TLS / SSL configuration within Kubernetes cluster

Hi all,

I’m getting the following error as soon as I try to request a resource from Keycloak via Spring Boot.

Failed to load URLs from https://keycloak.myDomain/auth/realms/myRealm/.well-known/openid-configuration PKIX path building failed: unable to find valid certification path to requested target

I’m running Keycloak within a Kubernetes cluster which is managed by Rancher.
I’m using the codecentric Helm chart to deploy Keycloak.

The error mentioned above does not occur as soon as I use
keycloak.disable-trust-manager=true in my Spring file.
That led me to believe it is an issue with TLS/SSL.

Here are my Keycloak Helm chart values:

- hosts:
    - keycloak.myDomain
  secretName: "k8s-secret"

Here is my Spring Boot file:

I provide a certificate via cert-manager within Rancher for keycloak.myDomain, to make sure this domain has HTTPS.

I read a lot about the truststore needed to enable SSL for Keycloak. My question now is: didn’t I already do this when I added the tls section to my values.yaml?
Or, the other question would be: why is the certificate I created with cert-manager not working?

Thanks for your explanations.

Best Regards

Maybe it is just a formatting issue, but secretName should be in the same column as
Is there a certificate under “Secrets” in Rancher that was created by cert-manager for your domain?

Yes, this is just a formatting issue here in the thread; in my setup it’s correct.

I checked the certificate, and I have a certificate for

This error message appears when I have my Spring backend running locally, and this local Spring backend tries to connect to the Keycloak server.

Since the error message states “unable to find valid certification path to requested target”, does target mean my local setup?

Best Regards

Does anyone have any more tips?

In my experience, this message merely means that something is wrong with the certificate validation; it does not tell you what. Try to enable SSL debugging to help you pinpoint the source of the problem.

Very likely the intermediate certificate(s) haven’t been added to the cert. Quite a regular issue for beginners with Let’s Encrypt certs.

Try to test that https://keycloak.myDomain with

Wow, thank you very much!

With this debugging enabled, I’m seeing an error message:

%% Invalidated:  [Session-19, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown

That looks like the issue I’m having.
But I’m not quite sure how this can happen.

When I use the SSL Labs test I get a rating of A+; that looks fine to me.

Then it looks like you don’t have valid CA certificates available at the Java level. Make sure you have current CA certs installed (or managed by Rancher, if that is possible).