previous fix from version 20. I added this to my keycloak.conf file:

db-url-database=keycloak23
db-url-host=server.domain.org
db-url-port=1433
db-url-properties=";trustServerCertificate=true;encrypted=false"

After some trial and error, I’ve at least stopped receiving PKIX errors, but now I’m getting

2024-02-01 11:43:17,020 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-02-01 11:43:18,829 WARN  [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread) HHH000342: Could not obtain connection to query metadata: java.lang.NullPointerException: Cannot invoke "org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(java.sql.SQLException, String)" because the return value of "org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.sqlExceptionHelper()" is null
2024-02-01 11:43:24,611 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2024-02-01 11:43:24,611 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Acquisition timeout while waiting for new connection

So that’s…progress…?
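A check for the connection-string forms tried in this thread, written as an added example (it is not Keycloak’s or the JDBC driver’s code): it parses either a full jdbc:sqlserver URL or the bare db-url-properties suffix, reports whether the result is plaintext, TLS without certificate validation (trustServerCertificate=true) or validated TLS, and flags any key the driver will not recognise. It assumes the driver’s default of encrypt=true, and KNOWN_KEYS is a hand-picked subset of the driver’s property names.

```python
# Added example (not from the thread): parse the JDBC property forms tried above
# and report the TLS posture plus any property key the driver will not recognise.
KNOWN_KEYS = {  # subset of Microsoft JDBC driver property names relevant here
    "encrypt", "trustservercertificate", "hostnameincertificate",
    "truststore", "truststorepassword", "user", "username", "password",
    "databasename", "servername", "portnumber", "integratedsecurity",
}

def parse_jdbc_sqlserver(text: str) -> dict:
    """Accept a full 'jdbc:sqlserver://host:port;k=v;...' URL or a bare
    ';k=v;...' suffix (the db-url-properties form). Keys are lower-cased;
    surrounding quotes and empty segments from leading/trailing ';' are ignored."""
    s = text.strip().strip('"')
    host = None
    if s.lower().startswith("jdbc:sqlserver://"):
        host, _, s = s[len("jdbc:sqlserver://"):].partition(";")
    props = {}
    for seg in s.split(";"):
        key, sep, value = seg.strip().partition("=")
        if sep:  # skip blank segments and segments without '='
            props[key.strip().lower()] = value.strip()
    return {"host": host, "props": props}

def assess(text: str) -> dict:
    """Classify the connection as plaintext, TLS without certificate
    validation, or TLS with validation, and list unrecognised keys."""
    parsed = parse_jdbc_sqlserver(text)
    p = parsed["props"]
    # Assumption: the driver defaults to encrypt=true (true for the driver
    # shipped with Keycloak 21), which is why the PKIX error appears unasked.
    encrypt = p.get("encrypt", "true").lower()
    trust = p.get("trustservercertificate", "false").lower()
    if encrypt in ("false", "no"):
        mode = "plaintext"
    elif trust == "true":
        mode = "unverified-tls"  # self-signed cert accepted, no chain check
    else:
        mode = "verified-tls"
    unknown = sorted(k for k in p if k not in KNOWN_KEYS)
    return {"host": parsed["host"], "mode": mode, "unknown_keys": unknown}

if __name__ == "__main__":
    for sample in (  # the three forms from the thread
        "trustServerCertificate=true;",
        "jdbc:sqlserver://127.0.0.1:1433;userName=sa;password=Testing1234;trustServerCertificate=true;",
        '";trustServerCertificate=true;encrypted=false"',
    ):
        print(sample, "->", assess(sample))
```

For the keycloak.conf snippet in the last post the check reports unverified-tls and flags encrypted as unrecognised (the driver property is encrypt), which matches the PKIX error disappearing while the connection is no longer plaintext.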