Description
Describe the bug
Hello,
I'm using the quarkus-elytron-security-ldap extension to authenticate against our company LDAP server.
That server presents a certificate signed by our CA.
Chain is the following:
RootCA (cacerts/root.pem)
  |___Sub1 (cacerts/sub1.pem)
        |___Sub2 (cacerts/sub2.pem)
              |___Sub3 (cacerts/sub3.pem)
                    |___LDAP Server
I set, among the others, this parameter in my application.properties file:
quarkus.tls.trust-store.pem.certs=cacerts/sub1.pem,cacerts/sub2.pem,cacerts/sub3.pem,cacerts/root.pem
Files are under src/main/resources/.
Once I try to log in, I get this error (stack trace cut):
ERROR [com.vts.hcm.res.ResponseFactory] (executor-thread-1) Error response 'Unauthorized': ErrorResponse [toString()=AbstractResponse [code=AUTHENTICATION_ERROR], getErrorDetails()=null, getExceptionMessages()=[com.vts.hcmt2.errors.AuthenticationException: java.lang.RuntimeException: org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context, java.lang.RuntimeException: org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context, org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context, javax.naming.CommunicationException: hd00validate.hd00.unicreditgroup.eu:636, javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target], getExceptionStacktrace()=com.vts.hcmt2.errors.AuthenticationException: java.lang.RuntimeException: org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context
Caused by: java.lang.RuntimeException: org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context
Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context
Caused by: javax.naming.CommunicationException: ldapserver.mycompany.eu:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 105 more
Looks like this property is not honored. How should I tell the LDAP security layer to use the CA certs I provide?
Thanks
Expected behavior
LDAP security layer trusts the connection to the LDAP server using the CA cert chain I provide.
Actual behavior
LDAP security layer ignores the CA cert chain I provide.
How to Reproduce?
No response
Output of uname -a or ver
Windows Server 2019
Output of java -version
OpenJDK 64-Bit Server VM Temurin-21.0.8+9 (build 21.0.8+9-LTS, mixed mode, sharing)
Quarkus version or git rev
3.29.0
Build tool (i.e. output of mvnw --version or gradlew --version)
Gradle 3.14.2
Additional information
No response
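A standalone check that separates the two possible causes behind the "PKIX path building failed" error above: either the PEM bundle itself cannot validate the server's chain (a missing intermediate, a wrong file), or the bundle is fine and the LDAP extension is simply not using the configured trust store. The program below is an added example, not code from the issue reporter or from Quarkus; it loads the same four PEM files the reporter lists (assumed to sit under src/main/resources/cacerts/ relative to the working directory) into an in-memory trust store and performs a plain JSSE handshake against the LDAPS port with LDAPS hostname verification enabled, exactly as a JNDI LDAP client would. The host name and port are placeholders taken from the sanitized stack trace; pass your own as arguments.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Diagnostic: does the PEM bundle from quarkus.tls.trust-store.pem.certs
 * validate the LDAPS server's certificate chain when used directly with JSSE?
 * Success here means the bundle is correct and the problem lies in how the
 * LDAP extension picks up the trust configuration; the same PKIX failure here
 * means the bundle itself is incomplete.
 */
public class LdapTrustCheck {

    // Assumed locations: the files the reporter lists, resolved from the
    // project root rather than the classpath.
    static final String[] PEM_FILES = {
        "src/main/resources/cacerts/sub1.pem",
        "src/main/resources/cacerts/sub2.pem",
        "src/main/resources/cacerts/sub3.pem",
        "src/main/resources/cacerts/root.pem",
    };

    /** Loads every certificate found in the PEM files into an empty in-memory store. */
    static KeyStore loadTrustStore(String... pemFiles) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // fresh, empty store: only the PEM certs will be trusted
        int n = 0;
        for (String pem : pemFiles) {
            try (InputStream in = Files.newInputStream(Path.of(pem))) {
                // One PEM file may carry several certificates (a bundle), so read them all.
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    ks.setCertificateEntry("ca-" + (n++), x);
                    System.out.println("trusted anchor: " + x.getSubjectX500Principal());
                }
            }
        }
        if (n == 0) {
            throw new IllegalStateException("no certificates loaded from " + String.join(",", pemFiles));
        }
        return ks;
    }

    /** Handshakes with host:port trusting only the given store; prints the chain the server sent. */
    static void handshake(KeyStore trust, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Same endpoint identification the JDK LDAP provider applies on ldaps:// URLs.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            s.setSSLParameters(p);

            s.startHandshake(); // throws SSLHandshakeException on a PKIX failure

            System.out.println("handshake OK, protocol " + s.getSession().getProtocol());
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  server sent: " + x.getSubjectX500Principal()
                        + "  issued by " + x.getIssuerX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholders from the sanitized stack trace; override on the command line.
        String host = args.length > 0 ? args[0] : "ldapserver.mycompany.eu";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        handshake(loadTrustStore(PEM_FILES), host, port);
    }
}
```

Reading the result: the "server sent" lines show which certificates the LDAP server actually delivers in its chain. If it sends only its leaf and the handshake fails, the intermediates must come from the trust bundle, so a missing or mismatched sub-CA file reproduces the PKIX error outside Quarkus. If the handshake succeeds with these same files, the bundle is sufficient and the report narrows to the extension not consulting the quarkus.tls trust-store configuration.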