Here we all are, faced with figuring out this configuration ... again. It seems to change every time I get to do it. Here are some learnings I'd like to pass along.
Keycloak will not work with LDAPS by default: the certificate authority's public key (its root certificate) must be added to the truststore that Keycloak uses for outbound TLS, otherwise the LDAPS handshake to the AD server fails.
- To get the CA public key (see https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/export-root-certification-authority-certificate), run the following on your Windows AD server in a cmd shell (don't use PowerShell): certutil -ca.cert ca_name.cer
- Now you have your CA public key in a DER-formatted base64 text file. You need to load this into the truststore file on the Keycloak server, but where is it? In the past default locations were used; later you had to check the configuration file for your installation type (standalone.xml, standalone-ha.xml, or domain.xml). The server admin docs describe where to look in the configuration file: https://www.keycloak.org/docs/latest/server_admin/ (search for 'truststore').
- Once you have found the location of the truststore in the configuration file for your installation type (or added a truststore section to your configuration file that specifies the location), use the keytool utility to import the cert into that truststore: keytool -import -trustcacerts -alias ad_ca -file ca_name.cer -keystore path_to_keystore.jks
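To make the three steps above repeatable, here is an added example script (mine, not part of the original post): it detects whether the exported file is PEM or DER, imports it into a truststore under a fixed alias, checks that the alias is present, and then verifies that the LDAPS server's chain validates against the exported CA. The paths, alias, password and hostname are assumed placeholders; keytool and openssl are assumed to be installed on the Keycloak host.

```shell
#!/bin/sh
# Added example (not from the original post): import an AD CA certificate
# exported with "certutil -ca.cert ca_name.cer" into a Java truststore and
# verify the result. Paths, alias, password and host are assumed placeholders.

# Report whether a certificate file is PEM (base64 with BEGIN/END markers)
# or DER (raw binary). keytool accepts both; knowing which you have matters
# when you want to inspect the file with openssl (-inform pem|der).
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# Import the CA cert into the truststore under a stable alias. -trustcacerts
# tells keytool this is a CA cert; a named alias makes rotation/removal easy.
# Returns 0 on success, 2 if keytool is not installed, keytool's code otherwise.
import_ca() {
    cert="$1"; store="$2"; storepass="$3"; alias="${4:-ad-root-ca}"
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$cert" \
        -keystore "$store" -storepass "$storepass"
}

# Confirm the alias is now present in the truststore (0 = present).
verify_import() {
    store="$1"; storepass="$2"; alias="${3:-ad-root-ca}"
    keytool -list -keystore "$store" -storepass "$storepass" \
        -alias "$alias" >/dev/null 2>&1
}

# Show whether the chain the LDAPS server presents validates against the
# exported CA. A working setup prints "Verify return code: 0 (ok)".
check_ldaps() {
    host="$1"; cert="$2"
    openssl s_client -connect "$host:636" -CAfile "$cert" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Example invocation (assumed values):
#   import_ca ca_name.cer /opt/keycloak/conf/truststore.jks changeit ad-root-ca \
#     && verify_import /opt/keycloak/conf/truststore.jks changeit ad-root-ca \
#     && check_ldaps dc01.example.com ca_name.cer
```

The openssl check is the part worth keeping around: it separates "the CA cert is fine but Keycloak is reading a different truststore" from "the AD server is presenting a chain this CA does not sign", which are the two failure modes that look identical from the Keycloak error message. On the Quarkus-based Keycloak builds, the truststore Keycloak uses for LDAPS is the one named by the spi-truststore-file-file and spi-truststore-file-password options (this is from my own knowledge, not from the post), so the store you import into must be the one those options point at.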
This has worked for me perfectly in the past, and though I didn't add a section to my configuration file yet, I have not yet had success, and I think it may be that Keycloak is now using a different JKS file specified in the configuration file called https-keystore.jks. I can see the file but don't have the password to see if adding the cert there will get things working.
If I figure it out I'll try to remember to update this posting. In any case, I'm working towards switching to a Kubernetes-style installation which has a technique to make this work correctly once and for all ... but it doesn't. I currently have a ticket in for it, and I suspect it used to work, but then something changed and it broke there too ... just like the latest Docker image, which I'm currently using.
Here's hoping this configuration becomes a part of Keycloak and not something left up to folks to figure out on their own, as I believe this tends to push away potential Windows AD users. Good luck out there, everyone.