sweid4keycloak / bankid4keycloak

BankID Identity Provider for Keycloak
Apache License 2.0

Certificate issues running Keycloak in Docker #61

Open Ronnehag opened 5 days ago

Ronnehag commented 5 days ago

Describe the bug

I'm running Keycloak as a Docker container and have issues getting the plugin to work. It loads the plugin as expected, but gets SSL certificate errors trying to communicate with BankID.

Environment:

Additional context

Here is the sample Docker image:

# Build stage: bake the provider, the BankID client certificate and the truststore into the image
FROM quay.io/keycloak/keycloak:26.0.0 AS builder
ENV KC_DB=mssql

# bankid4keycloak provider jar and the BankID test (FP) client certificate
COPY bankid4keycloak.jar /opt/keycloak/providers
COPY FPTestcert5_20240610.p12 /opt/keycloak/tls/bankid.p12

# Import the certificate in FPTestcert5_20240610.pem as a trusted CA entry into a PKCS12
# truststore under conf/truststores (-storepass makes this a password-protected keystore)
COPY FPTestcert5_20240610.pem .
RUN keytool -importcert -file FPTestcert5_20240610.pem -storepass qwerty123 -alias "BankID Test CA" -trustcacerts -storetype pkcs12 -keystore /opt/keycloak/conf/truststores/truststore.p12 -noprompt -v

WORKDIR /opt/keycloak
RUN /opt/keycloak/bin/kc.sh build

# Runtime stage: copy the prebuilt distribution and add the custom theme
FROM quay.io/keycloak/keycloak:26.0.0
COPY --from=builder /opt/keycloak/ /opt/keycloak/
COPY /mytheme /opt/keycloak/themes/mytheme

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

I initially ran the keytool command without -storepass as described in the README. This didn't work as the file was protected by a password. I can see that the files are created and copied to the right locations in the container image. I've also configured it in admin with the updated paths, written as described in the README. I've verified that it can find the certificates.

I'm running the test environment in Azure on a Linux App Service, so HTTPS is managed by Azure. For the Docker image, --http-enabled=true is used.

Exception shown in the container:

2024-10-18T10:04:59.1411524Z 2024-10-18 10:04:59,140 WARN  [org.keycloak.cookie.DefaultCookieProvider] (executor-thread-1) Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests
2024-10-18T10:05:21.5191581Z 2024-10-18 10:05:21,518 WARN  [org.keycloak.cookie.DefaultCookieProvider] (executor-thread-2) Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests
2024-10-18T10:05:25.0401928Z 2024-10-18 10:05:25,039 WARN  [org.keycloak.cookie.DefaultCookieProvider] (executor-thread-2) Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests
2024-10-18T10:05:26.0354498Z 2024-10-18 10:05:26,035 WARN  [org.keycloak.cookie.DefaultCookieProvider] (executor-thread-2) Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests
2024-10-18T10:05:26.6266176Z 2024-10-18 10:05:26,625 ERROR [org.keycloak.broker.bankid.client.SimpleBankidClient] (executor-thread-2) Failed to send request to BankID: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-10-18T10:05:26.6266791Z    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
2024-10-18T10:05:26.6266838Z    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
2024-10-18T10:05:26.6266920Z    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
2024-10-18T10:05:26.6266949Z    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
2024-10-18T10:05:26.6266978Z    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1318)
2024-10-18T10:05:26.6267007Z    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1195)
2024-10-18T10:05:26.6267037Z    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1138)
2024-10-18T10:05:26.6267065Z    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
2024-10-18T10:05:26.6267092Z    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
2024-10-18T10:05:26.6267118Z    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
2024-10-18T10:05:26.6267160Z    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
2024-10-18T10:05:26.6267189Z    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
2024-10-18T10:05:26.6267215Z    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
2024-10-18T10:05:26.6267242Z    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
2024-10-18T10:05:26.6267269Z    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
2024-10-18T10:05:26.6267296Z    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
2024-10-18T10:05:26.6267324Z    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
2024-10-18T10:05:26.6267351Z    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
2024-10-18T10:05:26.6267398Z    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
2024-10-18T10:05:26.6267429Z    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
2024-10-18T10:05:26.6267455Z    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
2024-10-18T10:05:26.6267480Z    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
2024-10-18T10:05:26.6267505Z    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
2024-10-18T10:05:26.6267530Z    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
2024-10-18T10:05:26.6267557Z    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
2024-10-18T10:05:26.6267583Z    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
2024-10-18T10:05:26.6267626Z    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
2024-10-18T10:05:26.6267654Z    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
2024-10-18T10:05:26.6267680Z    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
2024-10-18T10:05:26.6267707Z    at org.keycloak.broker.bankid.client.SimpleBankidClient.sendRequest(SimpleBankidClient.java:91)
2024-10-18T10:05:26.6267733Z    at org.keycloak.broker.bankid.client.SimpleBankidClient.sendAuth(SimpleBankidClient.java:47)
2024-10-18T10:05:26.6267758Z    at org.keycloak.broker.bankid.BankidEndpoint.doLogin(BankidEndpoint.java:109)
2024-10-18T10:05:26.6267815Z    at org.keycloak.broker.bankid.BankidEndpoint.start(BankidEndpoint.java:88)
2024-10-18T10:05:26.6267863Z    at org.keycloak.broker.bankid.BankidEndpoint$quarkusrestinvoker$start_e0e4c6a15929b10e63afcdbe4483370874bdf21a.invoke(Unknown Source)
2024-10-18T10:05:26.6267890Z    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
2024-10-18T10:05:26.6267921Z    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
2024-10-18T10:05:26.6267949Z    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
2024-10-18T10:05:26.6267975Z    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
2024-10-18T10:05:26.6268020Z    at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
2024-10-18T10:05:26.6268049Z    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
2024-10-18T10:05:26.6268258Z    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
2024-10-18T10:05:26.6268290Z    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
2024-10-18T10:05:26.6268317Z    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
2024-10-18T10:05:26.6268344Z    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
2024-10-18T10:05:26.6268369Z    at java.base/java.lang.Thread.run(Thread.java:1583)
2024-10-18T10:05:26.6268403Z Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-10-18T10:05:26.6268448Z    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
2024-10-18T10:05:26.6268475Z    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
2024-10-18T10:05:26.6268500Z    at java.base/sun.security.validator.Validator.validate(Validator.java:256)
2024-10-18T10:05:26.6268527Z    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
2024-10-18T10:05:26.6268555Z    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
2024-10-18T10:05:26.6268582Z    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1302)
2024-10-18T10:05:26.6268612Z    ... 40 more
2024-10-18T10:05:26.6268640Z Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-10-18T10:05:26.6268685Z    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
2024-10-18T10:05:26.6268714Z    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
2024-10-18T10:05:26.6268740Z    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
2024-10-18T10:05:26.6268798Z    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
2024-10-18T10:05:26.6268823Z    ... 45 more

This is what's described in the official docs. I assume it may have issues trusting the certificate because it's password protected?

The existing Java default truststore certs will always be trusted. If you need additional certificates, which will be the case if you have self-signed or internal certificate authorities that are not recognized by the JRE, they can be included in the conf/truststores directory or subdirectories. The certs may be in PEM files, or PKCS12 files with extension .p12 or .pfx. If in PKCS12, the certs must be unencrypted - meaning no password is expected https://www.keycloak.org/server/keycloak-truststore
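The docs quoted above say a PKCS12 file under conf/truststores must be unencrypted. As an added example (not part of the original issue and not code from the bankid4keycloak project or Keycloak), here is a standard-library Python script that checks a .p12 for the two things that need a password: id-encryptedData SafeContents and a MacData trailer. The skeletal PFX structures it builds for demonstration are constructed, not real keystores, and the script name check_truststore.py in the usage note is hypothetical.

```python
"""Check whether a PKCS#12 truststore is "unencrypted" as the Keycloak docs quoted above
require, i.e. usable with no password. Added example for this issue thread (not code from
bankid4keycloak or Keycloak); standard library only, walking the outer PFX DER structure."""
import sys

OID_DATA = "1.2.840.113549.1.7.1"            # id-data: plain SafeContents
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"  # id-encryptedData: password-encrypted SafeContents

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def expect(tag, want, what):
    if tag != want:
        raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (what, want, tag))

def decode_oid(raw):
    """Decode an OBJECT IDENTIFIER value (tag and length stripped) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def content_info(buf, pos):
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY } -> (oid, content, next)."""
    tag, start, _, nxt = read_tlv(buf, pos)
    expect(tag, 0x30, "ContentInfo")
    tag, s, e, p = read_tlv(buf, start)
    expect(tag, 0x06, "contentType")
    oid = decode_oid(buf[s:e])
    tag, s, e, _ = read_tlv(buf, p)
    expect(tag, 0xA0, "content [0]")
    return oid, buf[s:e], nxt

def inspect_pkcs12(data):
    """Return {version, safes, mac, passwordless}; passwordless means no SafeContents is
    encrypted and there is no MacData trailer, so nothing in the file needs a password."""
    tag, start, end, _ = read_tlv(data, 0)   # PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL }
    expect(tag, 0x30, "PFX")
    tag, s, e, pos = read_tlv(data, start)
    expect(tag, 0x02, "PFX.version")
    version = int.from_bytes(data[s:e], "big")
    oid, content, pos = content_info(data, pos)
    if oid != OID_DATA:
        raise ValueError("authSafe contentType %s is not id-data" % oid)
    tag, s, e, _ = read_tlv(content, 0)      # OCTET STRING wrapping AuthenticatedSafe
    expect(tag, 0x04, "authSafe content")
    auth_safe = content[s:e]
    tag, s, e, _ = read_tlv(auth_safe, 0)    # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
    expect(tag, 0x30, "AuthenticatedSafe")
    safes, p = [], s
    while p < e:
        ci_oid, _, p = content_info(auth_safe, p)
        safes.append({OID_DATA: "data", OID_ENCRYPTED_DATA: "encryptedData"}.get(ci_oid, ci_oid))
    has_mac = pos < end                       # anything after authSafe is the MacData trailer
    return {"version": version, "safes": safes, "mac": has_mac,
            "passwordless": not has_mac and all(k == "data" for k in safes)}

# Constructed samples so the check can be exercised offline; they are not real keystores.
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return der(0x06, bytes(out))

def sample_pfx(encrypted):
    """encrypted=True has the shape keytool writes by default (id-encryptedData safe plus
    MacData); encrypted=False is the password-free shape the Keycloak docs describe."""
    if encrypted:
        safe = der(0x30, encode_oid(OID_ENCRYPTED_DATA) + der(0xA0, der(0x30, b"")))
        mac = der(0x30, b"")                  # stands in for the MacData trailer
    else:
        safe = der(0x30, encode_oid(OID_DATA) + der(0xA0, der(0x04, der(0x30, b""))))
        mac = b""
    auth_safe = der(0xA0, der(0x04, der(0x30, safe)))
    return der(0x30, der(0x02, b"\x03") + der(0x30, encode_oid(OID_DATA) + auth_safe) + mac)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pfx(encrypted=True)
    report = inspect_pkcs12(blob)
    print(report)
    sys.exit(0 if report["passwordless"] else 1)
```

Run it as `python3 check_truststore.py /opt/keycloak/conf/truststores/truststore.p12` inside the container; exit status 1 means the store contains encrypted SafeContents or a MAC and therefore needs a password. A store written by `keytool -importcert ... -storetype pkcs12` with a -storepass has exactly that shape by default. The JDK security properties keystore.pkcs12.certProtectionAlgorithm=NONE and keystore.pkcs12.macAlgorithm=NONE (passed to keytool as -J-D... options) make it write a password-free PKCS12 instead, and the docs quoted above also accept a PEM file copied straight into conf/truststores, which avoids keytool altogether.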

Ronnehag commented 5 days ago

Update: I think I have managed to get it working now. I will update with details later if anyone runs into the same problem.

Edit: Got it working by using version 25.0.0 of Keycloak. Is there any plan to support 26.0.0 anytime soon? It seems to work by just changing the pom.xml element to 26.0.0, but I'm not sure if there is anything else that also needs to be upgraded in the package.