I’m running a working Keycloak 7 based system with everything working OK. Now, updating to Keycloak 12 and to the Keycloak container, I have a problem with the SSL cert.
I have a wildcard cert *.example.com and I have mounted it into the container as described in the docs, at /etc/x509/https/tls.crt and tls.key. I’m running in OpenShift and I have created the route keycloak-dev.example.com; the route has secure traffic set to passthrough, so the router doesn’t do anything. The cert is installed fine and when connecting with a browser everything looks good.
But when I use the Java adapter or the WildFly adapter I get the following.
12:27:23,664 WARN [org.keycloak.adapters.KeycloakDeployment] (default task-1) Failed to load URLs from …/auth/realms/myrealm/.well-known/openid-configuration: (…/realms/myrealm/.well-known/openid-configuration:) javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
It seems that Java is not trusting the GoDaddy cert. If I disable host verification it works, but I would rather not do that in production. I have mounted the GoDaddy CA into the container and added the X509_CA_BUNDLE env with a value pointing to that CA file.
When I use openssl to check the cert
openssl s_client -connect host:443
depth=0 C = US, ST = North Carolina, L = Raleigh, O = “Red Hat, Inc.”, OU = RHC Cloud Operations, CN = *.e4ff.pro-eu-west-1.openshiftapps.com
And that is the common ingress cert for OpenShift Online, not the one that I have added to Keycloak.
When running curl with -vvvv I get the correct cert CN.
Trying to figure out what I’m doing wrong.
Based on the log output the keystore is created correctly when KC starts
Creating HTTPS keystore via OpenShift’s service serving x509 certificate secrets…
HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
Creating Keycloak truststore…
Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
Warning: use -cacerts option to access cacerts keystore
Importing certificates from system’s Java CA certificate bundle into Keycloak truststore…
Successfully imported certificates from system’s Java CA certificate bundle into Keycloak truststore at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
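A check I would run next, as an added example that is not part of the original post and not Keycloak's own tooling: fetch the chain the route serves with and without SNI, and count how many certificates come back. Only the route name keycloak-dev.example.com is taken from the post; the function names and the constructed sample output are assumptions for illustration. Two facts behind it: a passthrough route on the OpenShift router is selected by the SNI name the client sends, and OpenSSL versions before 1.1.1 send no SNI unless -servername is given, so a bare `openssl s_client -connect host:443` can show the router's default ingress certificate while curl and browsers, which do send SNI, reach the intended one. Separately, Java's PKIX path builder needs every intermediate either served by the endpoint or present in its truststore, so the length of the served chain is worth knowing before touching X509_CA_BUNDLE.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Keycloak.
# Inspects the certificate chain a TLS endpoint serves, with and without SNI,
# and counts the certificates in a PEM bundle such as the mounted tls.crt.
# Host/route names are placeholders taken from the post.

# Parse the "Certificate chain" section of `openssl s_client -showcerts` output
# read from stdin; print one line per chain element as "<depth> <subject>".
parse_chain() {
  awk '
    /^Certificate chain/ { inchain = 1; next }
    inchain && /^---$/   { exit }            # "---" alone ends the chain section
    inchain && /^ *[0-9]+ s:/ {
      depth = $1
      sub(/^ *[0-9]+ s:/, "")                # strip the " N s:" prefix, keep the subject
      print depth " " $0
    }
  '
}

# Number of certificates the server sent (1 = leaf only, no intermediate served).
chain_length() { parse_chain | wc -l | tr -d ' '; }

# Subject of the leaf certificate (depth 0).
leaf_subject() { parse_chain | awk '$1 == 0 { sub(/^0 /, ""); print; exit }'; }

# Count certificates in a PEM bundle read from stdin (e.g. < /etc/x509/https/tls.crt).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' || true; }

# Live fetch (network; not exercised by the offline checks below).
# With $3 set, SNI is sent for that name; with $3 empty, no SNI is sent.
# -noservername needs OpenSSL 1.1.1+, which otherwise sends the -connect host as SNI;
# older versions send no SNI at all unless -servername is given, so drop the flag there.
fetch_chain() {
  local host=$1 port=${2:-443} servername=$3
  if [ -n "$servername" ]; then
    openssl s_client -connect "$host:$port" -servername "$servername" -showcerts </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:$port" -noservername -showcerts </dev/null 2>/dev/null
  fi
}

# Constructed sample of s_client -showcerts output: leaf plus one intermediate.
SAMPLE_CHAIN='CONNECTED(00000003)
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.example.com'

# Constructed sample where only the leaf is served: the shape that leaves a Java
# client with "unable to find valid certification path" unless its truststore
# already holds the intermediate.
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
---
Server certificate'

# Usage: ./check_chain.sh keycloak-dev.example.com [port] [sni-name]
# Run it once with the route name as SNI and once with "" as the third argument;
# a different leaf subject between the two runs means the router, not Keycloak,
# answered the no-SNI connection.
if [ $# -ge 1 ]; then
  out=$(fetch_chain "$1" "${2:-443}" "${3-$1}")
  echo "leaf:         $(printf '%s\n' "$out" | leaf_subject)"
  echo "chain length: $(printf '%s\n' "$out" | chain_length)"
fi
```

Compare the chain length with `pem_cert_count < /etc/x509/https/tls.crt`: if the mounted file holds only the leaf, nothing in the container can serve the GoDaddy intermediate, and every Java client will need it in its own truststore instead.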