Embedded Keycloak (Spring Boot Java) certificate problem: unable to resolve the configuration with the provided issuer

Question | votes: 0 | answers: 2

I am currently building a web application with an Angular frontend and a Java backend. At the moment I am implementing Keycloak as an embedded Spring Boot application with the help of the Baeldung tutorial (https://www.baeldung.com/keycloak-embedded-in-spring-boot-app). My Java backend is the resource server. All of my requests were successfully authenticated with Keycloak and OAuth/OpenID, until my localhost certificate expired.

I have generated a new self-signed certificate with keytool, set up as follows:

"C:\Program Files\Git\usr\bin\openssl.exe" req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout localhost.key -days 3560 -out localhost.crt -config sslconf.conf

and the following configuration:

# openssl req reads these defaults from the [req] section; without the
# header it cannot find distinguished_name / x509_extensions
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = NL
ST = Netherlands
L = Netherlands
O = DMT
OU = My Organisational Unit
emailAddress = [email protected]
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

This certificate is used in the following places:

  • Angular frontend
  • Resource server, Spring Java backend (custom keystore .p12)
  • Authorization server (embedded Keycloak, Spring Boot Java) (same custom keystore as the resource server)

I imported the new certificate and keystore with the following statement:

"C:\Program Files\Git\usr\bin\openssl.exe" pkcs12 -export -in C:\DMT\sources\code\multi\localhost.crt -inkey C:\DMT\sources\code\multi\localhost.key -name localhost_dmt -out dmt-keystore.p12

This keystore is referenced by the Java properties file of both the embedded Keycloak Java server and the backend Java server itself.

After restarting everything, the browser accepted the new certificate, and both the backend and Keycloak run with SSL and a valid, identical certificate.

Everything looks fine, but when I perform a request to the resource server, the request fails during authentication with the openid configuration:

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://localhost:8083/auth/realms/dmt/.well-known/openid-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785) ~[spring-web-5.3.8.jar:5.3.8]
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:670) ~[spring-web-5.3.8.jar:5.3.8]
    at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:132) ~[spring-security-oauth2-jose-5.5.1.jar:5.5.1]
    ... 66 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:369) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[na:na]
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:478) ~[na:na]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:456) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199) ~[na:na]
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1369) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1278) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373) ~[na:na]
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567) ~[na:na]
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197) ~[na:na]
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168) ~[na:na]
    at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:76) ~[spring-web-5.3.8.jar:5.3.8]
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) ~[spring-web-5.3.8.jar:5.3.8]
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:66) ~[spring-web-5.3.8.jar:5.3.8]
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:776) ~[spring-web-5.3.8.jar:5.3.8]
    ... 68 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
    at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ~[na:na]
    ... 86 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
    ... 92 common frames omitted

I do not understand why Keycloak no longer authenticates. Before I replaced the old certificate, everything worked fine. Keycloak must somehow need to know about the new certificate, but I cannot find where to put it. I tried to find it in the documentation, but unfortunately without success. It is also a bit more complicated because I am using embedded Keycloak in Java Spring Boot. I thought the custom keystore provided in the Java properties file would be sufficient.

Properties file of the embedded Keycloak:

server:
  port: 8083
  ssl:
    key-store: "C:\\DMT\\sources\\code\\multi\\dmt-keystore.p12"
    key-store-password: passwordkeystore
    key-store-type: pkcs12
    key-alias: localhost_dmt
    key-password: password
    enabled: true
Tags: java keycloak keystore pkix

2 answers

0 votes

I think you forgot to import it as a trusted certificate into your JRE cacerts file.

You can take a look at what I did in this repository. If you browse the script source, you will see around line 178 how to import the new certificate into cacerts. You can also run this script with git bash and it will print the commands (see the README for prerequisites).


-1 votes

Same problem, could you tell me how you solved it? I need the exact keytool import command. Also, our Keycloak is HTTPS with www.keycloak.com and the Spring Boot application is HTTPS with www.sb.com; Spring Boot calls Keycloak and fails, and the server.p12 certificate only has a CN named www.sb.com. Do I need to import a cert with CN www.keycloak.com?
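Both answers turn on one distinction the question blurs: the .p12 in the YAML is a keystore (what each server presents), while the PKIX error is raised by the client side, whose truststore (the JVM's cacerts by default) has never seen the new self-signed certificate; the CN question in the second answer is the separate hostname check. The script below is an added example, not code from the question, the answers or the Baeldung tutorial. It rebuilds the question's PKI with openssl, then uses `openssl verify` as a stand-in for the JVM's PKIX validator to show path building failing without a trust anchor, succeeding once the certificate is one, and the hostname check failing for a name that is not in the SAN. Assumed rather than taken from the page: the temporary work directory, the truststore password `changeit`, the omitted emailAddress field, and the optional keytool step, which only runs when keytool is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post or answers). Rebuilds the
# question's self-signed cert + PKCS#12 keystore with openssl, then shows
# why the JVM reports "PKIX path building failed": the keystore is what the
# server *presents*, the truststore is what a client is willing to *accept*.
# Assumptions: temp work dir, truststore password "changeit", keystore
# password "passwordkeystore" as in the posted YAML, emailAddress omitted.
set -e

WORK="${WORK:-$(mktemp -d)}"
CRT="$WORK/localhost.crt"
KEY="$WORK/localhost.key"
CONF="$WORK/sslconf.conf"
KEYSTORE="$WORK/dmt-keystore.p12"
TRUSTSTORE="$WORK/dmt-truststore.p12"

# Same shape as the config in the question, with the [req] header that
# openssl req needs in order to find distinguished_name / x509_extensions.
write_conf() {
    cat > "$CONF" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = NL
ST = Netherlands
L = Netherlands
O = DMT
OU = My Organisational Unit
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
EOF
}

# Self-signed server certificate and PKCS#12 keystore, as in the question.
# (stderr of req is silenced only to hide key-generation progress dots.)
build_pki() {
    write_conf
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$KEY" -days 3560 -out "$CRT" -config "$CONF" 2>/dev/null
    openssl pkcs12 -export -in "$CRT" -inkey "$KEY" -name localhost_dmt \
        -out "$KEYSTORE" -passout pass:passwordkeystore
}

# A readable keystore proves the servers can *present* the cert, nothing more.
keystore_readable() {
    if openssl pkcs12 -in "$KEYSTORE" -passin pass:passwordkeystore -noout 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Path validation against the default trust store only. This is what the
# JVM does against cacerts, and it fails for a self-signed cert nobody imported.
verify_default_trust() {
    if openssl verify "$CRT" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# The same validation once the self-signed cert is an explicit trust anchor:
# the equivalent of importing it into cacerts or a dedicated truststore.
verify_with_anchor() {
    if openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Hostname check, done after trust: the SAN must contain the host in the URL.
# "localhost" matches; a different name (answer 2's scenario) does not.
verify_hostname() {
    if openssl verify -CAfile "$CRT" -verify_hostname "$1" "$CRT" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# Build a Java truststore when keytool is present, otherwise print the command.
# (-cacerts instead of -keystore would write into the JRE's own store.)
build_truststore() {
    cmd="keytool -importcert -noprompt -alias localhost_dmt -file $CRT -keystore $TRUSTSTORE -storetype PKCS12 -storepass changeit"
    if command -v keytool >/dev/null 2>&1; then
        if $cmd >/dev/null 2>&1; then
            echo "truststore built: use -Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=changeit"
        else
            echo "keytool failed; command was: $cmd"
        fi
    else
        echo "keytool not on PATH; would run: $cmd"
    fi
}

build_pki
echo "keystore readable:          $(keystore_readable)"
echo "default trust store:        $(verify_default_trust)"
echo "cert as trust anchor:       $(verify_with_anchor)"
echo "hostname localhost:         $(verify_hostname localhost)"
echo "hostname www.keycloak.com:  $(verify_hostname www.keycloak.com)"
build_truststore
```

The fix in the first answer is the same import aimed at the JRE's own store, `keytool -importcert -cacerts -alias localhost_dmt -file localhost.crt -storepass changeit` (Java 9 and later; the default cacerts password is `changeit`). That trusts the certificate for every JVM using that runtime, so a dedicated truststore passed with `-Djavax.net.ssl.trustStore` is the narrower option; note that this property replaces cacerts rather than adding to it, so any public CAs the application also needs must be in that file too. For the setup in the second answer, trust is necessary but not sufficient: the certificate Keycloak serves must carry www.keycloak.com in its subjectAltName, and importing the www.sb.com certificate does nothing for calls to www.keycloak.com.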
© www.soinside.com 2019 - 2024. All rights reserved.