I am using Keycloak on OpenShift. I installed it using version 8.0.2 of the operator, stood up an example instance, created a client, and all of that is good.
I also have a Spring Boot based Java application that I am trying to secure using this Keycloak instance. I have configured the Keycloak adapter, and it runs fine when I use Keycloak through the non-secure HTTP endpoint; however, when I use the HTTPS endpoint created by default by the OpenShift router, I run into the issues below. I have used Postman to get an access token; then, when a request is sent to my service with the JWT and my service tries to validate it, I see the following error in the logs:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) ~[na:na]
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290) ~[na:na]
at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625) ~[na:na]
... 111 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) ~[na:na]
Looks like you should configure a truststore in your configuration (application.properties or keycloak.json) so that you can pass cert and hostname verification.
You may also try to use the disable-trust-manager option to check in advance if that will be enough. Just make sure to enable it again otherwise your application won’t be validating certs properly when connecting through HTTPS.
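The two checks that fail in this thread are separate steps of the adapter's HTTPS client: PKIX path building against the configured truststore (the first trace) and hostname verification against the dNSName entries of the leaf certificate's subjectAltName (the later "doesn't match any of the subject alternative names" error). The following is an added example, not code from this thread or from Keycloak; it reproduces both checks with the same JDK classes that appear in the trace so you can see which one rejects a given endpoint before touching the adapter config. It assumes a PEM file holding the chain the endpoint presents (leaf first, as written by `openssl s_client -showcerts`), a JKS or PKCS12 truststore, and the class name `TlsCheck`; the wildcard matcher is the example's own simplification of the RFC 6125 rules.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not from the thread or from Keycloak): runs the two checks the
 * adapter's HTTPS client performs before it can fetch the realm's JWKS.
 *
 *   java TlsCheck chain.pem truststore.p12 changeit keycloak-demo.apps-crc.testing
 *
 * chain.pem: the certificates the endpoint presents, leaf first, e.g. saved from
 *   openssl s_client -showcerts -servername HOST -connect HOST:443 </dev/null
 * truststore.p12: the JKS/PKCS12 file the adapter's "truststore" option points at.
 */
public final class TlsCheck {

    /** Builds the trust manager the adapter would build from its configured truststore. */
    static X509TrustManager trustManagerFrom(Path truststore, char[] password) throws Exception {
        // keytool's default format; JDK 9+ auto-detects JKS vs PKCS12 on load.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager for " + truststore);
    }

    /** Reads a PEM file holding the presented chain, leaf certificate first. */
    static X509Certificate[] chainFrom(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Check 1: PKIX path building. Returns null on success, else the validator's message. */
    static String pathProblem(X509TrustManager tm, X509Certificate[] chain) {
        try {
            // "UNKNOWN" is the authType the JDK itself passes for TLS 1.3 server certificates.
            tm.checkServerTrusted(chain, "UNKNOWN");
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    /** dNSName entries of the leaf's subjectAltName, the list printed in the mismatch error. */
    static List<String> dnsNames(X509Certificate leaf) throws CertificateException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) {   // GeneralName type 2 = dNSName
                    names.add((String) san.get(1));
                }
            }
        }
        return names;
    }

    /**
     * Check 2: hostname verification, simplified to the rules that matter here: a
     * case-insensitive exact match, or a single leftmost "*" label standing for exactly
     * one label of the host name.
     */
    static boolean hostMatches(String host, String dnsName) {
        String h = host.toLowerCase(Locale.ROOT);
        String n = dnsName.toLowerCase(Locale.ROOT);
        if (!n.startsWith("*.")) {
            return h.equals(n);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot + 1).equals(n.substring(2));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TlsCheck <chain.pem> <truststore> <password> <hostname>");
            System.exit(2);
        }
        X509Certificate[] chain = chainFrom(Paths.get(args[0]));
        X509TrustManager tm = trustManagerFrom(Paths.get(args[1]), args[2].toCharArray());
        String host = args[3];

        String problem = pathProblem(tm, chain);
        System.out.println("1. path building against truststore: "
                + (problem == null ? "OK" : "FAILED: " + problem));

        List<String> names = dnsNames(chain[0]);
        boolean ok = names.stream().anyMatch(n -> hostMatches(host, n));
        System.out.println("2. hostname " + host
                + (ok ? " matches " : " does not match any of ") + names);
    }
}
```

Reading the two results together tells you which side to fix. Check 1 failing is the first trace in this thread: nothing in the truststore issues the chain the endpoint presents, so the issuer of that chain (for a CRC route, the ingress certificate the router serves) has to be imported, and the adapter pointed at the file with `keycloak.truststore` / `keycloak.truststore-password` in application.properties (or `truststore` / `truststore-password` in keycloak.json). Check 1 passing while check 2 fails with names like `keycloak.demo.svc` and `keycloak.demo.svc.cluster.local` means the truststore holds the certificate the pod serves on its in-cluster service (OpenShift's service-serving certificate, whose SANs are the service names), while `auth-server-url` points at the route hostname, which the router terminates with its own certificate; the URL and the trusted certificate have to describe the same endpoint, so either point `auth-server-url` at the service name and trust the service CA, or keep the route URL and trust the issuer of the route's certificate. `disable-trust-manager` and `allow-any-hostname` switch these two checks off respectively and are for confirming the diagnosis only.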
For configuring the truststore, does Keycloak use the OpenShift service-generated certificate, and/or is there a specific secret it looks at for any custom certificates? I need to be able to weave this into the Teiid Operator based operand.
After I imported the public certificate into a truststore and configured the keycloak properties, I see javax.net.ssl.SSLException: Certificate for <keycloak-demo.apps-crc.testing> doesn't match any of the subject alternative names: [keycloak.demo.svc, keycloak.demo.svc.cluster.local]
Can you suggest what I may be doing wrong?
org.springframework.security.authentication.AuthenticationServiceException: An error occurred while attempting to decode the Jwt: Couldn’t retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for “https://localhost:8443/auth/realms/appsdeveloperblog/protocol/openid-connect/certs”: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Hi, did you manage to work out this error? I am facing the same issue. I am using a valid web certificate but still getting the error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Hi, I'm making an HTTPS call from a pod and getting the error below. Can you please tell me what exactly I'm doing wrong?
hile attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://keycloak.keycloak:8443/auth/realms/snow/protocol/openid-connect/certs": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.getJwt(JwtAuthenticationProvider.java:103)
at org