Unable to load a custom trust store
Summary
I am unable to load a custom trust store into the keycloak container. I am attempting to use ldaps but it complains that the certificate is untrusted.
Steps to reproduce
Create a docker-compose.yml with the options -Djavax.net.ssl.trustStore or TRUSTSTORE and then try to connect to an ldaps server that isn't using a DoD signed root certificate.
What is the current bug behavior?
System comes back with:
[org.keycloak.truststore.SSLSocketFactory] (executor-thread-0) No truststore provider found - using default SSLSocketFactory
And then
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What is the expected correct behavior?
Connection to the ldaps server
Relevant logs and/or screenshots
docker-compose.yml lines
version: '3.7'
services:
  keycloak: #auth
    container_name: keycloak
    environment:
      - DB_VENDOR=POSTGRES
      - DB_ADDR=postgres
      - DB_DATABASE=keycloak
      - DB_USER=keycloak
      - DB_SCHEMA=public
      - DB_PASSWORD=password
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=Pa55w0rd
      - PROXY_ADDRESS_FORWARDING='true'
      - JAVA_OPTS_APPEND="-Dcom.redhat.fips=false -Djavax.net.ssl.trustStore=/tmp/server.keystore -Djavax.net.ssl.trustStorePassword=changeit"
      - EXTRA_CACERTS="/tmp/server.keystore"
      - EXTRA_CACERTS_PASSWORD="changeit"
    depends_on:
      - postgres
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
    image: ironbank/opensource/keycloak/keycloak:18.0.0
    networks:
      - local-stigman
      - external
    command:
      - start
      - --auto-build
      - --http-enabled=true
      - --http-relative-path=/auth
      - --hostname-strict-https=false
      - --hostname-strict=false
      - --proxy=edge
    restart: always
    volumes:
      - ./rootCA.crt/:/etc/pki/ca-trust/source/anchors/rootca.pem:ro
      - ./rootca.keystore:/tmp/server.keystore:rw
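The log line "No truststore provider found - using default SSLSocketFactory" means Keycloak's own truststore SPI was never configured; in the Keycloak 18 (Quarkus) distribution that SPI is set with the documented kc.sh options --spi-truststore-file-file, --spi-truststore-file-password and --spi-truststore-file-hostname-verification-policy (or their KC_SPI_* environment-variable equivalents, following Keycloak's option-to-env-var mapping), and the LDAP provider's "Use Truststore SPI" setting must be "Only for ldaps" or "Always" for the LDAP connection to consult it. The following script is an added example, not code from the issue or from the Iron Bank image: it emits those options for the paths used above, flags a bind-mount source written with a trailing slash (Docker treats such a source as a directory, so the certificate never arrives as a file), and, where keytool and openssl are present, lists the CAs in the keystore and verifies a live LDAPS chain against them. The host name ldap.example.com and the password value are placeholders.

```shell
#!/bin/sh
# Added example for diagnosing a Keycloak 18 LDAPS truststore problem.
# Not part of the issue or the Iron Bank image; paths are those from the
# compose file, the LDAPS host is a placeholder.

# Keycloak 18 takes outgoing TLS trust from its truststore SPI, so the JVM
# -Djavax.net.ssl.trustStore property alone is not enough. These are the
# documented kc.sh options (hostname policy defaults to WILDCARD here).
truststore_flags() {
    # $1 = keystore path inside the container, $2 = password, $3 = policy
    printf '%s %s %s\n' \
        "--spi-truststore-file-file=$1" \
        "--spi-truststore-file-password=$2" \
        "--spi-truststore-file-hostname-verification-policy=${3:-WILDCARD}"
}

# Same options in Keycloak's environment-variable form (KC_SPI_...).
truststore_env() {
    printf '%s\n%s\n%s\n' \
        "KC_SPI_TRUSTSTORE_FILE_FILE=$1" \
        "KC_SPI_TRUSTSTORE_FILE_PASSWORD=$2" \
        "KC_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY=${3:-WILDCARD}"
}

# A bind-mount source ending in "/" is mounted as a directory, so a CA file
# written that way (e.g. ./rootCA.crt/) never reaches the container as a
# file. Returns 0 only for a plain, existing regular file.
check_bind_source() {
    case "$1" in
        */) return 1 ;;
    esac
    [ -f "$1" ]
}

# List the trusted entries in the keystore and verify the LDAPS server's
# chain against them. Needs keytool (JDK) and openssl on the host.
# Usage: verify_ldaps_trust ./rootca.keystore changeit ldap.example.com 636
verify_ldaps_trust() {
    store="$1"; pass="$2"; host="$3"; port="${4:-636}"
    keytool -list -keystore "$store" -storepass "$pass" || return 1
    # Export the trusted certs as PEM so openssl can use them as a CA bundle
    bundle=$(mktemp) || return 1
    keytool -list -rfc -keystore "$store" -storepass "$pass" \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$bundle" || { rm -f "$bundle"; return 1; }
    # -verify_return_error makes s_client fail when the chain does not verify,
    # which is the same PKIX failure Keycloak reports in the issue.
    openssl s_client -connect "$host:$port" -CAfile "$bundle" \
        -verify_return_error </dev/null >/dev/null 2>&1
    rc=$?
    rm -f "$bundle"
    return $rc
}
```

Run verify_ldaps_trust against the keystore before starting the container: if the CA is missing from the keytool listing, or openssl cannot build the chain with only that bundle, the keystore is the problem rather than Keycloak's configuration; if both succeed, add the output of truststore_flags to the command list (or truststore_env to the environment list) and set "Use Truststore SPI" on the LDAP provider.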
Definition of Done
- Bug has been identified and corrected within the container