TLS / SSL configuration within Kubernetes cluster

Hi together,

I’m getting the following error as soon as I try to request a resource from Keycloak via Spring Boot.

Failed to load URLs from https://keycloak.myDomain/auth/realms/myRealm/.well-known/openid-configuration

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I’m running Keycloak within a Kubernetes cluster which is managed by rancher.
I’m using the codecentric helm chart to deploy Keycloak.

This error, which I mentioned above, does not happen as soon as I use
keycloak.disable-trust-manager=true in my Spring application.properties file.
That led me to believe it is an issue with TLS/SSL.

Here are my Keycloak helm chart values:

tls:
  - hosts:
      - keycloak.myDomain
    secretName: "k8s-secret"

Here is my Spring Boot application.properties file:

keycloak.auth-server-url=https://keycloak.myDomain/auth
keycloak.ssl-required=external

I provide a certificate via cert-manager within Rancher for my keycloak.myDomain, to make sure this domain has HTTPS.

I read a lot of things about the truststore to enable SSL for Keycloak. My question is now: didn’t I do this already when I added the tls section to my values.yaml?
Or the other question would be, why is the cert which I created from my cert-manager not working?

Thanks for your explanations.

Best Regards
Johannes

Hello,
maybe it is just a formatting issue, but secretName should be in the same column as hosts.
Is there a certificate under “Secrets” in Rancher that was created from cert-manager for your domain?
cheers

Hi,

yes, this is just a formatting issue in this thread here; in my setup it’s correct.

I checked the certificate, and I have a certificate for keycloak.domain.de.

This error message appears when I have my Spring backend running locally, and this local Spring backend tries to connect to the Keycloak server.

Since the error message states "unable to find valid certification path to requested target", does target mean my local setup?

Best Regards

Does anyone have any more tips?

In my experience, this message merely means that something is wrong with the certificate validation; it does not tell you what. Try to enable SSL debugging to help you pinpoint the source of the problem.

Very likely the intermediate certificate(s) haven’t been added to the cert. Quite a regular issue for beginners with Let’s Encrypt certs.

Try to test that https://keycloak.myDomain with SSL Server Test (Powered by Qualys SSL Labs)

Wow, thank you very much 🙂

With this debugging enabled, I’m seeing an error message 🙂

%% Invalidated:  [Session-19, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown  

That looks like the issue I’m having.
But I’m not quite sure how this can happen.

@jangaraj
when I use the SSL Lab test I get a rating of A+, that looks fine to me.

Then it looks like you don’t have valid CA certificates available on your Java level. Make sure you have current CA certs installed (or managed by Rancher if it is possible).
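The two diagnoses in this thread (the server not sending its intermediate certificate, versus the local JVM having outdated CA certificates) produce the same "PKIX path building failed" text, and the "requested target" in that message is the server the client connected to, not the local setup. The following Java program is an added example for telling the two cases apart; it is not code from this thread, from Keycloak or from Spring. It reads a PEM file containing the chain as the server presents it (assumed to have been saved from the output of openssl s_client -showcerts against the Keycloak host), validates it against the JVM's default truststore through the same X509TrustManager a Spring Boot client uses when keycloak.disable-trust-manager is not set, and on failure reports which link is missing. The class name ChainCheck, the file path argument and the keycloak.myDomain host are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not from the thread): validate a server-presented PEM chain
 * against this JVM's default truststore and explain a PKIX failure.
 *
 * Usage: java ChainCheck chain.pem
 * where chain.pem holds the concatenated certificates printed by, for example,
 *   openssl s_client -connect keycloak.myDomain:443 -servername keycloak.myDomain -showcerts </dev/null
 * (keycloak.myDomain is the placeholder host used in the thread).
 */
public class ChainCheck {

    // Parse every "-----BEGIN CERTIFICATE-----" block in the file, in the order the server sent them.
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + path);
        }
        return chain;
    }

    // Trust manager backed by the JVM default truststore (cacerts, or whatever
    // -Djavax.net.ssl.trustStore points at); this is what the Spring client validates with.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the JVM default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // True if a trust anchor with exactly this subject name is installed.
    static boolean trustStoreHasSubject(X509TrustManager tm, X500Principal subject) {
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            if (anchor.getSubjectX500Principal().equals(subject)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ChainCheck chain.pem");
            System.exit(2);
        }
        List<X509Certificate> chain = loadChain(args[0]);
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            System.out.printf("[%d] subject: %s%n    issuer:  %s%n", i,
                    c.getSubjectX500Principal(), c.getIssuerX500Principal());
        }

        X509TrustManager tm = defaultTrustManager();
        X509Certificate leaf = chain.get(0);
        // checkServerTrusted applies key-usage rules per authType; choose one matching the leaf key type.
        String authType = "EC".equals(leaf.getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), authType);
            System.out.println("OK: chain validates against the JVM default truststore");
            return;
        } catch (CertificateException e) {
            System.out.println("FAIL: " + e.getMessage());
        }

        // The last certificate the server sent is the one the JVM could not link to a trust anchor.
        X509Certificate last = chain.get(chain.size() - 1);
        X500Principal missingIssuer = last.getIssuerX500Principal();
        if (trustStoreHasSubject(tm, missingIssuer)) {
            System.out.println("The issuer \"" + missingIssuer + "\" is trusted, so the chain links to a known"
                    + " root but still failed (check expiry, hostname or a revoked/broken intermediate).");
        } else if (chain.size() == 1) {
            System.out.println("Only the leaf certificate was presented: the server is not sending its"
                    + " intermediate certificate(s).");
        } else {
            System.out.println("The issuer \"" + missingIssuer + "\" is not in the JVM truststore: either a"
                    + " further intermediate is missing from the server, or the JVM's CA certificates are outdated.");
        }
    }
}
```

Run it against the chain captured from the server and compare with the chain captured from the browser-facing test (an A+ from SSL Labs only says what the server sends to modern clients; a JVM with an old cacerts file can still lack the root). If the program reports a missing intermediate, fix the secret that cert-manager produced or the server configuration; if it reports an untrusted issuer with a complete chain, update the JVM's CA certificates or point -Djavax.net.ssl.trustStore at a current one. Adding -Djavax.net.debug=ssl:handshake to the Spring JVM gives the same SSL debugging output shown earlier in the thread.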