unable to find valid certification path to requested target with Quarkus
I have secured my web application using Quarkus-based Keycloak. When I start the application:
./mvnw clean compile quarkus:dev
it tells me:
io.quarkus.oidc.OIDCException: OIDC server is not available at the 'quarkus.oidc.auth-server-url' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The Keycloak server is set up with a certificate from https://acme-staging-v02.api.letsencrypt.org/directory (not a valid certificate), because it is a DEV environment.
Keycloak configuration on Quarkus:
quarkus.oidc.auth-server-url=https://dev.oic.databaker.io/auth/realms/databaker
quarkus.oidc.client-id=svc
quarkus.oidc.credentials.secret=!!!secret!!!
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.1.path=/
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=DISABLED
quarkus.ssl.native=false
How can I bypass the error?
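The acme-staging Let's Encrypt certificates are for testing purposes and are not trusted by the CAs included in the system.
You need to add the Fake LE Root X1 root certificate to your list of trusted CA certificates.
This is detailed in the Let's Encrypt ACME docs: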
The staging environment intermediate certificate (“Fake LE
Intermediate X1”) is issued by a root certificate not present in
browser/client trust stores. If you wish to modify a test-only client
to trust the staging environment for testing purposes you can do so by
adding the “Fake LE Root X1” certificate to your testing trust store.
Important: Do not add the staging root or intermediate to a trust
store that you use for ordinary browsing or other activities, since
they are not audited or held to the same standards as our production
roots, and so are not safe to use for anything other than testing.
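One way to follow the advice above, as an added example that is not part of the original answer: put the staging root into a dedicated PKCS12 trust store used only by the dev-mode JVM, and refuse to touch the JDK's cacerts or any existing store. The file names fakelerootx1.pem and dev-truststore.p12, the alias le-staging-root and the password changeit are assumptions; the root certificate is assumed to be already saved locally as PEM.

```shell
#!/bin/sh
# Added example. Assumed names: fakelerootx1.pem, dev-truststore.p12, alias.

# Absolute, symlink-free path of a file whose directory already exists.
canon() {
    d=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$d" "$(basename "$1")"
}

# build_dev_truststore <root.pem> <out.p12> [password]
# Exit codes: 0 created, 2 bad input, 3 refused, 4 keytool failed.
build_dev_truststore() {
    pem=$1; out=$2; pass=${3:-changeit}
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem is not a PEM certificate" >&2; return 2; }
    target=$(canon "$out") || { echo "no directory for $out" >&2; return 2; }
    # The staging root must never land in a store used for anything else:
    # refuse the JDK's cacerts and any store that already exists.
    case $target in
        */cacerts) echo "refusing JDK trust store $target" >&2; return 3 ;;
    esac
    [ ! -e "$target" ] || { echo "$target already exists" >&2; return 3; }
    keytool -importcert -noprompt -alias le-staging-root -file "$pem" \
        -keystore "$target" -storetype PKCS12 -storepass "$pass" >&2 || return 4
    printf '%s\n' "$target"
}

# Print the dev-mode command that hands the store to the forked application
# JVM through the quarkus-maven-plugin jvm.args property.
dev_command() {
    printf '%s -Djvm.args="%s=%s %s %s=%s"\n' \
        './mvnw clean compile quarkus:dev' \
        '-Djavax.net.ssl.trustStore' "$1" \
        '-Djavax.net.ssl.trustStoreType=PKCS12' \
        '-Djavax.net.ssl.trustStorePassword' "${2:-changeit}"
}

# Usage: sh dev-truststore.sh fakelerootx1.pem dev-truststore.p12
if [ "$#" -ge 2 ]; then
    ts=$(build_dev_truststore "$1" "$2" "${3:-changeit}") || exit $?
    dev_command "$ts" "${3:-changeit}"
fi
```

Because javax.net.ssl.trustStore replaces the JVM's default store, the dev process will trust only the staging root, so HTTPS calls from the application to other hosts will fail until the property is removed.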