
Problem using KeyCloak: PKIX path building failed #759

Open
4 tasks done
alessio-bernesco opened this issue Jan 9, 2025 · 4 comments
Labels
area/auth App authentication related issues scope/backend Related to backend changes status/triage/completed Automatic triage completed type/bug Something isn't working

@alessio-bernesco

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for an already existing issues here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

Hello,
I've added this to the config file:

server:
  ssl:
    trust-store: file:/etc/certs/mytruststore.jks
    trust-store-password: mypassword

and mounted a volume with the truststore, but I'm still unable to start the docker image.

The related error is:

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://mykeycloakinstance:9443/auth/realms/myrealm/.well-known/openid-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:890)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:870)
        at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:715)
        at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:163)
        at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:216)
        ... 98 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142)
        at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:75)
        at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
        at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:66)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:864)
        ... 101 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
        ... 119 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 124 common frames omitted

The certificate added to the truststore is a self-signed certificate, the same one used to add an https connection to KeyCloak.

How can I provide more insights?

Thanks,
Alessio

Expected behavior

No response

Your installation details

docker ghcr.io/kafbat/kafka-ui:latest

Steps to reproduce

create a folder with a custom truststore
mount the folder inside the docker at /etc/certs
modify the config.yaml file to use the custom truststore

Screenshots

No response

Logs

No response

Additional context

No response

@alessio-bernesco alessio-bernesco added status/triage Issues pending maintainers triage type/bug Something isn't working labels Jan 9, 2025
@kapybro kapybro bot added status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Jan 9, 2025

github-actions bot commented Jan 9, 2025

Hi alessio-bernesco! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

@alessio-bernesco
Author

As a test, I tried to import the self-signed certificate directly into the main trust store, logging in as root into the running docker:

docker exec -u root -ti kafbat-ui sh

and then:

keytool -import -alias mydomain -file /etc/certs/mydomain.crt -keystore /usr/lib/jvm/default-jvm/lib/security/cacerts

This way everything works fine, so the cert itself seems correct.

Also, as a test, when changing the custom truststore location or password to invalid values, the startup fails, so the truststore is located and validated at startup.

@patsevanton
Contributor

patsevanton commented Jan 25, 2025

same issue:
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://keycloak.corp/realms/xxxxx/.well-known/openid-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

@Haarolean
Member

Most likely, server.ssl.trust-store doesn't affect the restclient built and used for oauth authentication.
We'll take a look; meanwhile, could you try to override it via this env var?

JAVA_OPTS="-Djavax.net.ssl.trustStore=/xxx/keycloak.jks -Djavax.net.ssl.trustStorePassword=123"
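A diagnostic that performs the same TLS handshake the failing OIDC discovery call performs, but validated against only the mounted truststore; this is an added example, not code from kafka-ui, and it assumes the truststore path, password, Keycloak host and port from the issue are passed as arguments:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {
    // Hex SHA-256 fingerprint, directly comparable with `keytool -list -v` output.
    static String sha256(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    // Usage: java TrustStoreCheck /etc/certs/mytruststore.jks mypassword mykeycloakinstance 9443
    public static void main(String[] args) throws Exception {
        String storePath = args[0], storePass = args[1], host = args[2];
        int port = Integer.parseInt(args[3]);
        // Load the mounted JKS truststore and list what it actually contains.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass.toCharArray());
        }
        for (String alias : Collections.list(ts.aliases())) {
            X509Certificate x = (X509Certificate) ts.getCertificate(alias);
            if (x != null) System.out.println(alias + ": " + x.getSubjectX500Principal() + " SHA256=" + sha256(x));
        }
        // Trust ONLY this store (not the JVM cacerts), then handshake with hostname verification on, as HttpsURLConnection does.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("OK: " + host + ":" + port + " validates against " + storePath);
        } catch (SSLHandshakeException e) {
            System.out.println("FAIL: " + e.getMessage()); // same PKIX error the app logs
            System.exit(1);
        }
    }
}
```

An OK here while the application still fails at startup confirms that the OIDC client is not using server.ssl.trust-store and that the JVM-wide javax.net.ssl.trustStore override is the right knob; a FAIL means the store does not contain the signer of the chain Keycloak actually serves, so compare the printed fingerprints with the served certificate.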

@Haarolean Haarolean added scope/backend Related to backend changes area/auth App authentication related issues and removed status/triage/manual Manual triage in progress labels Jan 27, 2025
@Haarolean Haarolean moved this to Backlog in Housekeeping Jan 27, 2025