Problem with HTTPS, Wildfly and Java adapters not trusting the Keycloak server

I'm running a working Keycloak 7 based system with everything working ok. Now, updating to Keycloak 12 and to the Keycloak container, I have a problem with the SSL cert.

I have a wildcard cert *.example.com and I have mounted that into the container as described in the docs, to /etc/x509/https/tls.crt and tls.key. I'm running in OpenShift and I have created the route keycloak-dev.example.com; the route has secure traffic set to passthrough, so the router doesn't do anything. The cert is installed fine and when connecting with a browser everything looks good.

But when I use the Java adapter or the Wildfly adapter I get the following.

12:27:23,664 WARN [org.keycloak.adapters.KeycloakDeployment] (default task-1) Failed to load URLs from …/auth/realms/myrealm/.well-known/openid-configuration: (…/realms/myrealm/.well-known/openid-configuration:) javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

It seems that Java is not trusting the GoDaddy cert. If I disable host verification it works, but I would rather not do that in production. I have mounted the GoDaddy CA into the container and added the X509_CA_BUNDLE env with a value pointing to that CA file.

When I use openssl to check the cert

openssl s_client -connect host:443

I get

depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = RHC Cloud Operations, CN = *.e4ff.pro-eu-west-1.openshiftapps.com

And that is the common ingress cert for OpenShift Online, not the one that I have added to Keycloak.

When running curl with -vvvv I get the correct cert CN.

Trying to figure out what I'm doing wrong.

Based on the log output, the keystore is created correctly when KC starts:

Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets...
HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
Creating Keycloak truststore...
Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
Warning: use -cacerts option to access cacerts keystore
Importing certificates from system's Java CA certificate bundle into Keycloak truststore...
Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
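The following diagnostic helpers are added example code written for this thread, not code from the original posters or from the Keycloak project. They assume openssl and keytool are on PATH; the hostnames, CA bundle path, truststore path, key alias and password are placeholders to replace. They cover the three checks behind the symptoms above: which leaf certificate the endpoint presents when SNI is sent explicitly (a passthrough route is selected by SNI, and a client that sends none gets the router's default ingress certificate, which is what the bare s_client call returned while curl, which sends SNI, showed the expected CN), whether the presented chain validates against the CA bundle the same way a Java TrustManager would, and how to build a truststore for the adapter's JVM.

```shell
#!/bin/sh
# Added diagnostic helpers, not from the original thread.
# Assumes: openssl and keytool on PATH; hostnames, file paths, alias and
# the truststore password below are placeholders you replace.

# Pull the CN out of an openssl "depth=N ..." or "subject=..." line.
# The greedy ".*" skips earlier RDNs, including ones with commas inside
# quotes such as O = "Red Hat, Inc.", so only the CN value is returned.
leaf_cn() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p'
}

# Report which leaf certificate the endpoint presents for a given name.
# -servername sends that name as SNI regardless of openssl version, which
# is what selects a passthrough route on an OpenShift router; without SNI
# the router answers with its default ingress certificate instead.
presented_cn() {
  host="$1"; port="${2:-443}"
  subject=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -noout -subject 2>/dev/null)
  leaf_cn "$subject"
}

# Verify the presented chain against a CA bundle (e.g. the mounted GoDaddy
# CA file). Exit status 0 means the bundle is sufficient; non-zero is the
# shell equivalent of the adapter's "PKIX path building failed".
verify_chain() {
  host="$1"; ca_bundle="$2"; port="${3:-443}"
  chain=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$chain"
  # The first cert in the file is the leaf; the rest serve as untrusted intermediates.
  if openssl verify -CAfile "$ca_bundle" -untrusted "$chain" "$chain"; then
    status=0
  else
    status=$?
  fi
  rm -f "$chain"
  return $status
}

# Build a JKS truststore containing the CA so the adapter's JVM trusts it.
# Point the adapter at it with "truststore" / "truststore-password" in
# keycloak.json, or the whole JVM with -Djavax.net.ssl.trustStore.
make_truststore() {
  ca_bundle="$1"; store="$2"; password="${3:-changeit}"   # placeholder password
  keytool -importcert -noprompt -trustcacerts -alias issuing-ca \
    -file "$ca_bundle" -keystore "$store" -storepass "$password"
}

# Example usage (placeholders): compare what the endpoint presents with
# what the CA bundle can validate.
# presented_cn keycloak-dev.example.com
# verify_chain keycloak-dev.example.com /path/to/godaddy-ca.pem
# make_truststore /path/to/godaddy-ca.pem /path/to/adapter-truststore.jks
```

If presented_cn shows the *.example.com wildcard but verify_chain still fails, the bundle is missing an intermediate rather than the root, and the adapter's truststore needs the full issuing chain; if presented_cn shows the router's own certificate, the route or SNI handling is the problem, not the truststore.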

Hi @tahonen, have you solved this issue? I am having this same problem.

Actually not, I hit weird DNS errors and everything broke. I rolled back to KC 7. Now, just a week ago, I updated to KC 15.0.2 and that seems to work ok.
