search

instipod / DuoUniversalKeycloakAuthenticator

Keycloak Authenticator for Duo's new Universal Prompt
GNU General Public License v3.0
50 stars 16 forks source link

certificate_unknown / TLS Errors #19

Closed jlrcontegix closed 10 months ago

jlrcontegix commented 1 year ago

We have a working configuration but after some amount of uptime we start seeing certificate_unknown errors in the Keycloak logs and authentication in the browser fails.

The underlying error is Unable to build a CertPath: no PKIXBuilderParameters available

This may be a Keycloak or BounceCastle issue, but the only area where we see an issue when this error occurs is when logging into Keycloak using a flow that has Duo configured. Other flows which use authentication mechanisms that reach out to external sources using TLS still work, so seems limited to the Duo provider.

Restarting the application fixes the issue for some amount of time but seems to reappear daily.


Oct 25 14:30:22 hostname kc.sh[185929]: 2023-10-25 14:30:22,212 INFO  [org.bouncycastle.jsse.provider.ProvTlsClient] (executor-thread-302) [client #238 @3e2b2f98] raised fatal(2) certificate_unknown(46) alert: Failed to read record: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.checkServerTrusted(ProvSSLSocketWrap.java:131)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:377)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsUtils.processServerCertificate(TlsUtils.java:4849)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(TlsClientProtocol.java:797)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsClientProtocol.receive13ServerCertificate(TlsClientProtocol.java:1596)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsClientProtocol.handle13HandshakeMessage(TlsClientProtocol.java:160)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:366)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(TlsProtocol.java:715)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:591)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.RecordStream.readRecord(RecordStream.java:247)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsProtocol.safeReadRecord(TlsProtocol.java:879)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsProtocol.blockForHandshake(TlsProtocol.java:427)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.tls.TlsClientProtocol.connect(TlsClientProtocol.java:88)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(ProvSSLSocketWrap.java:608)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(ProvSSLSocketWrap.java:584)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at okhttp3.RealCall.execute(RealCall.java:81)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at retrofit2.OkHttpCall.execute(OkHttpCall.java:204)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at com.duosecurity.service.DuoConnector.duoHealthcheck(DuoConnector.java:60)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at com.duosecurity.Client.healthCheck(Client.java:252)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at com.instipod.duouniversal.DuoUniversalAuthenticator.startDuoProcess(DuoUniversalAuthenticator.java:265)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at com.instipod.duouniversal.DuoUniversalAuthenticator.authenticate(DuoUniversalAuthenticator.java:200)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:445)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:249)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:380)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.continueAuthenticationAfterSuccessfulAction(DefaultAuthenticationFlow.java:181)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:157)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:986)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:378)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:349)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.authenticateInternal(LoginActionsService.java:341)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:322)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:406)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at jdk.internal.reflect.GeneratedMethodAccessor751.invoke(Unknown Source)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at java.base/java.lang.reflect.Method.invoke(Method.java:568)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:154)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:118)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:560)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:452)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:413)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:321)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:415)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:378)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:174)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:131)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:33)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:429)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:240)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:154)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:321)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:157)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:229)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:82)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:147)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:84)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:44)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.vertx.http.runtime.options.HttpServerCommonHandlers$1.handle(HttpServerCommonHandlers.java:58)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.vertx.http.runtime.options.HttpServerCommonHandlers$1.handle(HttpServerCommonHandlers.java:36)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at java.base/java.lang.Thread.run(Thread.java:833)
Oct 25 14:30:22 hostname kc.sh[185929]: Caused by: java.security.cert.CertificateException: Unable to build a CertPath: no PKIXBuilderParameters available
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:270)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:182)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.checkServerTrusted(ProvSSLSocketWrap.java:127)
Oct 25 14:30:22 hostname kc.sh[185929]: #011... 90 more
Oct 25 14:30:22 hostname kc.sh[185929]: 2023-10-25 14:30:22,213 INFO  [org.bouncycastle.jsse.provider.ProvTlsClient] (executor-thread-302) [client #238 @3e2b2f98] disconnected from api-da1c07d8.duosecurity.com:443
Oct 25 14:30:22 hostname kc.sh[185929]: 2023-10-25 14:30:22,213 WARN  [com.instipod.duouniversal.DuoUniversalAuthenticator] (executor-thread-302) Authentication against Duo failed with exception: com.duosecurity.exception.DuoException: certificate_unknown(46)
Oct 25 14:30:22 hostname kc.sh[185929]: 2023-10-25 14:30:22,213 WARN  [org.keycloak.services] (executor-thread-302) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:496)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:447)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:249)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:380)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.continueAuthenticationAfterSuccessfulAction(DefaultAuthenticationFlow.java:181)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:157)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:986)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:378)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:349)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.authenticateInternal(LoginActionsService.java:341)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:322)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:406)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at jdk.internal.reflect.GeneratedMethodAccessor751.invoke(Unknown Source)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at java.base/java.lang.reflect.Method.invoke(Method.java:568)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:154)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:118)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:560)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:452)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:413)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:321)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:415)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:378)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:174)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:131)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:33)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:429)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:240)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:154)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:321)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:157)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:229)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:82)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:147)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:84)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:44)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.vertx.http.runtime.options.HttpServerCommonHandlers$1.handle(HttpServerCommonHandlers.java:58)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.vertx.http.runtime.options.HttpServerCommonHandlers$1.handle(HttpServerCommonHandlers.java:36)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Oct 25 14:30:22 hostname kc.sh[185929]: #011at java.base/java.lang.Thread.run(Thread.java:833)
Oct 25 14:30:22 hostname kc.sh[185929]: 2023-10-25 14:30:22,221 WARN  [org.keycloak.events] (executor-thread-302) type=LOGIN_ERROR, realmId=realm, clientId=account-console, userId=null, ipAddress=XX.XX.XX.XX, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://oururl.com/realms/realm/account/#/, code_id=5b89410d-27e2-4404-a99d-b9abceb2d86c, username=user```
instipod commented 1 year ago

What version of JDK and Keycloak are you running on this server? Is is using the Keycloak docker container or a manual install?

jlrcontegix commented 1 year ago

Keycloak 22.0.5 with OpenJDK 17, Keycloak was installed manually.


openjdk 17.0.9 2023-10-17 LTS
OpenJDK Runtime Environment (Red_Hat-17.0.9.0.9-1) (build 17.0.9+9-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-17.0.9.0.9-1) (build 17.0.9+9-LTS, mixed mode, sharing)
instipod commented 1 year ago

This is an error that I'm not sure about at first glance. It seems to be coming from the HTTP client inside the Duo SDK which this extension is using. certificate_unknown(46) leads me to believe that it cannot verify the SSL certificate of the Duo server, but I'm not sure what would cause a failure for just Duo, as you said other TLS requests are working when Duo starts to fail.

I'm running this extension in production on a server with >15 days uptime with hundreds of Duo authentications per hour so it must be related to some difference in our environments. My deployment is running using the quay container, which seems to contain a very similar version of Java so I don't think that is related.

Do you have anything in your environment that would be unusual TLS wise? (custom ca certificates installed, SSL inspecting proxy, etc?)