sunmingtao / sample-code


PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target #59

Closed sunmingtao closed 4 years ago

sunmingtao commented 4 years ago

Enter credentials on the Keycloak login page. Get error:

[qtp1308168281-38] ERROR org.keycloak.adapters.OAuthRequestAuthenticator - failed to turn code into token
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
      at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
      at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:553)
      at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
      at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
      at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
      at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
      at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
      at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
      at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
      at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
      at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)
      at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:335)
      at org.keycloak.adapters.OAuthRequestAuthenticat

sunmingtao commented 4 years ago

This is because the JDK keystore doesn't have the certificate required by Keycloak. Normally you shouldn't need to manually install the certificate, as the latest JDK (even 8) contains such a certificate. But some developers may be using a fairly old version of JDK 8 which doesn't include the certificate in question.

Tried various solutions suggested here: https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ

I find the easiest solution is to replace the cacerts file, which is located at $JAVA_HOME/jre/lib/security, with a relatively new one.

To quickly test whether the new cert works, add the VM arg -Djavax.net.ssl.trustStore=path_to_new_cacert

How to find your cacerts file?

For Java 8, it is located at /Library/Java/JavaVirtualMachines/jdk-11.0.4.jdk/Contents/Home/lib/security/cacerts

For Java 11, it is located at /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts
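As an added example (not code from this issue or the sample-code repository), a small POSIX shell helper that locates a JDK's cacerts in either layout (jre/lib/security for JDK 8, lib/security for JDK 9+), builds the VM options for trying a replacement trust store without overwriting the JDK's copy, and checks with keytool whether a given CA entry is present. The function names are assumptions; `changeit` is the JDK's well-known default cacerts password.

```shell
#!/bin/sh
# find_cacerts JAVA_HOME
# Prints the path of the JDK's default trust store. JDK 8 ships it under
# jre/lib/security, JDK 9+ under lib/security; the first file that exists wins.
# Returns 1 when neither layout has a cacerts file.
find_cacerts() {
  for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# trust_store_args TRUSTSTORE
# Prints the JVM options that point javax.net.ssl at an alternative trust store,
# so a newer cacerts can be tested before replacing the one under JAVA_HOME.
# The password is the JDK default for cacerts; change it if yours differs.
trust_store_args() {
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=changeit\n' "$1"
}

# has_trusted_ca TRUSTSTORE PATTERN
# Returns 0 when keytool lists an entry matching PATTERN (case-insensitive,
# e.g. part of the issuer name seen in the server's certificate chain),
# 1 when no entry matches, and 2 when keytool is not on PATH.
has_trusted_ca() {
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -list -v -keystore "$1" -storepass changeit 2>/dev/null | grep -qi "$2"
}

# Example usage (assumes JAVA_HOME is set and keytool is installed):
#   store=$(find_cacerts "$JAVA_HOME") && has_trusted_ca "$store" "Let's Encrypt" \
#     || echo "CA not trusted by $store; try: java $(trust_store_args /path/to/new/cacerts) ..."
```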