unable to find valid certification path to requested target with Quarkus

Question


I have secured my web app with Keycloak that is based on Quarkus. When I start the app:

./mvnw clean compile quarkus:dev

it shows me:

io.quarkus.oidc.OIDCException: OIDC server is not available at the 'quarkus.oidc.auth-server-url' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The Keycloak server is set up with a certificate from https://acme-staging-v02.api.letsencrypt.org/directory (not a valid certificate), because it is a DEV environment.

The Keycloak configuration on Quarkus:

quarkus.oidc.auth-server-url=https://dev.oic.databaker.io/auth/realms/databaker
quarkus.oidc.client-id=svc
quarkus.oidc.credentials.secret=!!!secret!!!
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.1.path=/
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=DISABLED
quarkus.ssl.native=false

How to bypass the error?

Answer 1

Score: 1


The acme-staging Let's Encrypt certificates are for testing purposes and are not trusted by the CAs included with your system.

You need to add the Fake LE Root X1 root certificate to the list of trusted CA certificates.

This is detailed in the Let's Encrypt Acme docs:

> The staging environment intermediate certificate (“Fake LE
> Intermediate X1”) is issued by a root certificate not present in
> browser/client trust stores. If you wish to modify a test-only client
> to trust the staging environment for testing purposes you can do so by
> adding the “Fake LE Root X1” certificate to your testing trust store.
> Important: Do not add the staging root or intermediate to a trust
> store that you use for ordinary browsing or other activities, since
> they are not audited or held to the same standards as our production
> roots, and so are not safe to use for anything other than testing.
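As an added example (not from the answer above or the Quarkus project), a small Java check that loads a dedicated, test-only PKCS12 trust store containing the "Fake LE Root X1" certificate and fetches the realm's OIDC discovery document, which is what Quarkus does at startup. The store path `staging-trust.p12`, the password `changeit`, the PEM file name and the class name are assumptions; the auth-server-url is the one from the question.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

// Verifies that the realm's OIDC discovery endpoint (what Quarkus fetches at startup)
// validates against a dedicated, test-only PKCS12 trust store holding "Fake LE Root X1".
// Exit 0 = chain trusted by that store, 1 = the same PKIX failure Quarkus reports.
public class OidcTrustCheck {
    // SSLContext that trusts ONLY the CAs in the given store; the JVM's cacerts is untouched.
    static SSLContext contextFor(String storePath, char[] storePassword) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(storePath)) {
            store.load(in, storePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    // auth-server-url must end with the realm; Quarkus appends the discovery path to it.
    static boolean discoveryReachable(String authServerUrl, SSLContext ctx) throws Exception {
        URL url = new URL(authServerUrl + "/.well-known/openid-configuration");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            return conn.getResponseCode() == 200;
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed ... unable to find valid certification path to requested target"
            System.err.println("PKIX failure: " + e.getMessage());
            return false;
        } finally {
            conn.disconnect();
        }
    }
    public static void main(String[] args) throws Exception {
        // Assumed: staging-trust.p12 was built with
        // keytool -importcert -file fake-le-root-x1.pem -keystore staging-trust.p12 -storetype PKCS12 -storepass changeit
        String storePath = args.length > 0 ? args[0] : "staging-trust.p12";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String authServerUrl = args.length > 2 ? args[2] : "https://dev.oic.databaker.io/auth/realms/databaker";
        boolean ok = discoveryReachable(authServerUrl, contextFor(storePath, password));
        System.exit(ok ? 0 : 1);
    }
}
```

Once this check passes, the same store can be handed to the Quarkus OIDC extension through `quarkus.oidc.tls.trust-store-file` and `quarkus.oidc.tls.trust-store-password` in the dev profile only, instead of disabling certificate verification or importing the staging root into the JVM's global cacerts.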

huangapple
  • Posted on 2020-09-14 15:00:35
  • Please keep this link when reposting: https://go.coder-hub.com/63879484.html