Problems reading Certificate Chain PEM Headers

When I try to authenticate with OCSP turned on I am getting the following error message while reading the SSL_CLIENT_CERT_CHAIN headers.

2019-12-30 15:45:09,162 WARN [org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup] (default task-1) org.keycloak.common.util.PemException: org.keycloak.common.util.PemException: java.io.IOException: Bad Base64 input character decimal 40 in array position 0: java.security.GeneralSecurityException: org.keycloak.common.util.PemException: org.keycloak.common.util.PemException: java.io.IOException: Bad Base64 input character decimal 40 in array position 0

I can read the SSL_CLIENT_CERT no problem, but the SSL_CLIENT_CERT_CHAIN is giving me this error.

This is from my standalone.xml

        <spi name="x509cert-lookup">
            <default-provider>apache</default-provider>
            <provider name="apache" enabled="true">
                <properties>
                    <property name="sslClientCert" value="SSL_CLIENT_CERT"/>
                    <!-- property name="sslCertChainPrefix" value="CERT_CHAIN"/ -->
                    <property name="sslCertChainPrefix" value="SSL_CLIENT_CERT_CHAIN"/>
                    <property name="certificateChainLength" value="3"/>
                </properties>
            </provider>
        </spi>

Any idea how to get it to read the Certificate Chain PEM correctly?


It seems that I am walking the exact path you walked last year - I always seem to find your post as I resolve my current problem. 🙂

We are seeing this same error message in our environment. Were you able to find a solution to your issue? Was the SSL_CLIENT_CERT_CHAIN not being passed in the http header information or did you find something else was causing this issue?

Following up on this - the problem in our environment was that the proxy was not requiring the client certificate for the request, and that is why Keycloak was not receiving the information.
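Added example (not code from the thread or from Keycloak): a small header inspector that mimics what the x509cert-lookup provider does with each forwarded value (strip the PEM markers and whitespace, Base64-decode) and reports, per header, whether it is missing, a placeholder, malformed Base64 or a plausible DER certificate. It assumes the header names the apache provider derives from the configuration in the first post (SSL_CLIENT_CERT, then SSL_CLIENT_CERT_CHAIN_0 to _2 for a chain length of 3), and it treats the literal value "(null)" specially because that is what Apache's mod_headers emits for an unset %{VAR}s expression, which is exactly what a proxy that never asked for a client certificate would forward; '(' is decimal 40, the character the error in the first post reports at position 0. The sample headers and the "certificate" body (a five-byte DER SEQUENCE) are constructed so the check runs offline.

```python
import base64
import binascii
import re

# Header names as the Keycloak "apache" x509cert-lookup provider derives them
# from the standalone.xml properties in the question: prefix, underscore, index.
# Assumption: the proxy forwards them under exactly these names.
SSL_CLIENT_CERT = "SSL_CLIENT_CERT"
SSL_CLIENT_CERT_CHAIN_PREFIX = "SSL_CLIENT_CERT_CHAIN"
CHAIN_LENGTH = 3

PEM_MARKERS = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")
BASE64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def inspect_pem_header(value):
    """Classify one forwarded certificate header the way a PEM decoder sees it.

    Returns a short diagnosis. "ok" means the body is clean Base64 whose decoded
    bytes start with the ASN.1 SEQUENCE tag (0x30), as every DER certificate does.
    """
    if value is None:
        return "missing"
    if value.strip() == "(null)":
        # Apache mod_headers expands an unset %{VAR}s as the literal "(null)";
        # '(' is decimal 40, the character the Keycloak error complains about.
        return "placeholder '(null)' (proxy had no certificate at this position)"
    # Apache replaces the PEM newlines with spaces when exporting to a header,
    # so drop the markers and all whitespace before looking at the Base64 body.
    body = re.sub(r"\s+", "", PEM_MARKERS.sub("", value))
    if not body:
        return "empty after stripping PEM markers"
    for pos, ch in enumerate(body):
        if ch not in BASE64_ALPHABET:
            # Same shape as the message in the question, for easy comparison.
            return "bad Base64 input character decimal %d in array position %d" % (
                ord(ch), pos)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return "Base64 decode failed: %s" % exc
    if not der or der[0] != 0x30:
        return "decoded bytes are not an ASN.1 SEQUENCE, so not a DER certificate"
    return "ok"


def inspect_headers(headers):
    """Check SSL_CLIENT_CERT and each SSL_CLIENT_CERT_CHAIN_<i> header in turn."""
    report = {SSL_CLIENT_CERT: inspect_pem_header(headers.get(SSL_CLIENT_CERT))}
    for i in range(CHAIN_LENGTH):
        name = "%s_%d" % (SSL_CLIENT_CERT_CHAIN_PREFIX, i)
        report[name] = inspect_pem_header(headers.get(name))
    return report


# Constructed sample: "MAMCAQE=" is the Base64 of the minimal DER SEQUENCE
# 30 03 02 01 01, standing in for a real certificate so the example runs offline.
FAKE_PEM = "-----BEGIN CERTIFICATE----- MAMCAQE= -----END CERTIFICATE-----"

# Constructed headers: a leaf that decodes, a chain slot the proxy never filled,
# a chain slot with a corrupted body, and a chain slot that was not sent at all.
SAMPLE_HEADERS = {
    SSL_CLIENT_CERT: FAKE_PEM,
    "SSL_CLIENT_CERT_CHAIN_0": "(null)",
    "SSL_CLIENT_CERT_CHAIN_1": "-----BEGIN CERTIFICATE----- MAMC!QE= -----END CERTIFICATE-----",
}

if __name__ == "__main__":
    for name, verdict in inspect_headers(SAMPLE_HEADERS).items():
        print("%-24s %s" % (name, verdict))
```

Run against the headers your proxy actually sends (for example dumped from a debug backend behind the same proxy rules): a "(null)" or "missing" verdict on the chain slots while SSL_CLIENT_CERT is "ok" points at the proxy configuration (the client certificate not being required, or the chain variables not exported) rather than at Keycloak's PEM parsing.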