Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)


Tom Healey

Feb 19, 2020, 1:20:53 PM
to CAS Community
LDAPS issue

Hi all!
I get the following error when trying to communicate with an MS AD server over LDAPS.
(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

Here is my relevant LDAP config in cas.properties:

cas.authn.ldap[0].name=Active Directory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://XXX.XXX.XXX.XXX:636
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn="set to sane value"
cas.authn.ldap[0].searchFilter="set to sane value"
cas.authn.ldap[0].bindDn="set to sane value"
cas.authn.ldap[0].bindCredential="set to sane value"
cas.authn.ldap[0].dnFormat="set to sane value"
cas.authn.ldap[0].connectTimeout=1000
cas.authn.ldap[0].principalAttributeList=memberOf,cn,givenName,mail,givenName,mail,sn
cas.authn.ldap[0].followReferrals=false 
cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.ldap[0].keystorePassword=keystorepassword

I used the suggestions on the pages below to see what certs a server may have, and found out what certs the server had:
and 

I used this command to find out what certs I needed to add to the keystore.

openssl s_client -showcerts -connect XX.XX.XX.XX:636


NOTE:
I do not want to add the certs to the cacerts file on the host machine, as I am performing a docker build and I want everything the app needs to be loaded in the container.

The openssl s_client -showcerts command showed 2 certs, and I imported them both using the command line like below:

#CAR -- root cert from AD server
keytool -alias myalias -trustcacerts -importcert -keystore etc/cas/theKeystore -storepass XXXX -file etc/cas/myalias.cer 

#CAS2 -- server cert from AD server
keytool -importcert -keystore etc/cas/theKeystore -storepass XXXX -file etc/cas/myalias2.cer -alias myalias2 -trustcacerts

I also used the sslpoke class from the 2nd URL to test the connection. It failed.

I think I have performed the task needed and I still get the error.

Thanks,
Tom

Daniel Fisher

Feb 19, 2020, 4:58:24 PM
to cas-...@apereo.org
On Wed, Feb 19, 2020 at 1:21 PM Tom Healey <thomas...@gmail.com> wrote:
LDAPS issue

Hi all!
I get the following error when trying to communicate to MS AD server over LDAPS.
(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

here is my relevant LDAP config in cas.properties

cas.authn.ldap[0].name=Active Directory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://XXX.XXX.XXX.XXX:636
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn="set to sane value"
cas.authn.ldap[0].searchFilter="set to sane value"
cas.authn.ldap[0].bindDn="set to sane value"
cas.authn.ldap[0].bindCredential="set to sane value"
cas.authn.ldap[0].dnFormat="set to sane value"
cas.authn.ldap[0].connectTimeout=1000
cas.authn.ldap[0].principalAttributeList=memberOf,cn,givenName,mail,givenName,mail,sn
cas.authn.ldap[0].followReferrals=false 
cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.ldap[0].keystorePassword=keystorepassword


Try adding new properties:
cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
cas.authn.ldap[0].trustStorePassword=truststorepassword

Then import your CA into that truststore file. I'm not certain about the camel casing of those properties, but it should be something close to that.

--Daniel Fisher

Tom Healey

Feb 19, 2020, 7:40:54 PM
to CAS Community

Daniel,
Thank you for your response. Is there a difference between the keystore

cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.ldap[0].keystorePassword=keystorepassword


and the trust store parameters?

cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
cas.authn.ldap[0].trustStorePassword=truststorepassword

In any event, I did this:

keytool -alias myalias -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # root
keytool -alias myalias2 -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # server
and still have the problem of
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Thanks all.
Tom



I did add the certs to the keystore (/etc/cas/thekeystore), which is the same one that Tomcat uses for SSL server keys.
Thanks.

Daniel Fisher

Feb 19, 2020, 8:32:06 PM
to cas-...@apereo.org
On Wed, Feb 19, 2020 at 7:41 PM Tom Healey <thomas...@gmail.com> wrote:

Daniel,
Thank you for your response. Is there a difference between the keystore

cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.ldap[0].keystorePassword=keystorepassword


and the trust store parameters?

The keystore is used for authentication material, the truststore is used for trust material. Putting trust material in the keystore file will not fix this issue. Also note that the default type is JKS; if you're using PKCS12 you'll need to set the trustStoreType property.

--Daniel Fisher

Jason Everling

Feb 19, 2020, 8:34:09 PM
to CAS Community
Grab your LDAPS certificates, create a new JKS keystore type and add your certificates to it. The default Java password is changeit, so we will just use that as well. The AD LDAP settings would be:

cas.authn.ldap[0].keystore=file:/etc/cas/your_keystore_name
cas.authn.ldap[0].keystorePassword=changeit

Robert Bond

Feb 20, 2020, 9:34:00 AM
to cas-...@apereo.org
You can also just pass it the (CA or client) cert file, like so:
cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt

--
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University

Jason Everling

Feb 20, 2020, 9:06:03 PM
to cas-...@apereo.org
Does that work if you specify the root or only the end entity certificate?

Robert Bond

Feb 21, 2020, 9:26:24 AM
to cas-...@apereo.org
IIRC it can be the root CA or the client public cert.

Are you using a public ca, and if so which one?
To be safe you could just put the full chain.

Robert Bond

Feb 21, 2020, 9:37:30 AM
to cas-...@apereo.org
I just finished writing an article detailing setting up LDAPS on Active Directory:

For CAS I just specified the CA cert I created using the config line below:
cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt

Jason Everling

Feb 21, 2020, 12:48:34 PM
to cas-...@apereo.org
I was just curious about using the root cert instead; we have a JKS file with our internal roots. We have a 3-tier internal PKI, so we don't use endpoint certs in any trust settings because machine certs are only valid for 12 months.

From: 'Robert Bond' via CAS Community <cas-...@apereo.org>
Sent: Friday, February 21, 2020 8:36:59 AM
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
 


Robert Bond

Mar 2, 2020, 5:42:46 PM
to cas-...@apereo.org
CA trust chain without the client cert should work.
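Added example (not from this thread or the CAS project): a small Python script that parses the `openssl s_client -showcerts` output used earlier in the thread, separates the end-entity cert from the CA certs, and emits either the keytool import into a dedicated PKCS12 truststore with the matching trustStore/trustStorePassword/trustStoreType properties (Daniel's keystore-vs-truststore point) or a PEM bundle of just the CA chain for trustCertificates (Robert's route). The sample output, the placeholder certificate bodies, the store path and password, and the caN.pem file names are all constructed assumptions.

```python
import re
# Constructed sample of `openssl s_client -showcerts -connect host:636` output (the
# command used in the thread). The certificate bodies are placeholders, not real
# certificates; only the depth/subject/issuer lines and the PEM boundaries are parsed.
SAMPLE_SHOWCERTS = """\
 0 s:CN = dc01.corp.example
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT-BODY
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CERT-BODY
-----END CERTIFICATE-----
"""

ENTRY_RE = re.compile(r"^\s*(\d+) s:([^\n]*)\n\s*i:([^\n]*)\n"
                      r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.M | re.S)

def parse_showcerts(text):
    entries = []
    for depth, subject, issuer, pem in ENTRY_RE.findall(text):
        subject, issuer = subject.strip(), issuer.strip()
        # Depth 0 is the server's own (end-entity) cert: identity material, not an anchor.
        role = "leaf" if depth == "0" else ("root" if subject == issuer else "intermediate")
        entries.append({"depth": int(depth), "subject": subject, "issuer": issuer, "pem": pem, "role": role})
    return entries

def trust_material(entries):
    # Only CA certs belong in the truststore; the leaf rotates (e.g. yearly) and is no anchor.
    return [e for e in entries if e["role"] != "leaf"]

def root_present(entries):
    # Servers often omit the self-signed root; if it is absent, fetch it from the PKI itself.
    return any(e["role"] == "root" for e in entries)

def truststore_plan(entries, store="/etc/cas/thetruststore", password="truststorepassword"):
    # keytool imports into a dedicated PKCS12 truststore (save each e["pem"] as caN.pem first)
    # plus the matching CAS properties; property names follow the thread, path/password assumed.
    cmds = [f"keytool -importcert -noprompt -trustcacerts -storetype PKCS12 -keystore {store}"
            f" -storepass {password} -alias ca{e['depth']} -file ca{e['depth']}.pem"
            for e in trust_material(entries)]
    props = [f"cas.authn.ldap[0].trustStore=file:{store}",
             f"cas.authn.ldap[0].trustStorePassword={password}", "cas.authn.ldap[0].trustStoreType=PKCS12"]
    return cmds, props

def trust_certificates_pem(entries):
    # Alternative from the thread: one PEM bundle of just the CA chain for trustCertificates.
    return "\n".join(e["pem"] for e in trust_material(entries)) + "\n"
```

If root_present() is False, the server did not send its self-signed root; importing the intermediate still lets PKIX build a path, but the root taken from the PKI directly is the more durable anchor.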
