
Certificate validation fails when trying to access ChurchTools API #11

Closed · fschrempf opened this issue Dec 15, 2023 · 6 comments

Comments

@fschrempf

I'm trying to set up the KC storage provider with our cloud-hosted CT, but I'm getting:

ERROR [de.canchanchara.keycloak.storage.ChurchToolsApi] (executor-thread-3) javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Which apparently means that Java fails to validate the SSL certificate chain for the server. I tried to set up the SPI truststore for KC and everything looks ok, but the error persists.

  1. Any ideas how to debug?
  2. Are you (@daniel-lerch, @canchanchara) running this against a local CT instance using HTTP or a remote one using HTTPS?

Thanks!
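A way to answer the "how to debug" question outside Keycloak is to reproduce the same handshake from a small Java program that uses an explicit truststore. The following is an added example, not code from this thread or from the user-storage-churchtools project; the file names `TrustCheck.java` and `truststore.p12` are assumptions, and the host is whatever you pass on the command line. It lists the trust anchors in the given store, performs a TLS handshake with hostname verification enabled, and on failure prints the full cause chain, so you can tell whether the store Keycloak is reading lacks the CA or whether the server sends an incomplete chain.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * TrustCheck (example, hypothetical name): reproduce the TLS handshake that the
 * ChurchTools API client performs, using either the JVM default trust anchors or an
 * explicit truststore, so that a "PKIX path building failed" error can be analysed
 * without starting Keycloak.
 *
 * Usage: java TrustCheck.java <host> [truststore.p12|truststore.jks [password]]
 */
public class TrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustCheck.java <host> [truststore [password]]");
            System.exit(2);
        }
        String host = args[0];
        SSLContext ctx = args.length > 1
                ? contextFromTruststore(args[1], args.length > 2 ? args[2].toCharArray() : null)
                : SSLContext.getDefault();

        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
            // Enable hostname verification so the check is as strict as an HTTPS client.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Handshake OK with " + host + "; chain presented by the server:");
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                describe((X509Certificate) c);
            }
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
            // "unable to find valid certification path" means no chain could be built
            // from the presented certificates to any trust anchor in the store above:
            // either the store lacks the CA, or the server omits an intermediate.
            for (Throwable cause = e.getCause(); cause != null; cause = cause.getCause()) {
                System.out.println("  caused by: " + cause);
            }
        }
    }

    /** Build an SSLContext whose only trust anchors come from the given keystore file. */
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(path.endsWith(".jks") ? "JKS" : "PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        System.out.println("Trust anchors in " + path + ":");
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                describe((X509Certificate) ks.getCertificate(alias));
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Print the fields that matter when matching a chain against trust anchors. */
    static void describe(X509Certificate c) {
        System.out.printf("  subject=%s%n  issuer=%s%n  notAfter=%s%n",
                c.getSubjectX500Principal(), c.getIssuerX500Principal(), c.getNotAfter());
    }
}
```

Run it once with no truststore argument to test the JVM's default `cacerts`, then again with the file you configured for Keycloak. If the first succeeds and the second fails, the store Keycloak reads is missing the issuing CA (compare the `issuer` of the server's leaf with the `subject` values listed from the store); if both fail, `openssl s_client -showcerts -connect <host>:443` will show whether the server is sending its intermediate certificate at all. Adding `-Djavax.net.debug=ssl:handshake` to the `java` command prints the trust anchors and the chain the JDK actually evaluated.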

@canchanchara
Owner

I'm using a cloud hosting instance. I do not have this error.

Can you describe what you did exactly to reproduce it?

@fschrempf
Author

Ok, thanks for the fast response. I'm pretty sure the issue is related to my setup and not to the storage provider plugin. I have the KC bitnami docker image (v22.0.5) running and followed the instructions in the README. Everything looks correct, I can set up the user federation, but I don't get any users and clients are not able to login due to the error mentioned above.

@canchanchara
Owner

I'm using the manual installation method for Keycloak: https://www.keycloak.org/getting-started/getting-started-zip

Maybe something is different in the Docker container.

@daniel-lerch
Contributor

For Docker, I would recommend using the official Keycloak image from quay.io/keycloak/keycloak

My docker-compose.yml with a MariaDB database to run Keycloak behind an NGINX reverse proxy, for reference. Note that an .env file is required in this case for the environment variable placeholders in the compose file:

docker-compose.yml

```yaml
version: "2.1"

services:
  app:
    image: quay.io/keycloak/keycloak:22.0.3
    container_name: ${APP_CONTAINER_NAME}
    restart: unless-stopped

    command: |
      start \
      --db=mariadb \
      --db-url="jdbc:mariadb://db/${MARIADB_DATABASE}" \
      --db-username=${MARIADB_USER} \
      --db-password=${MARIADB_PASSWORD} \
      --proxy edge \
      --hostname-strict=false \
      --http-relative-path=/keycloak \
      --spi-storage-churchtools-user-storage-host=demo.church.tools \
      --spi-storage-churchtools-user-storage-login-token=your_login_token

    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin

    volumes:
      - ./user-storage-churchtools.jar:/opt/keycloak/providers/user-storage-churchtools.jar

    networks:
      - default
      - nginx-proxy

  db:
    image: mariadb:10
    restart: unless-stopped

    environment:
      - MARIADB_ROOT_PASSWORD
      - MARIADB_PASSWORD
      - MARIADB_DATABASE
      - MARIADB_USER

    volumes:
      - ./data/mysql:/var/lib/mysql

    networks:
      - default

networks:
  default:
  nginx-proxy:
    external: true
```

@canchanchara
Owner

@daniel-lerch you could perhaps add the Docker Compose / Keycloak installation somewhere in the README. I could imagine that many ChurchTools admins otherwise have nothing to do with Keycloak and would appreciate something like this to get set up quickly at the start.
Does that work for you?

@fschrempf
Author

fschrempf commented Dec 15, 2023

@daniel-lerch Thanks a lot for the configuration example! It's working now, at least the error is gone and I probably can figure out the rest. There's something different with the bitnami container and I couldn't figure it out.

@canchanchara An example config in the README would be great!
