Univention Bugzilla – Bug 55488
Use start TLS as default for LDAP federation in Keycloak
Last modified: 2022-12-14 15:04:49 CET
Make start TLS as default for LDAP federation in Keycloak.
The package configures/uses TLS, but the container is missing the certificate -> we currently get:
"Could not negotiate TLS: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
"Uncaught server error: org.keycloak.models.ModelException: LDAP Query failed"
This should be fixed ASAP because it hinders development in the RAM project!
Probably more a problem in our test environment, we use the unreleased version of univention-keycloak (errata-test) but the released version of the keycloak App. Should we go with the keycloak app from the test appcenter?
Created attachment 11017: KC changes
I have just tested on tross: nradovanovic_kcm, reverted to clean state.

content of /etc/apt/sources.list:
deb [trusted=yes] http://192.168.0.10/build2/ ucs_5.0-0-errata5.0-2/all/
deb [trusted=yes] http://192.168.0.10/build2/ ucs_5.0-0-errata5.0-2/$(ARCH)/
deb-src [trusted=yes] http://192.168.0.10/build2/ ucs_5.0-0-errata5.0-2/source/

# run upgrade
univention-upgrade
# install and activate dev appcenter
apt install univention-appcenter-dev
univention-app dev-use-test-appcenter
# install keycloak
univention-app install keycloak=19.0.1-ucs5
# check CA from console
univention-app shell keycloak -- ls -all /etc/pki/ca-trust/extracted/pem/ucsCAcert.pem
univention-app shell keycloak -- keytool -cacerts -list -storepass "changeit" -noprompt | grep ucsca
# visited KC web admin interface and tried "Test connection" button

So, I used 19.0.1-ucs5 (keycloak_20221128113924) since 19.0.1-ucs5-recaptcha (keycloak_20221207021304) does not have CA related changes merged - yet. I don't know if this will help, but I attached the KC related patch which is already pushed (maybe the Docker image shall be rebuilt - in which case I can't help: I don't have permissions).
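The manual checks in the comment above (CA file present in the container, CA imported into the JVM truststore, StartTLS actually negotiable against the LDAP port) as one added verification script; this is not code from the bug report or from univention-keycloak. It assumes the app is reachable via "univention-app shell keycloak", that the CA path and the "ucsca" alias are as shown above, that the container has "test" and "keytool", and that the host openssl supports "-starttls ldap" (1.1.1 or newer); LDAP_HOST is a placeholder.

```shell
#!/bin/sh
# Added verification script (not part of the bug report or of univention-keycloak).
# Assumptions: Keycloak runs as the "keycloak" app, the UCS CA is at CA_PEM with a
# Java truststore alias containing "ucsca", the container provides test/keytool,
# and openssl is >= 1.1.1 (for -starttls ldap). LDAP_HOST is a placeholder.
LDAP_HOST="${LDAP_HOST:-ldap.example.invalid}"
LDAP_PORT="${LDAP_PORT:-7389}"
CA_PEM="/etc/pki/ca-trust/extracted/pem/ucsCAcert.pem"

# Reads "keytool -list" output on stdin; succeeds only if a line for an alias
# matching $1 is a trustedCertEntry, e.g. "ucsca, Dec 7, 2022, trustedCertEntry,".
# Kept separate from keytool so it can be tested with canned output.
truststore_has_alias() {
    grep -i -- "$1" | grep -q 'trustedCertEntry'
}

# Is the UCS CA both present as a PEM file and imported into the JVM truststore
# inside the container? A missing import is exactly what produces the
# "PKIX path building failed" error quoted in the report.
check_container_ca() {
    univention-app shell keycloak -- test -s "$CA_PEM" \
        || { echo "FAIL: $CA_PEM missing or empty in container"; return 1; }
    univention-app shell keycloak -- keytool -cacerts -list -storepass changeit -noprompt \
        | truststore_has_alias ucsca \
        || { echo "FAIL: UCS CA not in Java cacerts truststore"; return 1; }
    echo "OK: UCS CA trusted by container JVM"
}

# Does the LDAP port negotiate StartTLS with a chain that validates against the
# UCS CA? -verify_return_error turns a bad chain into a non-zero exit, so this
# fails the same way the Java LDAP client in Keycloak would.
check_starttls() {
    openssl s_client -starttls ldap -connect "$LDAP_HOST:$LDAP_PORT" \
        -CAfile "$CA_PEM" -verify_return_error </dev/null >/dev/null 2>&1 \
        || { echo "FAIL: StartTLS to $LDAP_HOST:$LDAP_PORT did not verify"; return 1; }
    echo "OK: StartTLS on $LDAP_HOST:$LDAP_PORT verified against UCS CA"
}

# Run both checks only when invoked as "sh check.sh run", so the functions can
# also be sourced and exercised individually.
case "${1:-}" in
    run) check_container_ca && check_starttls ;;
esac
```

Run it on the UCS host as "LDAP_HOST=<ldap server> sh check.sh run"; a FAIL from check_container_ca means the Docker image still lacks the CA import.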
Thanks, we just disabled the "update to errata-test" in our test setup (no TLS, but we can live with that for now) and wait until both the package and the app are released.
59729680f5 | Use start TLS as default for LDAP federation in Keycloak
13649f8aa3 | debian/changelog
bbe77bb161 | Advisory update

Verified:
* Functional test: Ok
  New installations with "univention-app install keycloak=19.0.1-ucs5" and the new debian package version in ucs_5.0-0-errata5.0-2 work and are configured to use startTLS (against port 7389).
* LDAP connection test in Keycloak works, so the certificate check in the Java code of the container also works.
* Advisory: Ok
<https://errata.software-univention.de/#/?erratum=5.0x511>