Keycloak LDAPS Integration Fails Intermittently with PKIX path building failed


Pawan Saha

Jun 24, 2025, 1:17:19 AM
to Kogito development mailing list
Hi Sir,

Can you help with the following issue:

I'm running **Keycloak (v19.0.3)** inside a Docker container, and I'm integrating it with an **Active Directory (AD)** over **LDAPS** (`port 636`). 
I’ve configured Keycloak to use LDAP federation with `ldaps://XXXXX:636` and `bindDn=ps...@XXXX.XXXX`.

The issue I'm facing is **intermittent SSL handshake failure** during user sync or authentication attempts. The Keycloak logs frequently show the following exception:

```
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
```
Here’s a snippet of the full exception:

```
javax.naming.CommunicationException: simple bind failed: XXXX.XXXX.org:636
[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed...]
```

**What works:**
* Keycloak is able to import ~87 users from AD during startup.
* The SSL cert was exported from AD and imported into the Keycloak truststore.
* Sometimes the connection works perfectly fine for several minutes.

**What fails intermittently:**
* Keycloak suddenly throws `SSLHandshakeException` with `PKIX path building failed`.
* Appears during scheduled LDAP sync or when browsing LDAP users.

**Relevant Docker Setup**
Here’s the relevant part of my `docker-compose.yml`:

```yaml
keycloak:
  image: quay.io/keycloak/keycloak:19.0.3
  command:
    - start-dev
  environment:
    KEYCLOAK_ADMIN: admin
    KEYCLOAK_ADMIN_PASSWORD: admin
    JAVA_OPTS_APPEND: >
      -Djavax.net.ssl.trustStore=/opt/keycloak/conf/truststore.jks
      -Djavax.net.ssl.trustStorePassword=changeit
  volumes:
    - ./keycloak-certs/cmh-truststore.jks:/opt/keycloak/conf/cmh-truststore.jks
```

We generated the `truststore.jks` using:

```bash
keytool -import -alias cmh_ad_cert \
  -file cmh_ad_cert.pem \
  -keystore truststore.jks \
  -storepass changeit \
  -noprompt
```

**LDAP Federation Settings**

Keycloak LDAP settings (visible in the logs):

* `connectionUrl = ldaps://XXXX:636`
* `useTruststoreSpi = ldapsOnly`
* `bindDn = ps...@XXXX.XXXX`
* `startTls = false`
* `authType = simple`
* `editMode = READ_ONLY`
* `importEnabled = true`

Thanks in advance!
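An added example, not part of the post above and not Keycloak's or the poster's code. The keytool command in the post imports a single exported certificate (`cmh_ad_cert.pem`). Java's PKIX trust manager accepts a server certificate that is itself present in the truststore, so a truststore holding one domain controller's leaf certificate works as long as that exact certificate is presented. If `ldaps://XXXX:636` resolves to more than one domain controller, or a controller's certificate is renewed, any other leaf issued by the same CA fails with `unable to find valid certification path to requested target`. The script below reproduces that mechanism offline with a throwaway PKI (the CA name `Example AD Issuing CA` and the hosts `dc1`/`dc2.example.test` are made up) and uses `openssl verify -partial_chain` to mimic Java's "leaf in truststore counts as trusted" rule, which plain OpenSSL does not apply by default. Whether this is the cause in the poster's environment is an assumption to be checked, not a finding.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reproduces the "works for one DC,
# PKIX path building failed for another" pattern with a throwaway PKI.
# Requires the openssl CLI (1.1.1 or later for -partial_chain and -extfile).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build one issuing CA and two "domain controller" leaf certificates signed by it.
# All names are invented for the example.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example AD Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
  for dc in dc1 dc2; do
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s.example.test\n' "$dc" > "$WORK/$dc.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$dc.example.test" \
      -keyout "$WORK/$dc.key" -out "$WORK/$dc.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$dc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$WORK/$dc.ext" -out "$WORK/$dc.pem" 2>/dev/null
  done
}

# Emulate the Java PKIX check: a server cert is trusted if it chains to a CA in
# the truststore, or if the cert itself is in the truststore. OpenSSL only grants
# the second case with -partial_chain. Prints "trusted" or "untrusted".
pkix_check() {  # $1 = truststore PEM, $2 = server cert PEM
  if openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Print the fields you would compare between a DC's presented cert and the
# truststore contents (subject, issuer, SHA-256 fingerprint).
cert_id() {  # $1 = cert PEM
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

build_pki
# Truststore A: a single DC leaf, the shape produced by importing one exported cert.
cp "$WORK/dc1.pem" "$WORK/leaf-only.pem"
# Truststore B: the issuing CA, which covers every certificate that CA has signed.
cp "$WORK/ca.pem" "$WORK/ca-only.pem"

echo "leaf-only store, dc1: $(pkix_check "$WORK/leaf-only.pem" "$WORK/dc1.pem")"  # trusted
echo "leaf-only store, dc2: $(pkix_check "$WORK/leaf-only.pem" "$WORK/dc2.pem")"  # untrusted
echo "CA store,        dc1: $(pkix_check "$WORK/ca-only.pem" "$WORK/dc1.pem")"    # trusted
echo "CA store,        dc2: $(pkix_check "$WORK/ca-only.pem" "$WORK/dc2.pem")"    # trusted
cert_id "$WORK/dc2.pem"

# Against a live directory the same comparison is done per controller, e.g.
#   openssl s_client -connect <dc-ip>:636 -servername <dc-host> -showcerts </dev/null
# for each address the LDAPS hostname resolves to, then cert_id on each presented
# certificate; the issuing CA (not the leaf) is what belongs in the JKS truststore.
```

The second pair of lines is the fix this reproduces: importing the issuing CA's certificate into the truststore (with the same keytool invocation the post shows, pointing `-file` at the CA PEM) makes every controller signed by that CA verify, instead of only the one whose leaf happened to be exported.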