unable to find valid certification path to requested target with Quarkus
Question
I have secured my web app with Keycloak that is based on Quarkus. When I start the app:

```
./mvnw clean compile quarkus:dev
```

it shows me:

```
io.quarkus.oidc.OIDCException: OIDC server is not available at the 'quarkus.oidc.auth-server-url' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

The Keycloak server is set up with a certificate from https://acme-staging-v02.api.letsencrypt.org/directory (not a valid certificate), because it is a DEV environment.

The Keycloak configuration on Quarkus:

```
quarkus.oidc.auth-server-url=https://dev.oic.databaker.io/auth/realms/databaker
quarkus.oidc.client-id=svc
quarkus.oidc.credentials.secret=!!!secret!!!
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.1.path=/
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=DISABLED
quarkus.ssl.native=false
```

How can I bypass the error?
Answer 1
Score: 1
The acme-staging Let's Encrypt certificates are for testing purposes and are not trusted by the CAs included with your system.
You need to add the Fake LE Root X1 root certificate to the list of trusted CA certificates.
This is detailed in the Let's Encrypt Acme docs:
> The staging environment intermediate certificate (“Fake LE
> Intermediate X1”) is issued by a root certificate not present in
> browser/client trust stores. If you wish to modify a test-only client
> to trust the staging environment for testing purposes you can do so by
> adding the “Fake LE Root X1” certificate to your testing trust store.
> Important: Do not add the staging root or intermediate to a trust
> store that you use for ordinary browsing or other activities, since
> they are not audited or held to the same standards as our production
> roots, and so are not safe to use for anything other than testing.
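
One way to follow the advice above without touching the JDK's global `cacerts`, as an added example that is not part of the original answer: build a separate trust store holding only the staging root and hand it to the dev JVM alone. It assumes you have already saved the "Fake LE Root X1" certificate as a PEM file, that `keytool` from your JDK is on the PATH, and that the OIDC client uses the JVM's default trust store; file names, alias and password are placeholders.

```shell
#!/bin/sh
# Added example: dev-only trust store for the Let's Encrypt staging root.
# Placeholders/assumptions: the PEM file name, the output path, the alias
# "le-staging-root" and the password "changeit" are illustrative.

# build_dev_truststore <root.pem> <out.p12> <password>
# Returns 0 on success, 1 on bad input, 2 if the target is a JDK-wide store.
build_dev_truststore() {
    pem=$1; out=$2; pass=$3

    # The staging root must only live in a store used for testing, so
    # refuse to write into the JDK's global cacerts file.
    case "$out" in
        */lib/security/cacerts)
            echo "refusing to modify global trust store: $out" >&2
            return 2 ;;
    esac

    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem is not a PEM certificate" >&2; return 1; }

    # Start from an empty file so no stale trust anchors carry over.
    rm -f "$out"
    keytool -importcert -noprompt -trustcacerts \
        -alias le-staging-root -file "$pem" \
        -keystore "$out" -storetype PKCS12 -storepass "$pass" || return 1

    # List the result so the single trusted entry can be checked by eye.
    keytool -list -keystore "$out" -storepass "$pass"
}

# dev_jvm_args <truststore> <password>
# Prints the JSSE system properties that point one JVM at that store.
dev_jvm_args() {
    printf '%s %s %s' \
        "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStoreType=PKCS12" \
        "-Djavax.net.ssl.trustStorePassword=$2"
}

# Usage with placeholder paths (kept outside target/, which "clean" deletes):
#   build_dev_truststore fake-le-root-x1.pem dev-truststore.p12 changeit &&
#   ./mvnw clean compile quarkus:dev \
#       -Djvm.args="$(dev_jvm_args dev-truststore.p12 changeit)"
```

Setting `javax.net.ssl.trustStore` replaces the default trust anchors for that JVM, so the dev process trusts only the staging root and will reject publicly trusted hosts until the property is removed.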