PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hi,

I am using the Keycloak on Openshift, I installed using the 8.0.2 version of the operator, stood up a an example instance, created a client, all that is good.

I also have spring boot based java application that I am trying to secure using this Keycloak instance, I have configured Keycloak adapter that runs fine when I am using the with Keycloak with non-secure endpoint like Http, however when I use the Https endpoint that by created by default by the Openshift router, then run into below issues. I have used Postman to get a AccessToken, then when request to myservice is sent with JWT, when my service tries to validate it I am seeing following error in the logs

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) ~[na:na]
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290) ~[na:na]
	at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na]
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na]
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625) ~[na:na]
	... 111 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) ~[na:na]

full log is here https://gist.github.com/rareddy/86f2ed6008f5fdd1f0cdf3287b041a95, reading article here
https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html it says I am missing some public certs or trust store?

Can someone help give me a hint how can I fix this?

Thanks

Ramesh…

Hi,

Looks like you should configure a truststore in your configuration (application.properties or keycloak.json) so that you can pass cert and hostname verification.

You may also try to use the disable-trust-manager option to check in advance if that will be enough. Just make sure to enable it again otherwise your application won’t be validating certs properly when connecting through HTTPS.

See https://www.keycloak.org/docs/latest/securing_apps/#java-adapters.

Regards.
Pedro Igor

Pedro,

For configuring the truststore, does the Keycloak use the “OpenShift” service generated certificate? and/or is there a specific secret it is looking at for any custom certificates? I need to be able to weave this into the Teiid Operator based operand.

Ramesh…

Pedro,

After I imported the public certificate into a trust store and configured the keycloak properties I see
javax.net.ssl.SSLException: Certificate for <keycloak-demo.apps-crc.testing> doesn't match any of the subject alternative names: [keycloak.demo.svc, keycloak.demo.svc.cluster.local]
Can you suggest what I may be doing wrong?

Ramesh…

how is this issue fixed? similar error while configuring ldap in keycloak.

@rareddy were you able to solve it? Also how did you obtain the public certificates?

Hello @pedroigor ,
Hope you doing great.
I am pretty new to Keycloak and I have similar issue.
on my application properties I have added like

spring.security.oauth2.resourceserver.jwt.jwk-set-uri = https://localhost:8443/auth/realms/appsdeveloperblog/protocol/openid-connect/certs

But Still I getting below error.

org.springframework.security.authentication.AuthenticationServiceException: An error occurred while attempting to decode the Jwt: Couldn’t retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for “https://localhost:8443/auth/realms/appsdeveloperblog/protocol/openid-connect/certs”: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Can you please let me know what could be wrong?.

Regards,
Suresh