Problems with database connection

Hello everyone, I would like some help.

I’m trying to configure Keycloak version 26.1.0 to connect to a Postgres Flex database in Azure. However, I’m getting some errors in the certificate chain. I’ve already made all the adjustments and mapping, but it seems that it’s still not recognized. See the logs:

keycloak-server | 2025-02-14 17:41:47,146 WARN [io.agroal.pool] (agroal-11) Datasource ‘’: SSL error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
keycloak-server | 2025-02-14 17:41:47,147 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (JPA Startup Thread) SQL Error: 0, SQLState: 08006
keycloak-server | 2025-02-14 17:41:47,148 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (JPA Startup Thread) SSL error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
keycloak-server | 2025-02-14 17:41:47,149 WARN [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread) HHH000342: Could not obtain connection to query metadata: org.hibernate.exception.JDBCConnectionException: unable to obtain isolated JDBC connection [SSL error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] [n/a]
keycloak-server | at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:100)
keycloak-server | at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:58)
keycloak-server | at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:108)
keycloak-server | at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:94)
keycloak-server | at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.doTheWork(JtaIsolationDelegate.java:202)
keycloak-server | at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.lambda$delegateWork$3(JtaIsolationDelegate.java:91)
keycloak-server | at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.doInSuspendedTransaction(JtaIsolationDelegate.java:123)
keycloak-server | at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.delegateWork(JtaIsolationDelegate.java:88)
keycloak-server | at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.getJdbcEnvironmentUsingJdbcMetadata(JdbcEnvironmentInitiator.java:320)
keycloak-server | at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:129)
keycloak-server | at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:81)
keycloak-server | at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:130)
keycloak-server | at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263)
keycloak-server | at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:238)
keycloak-server | at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:215)
keycloak-server | at org.hibernate.service.ServiceRegistry.requireService(ServiceRegistry.java:68)
keycloak-server | at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.configure(JdbcServicesImpl.java:52)
keycloak-server | at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:136)
keycloak-server | at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:247)
keycloak-server | at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:215)
keycloak-server | at org.hibernate.service.ServiceRegistry.requireService(ServiceRegistry.java:68)
keycloak-server | at org.hibernate.boot.internal.SessionFactoryOptionsBuilder.(SessionFactoryOptionsBuilder.java:290)
keycloak-server | at io.quarkus.hibernate.orm.runtime.recording.PrevalidatedQuarkusMetadata.buildSessionFactoryOptionsBuilder(PrevalidatedQuarkusMetadata.java:72)
keycloak-server | at io.quarkus.hibernate.orm.runtime.boot.FastBootEntityManagerFactoryBuilder.build(FastBootEntityManagerFactoryBuilder.java:84)
keycloak-server | at io.quarkus.hibernate.orm.runtime.FastBootHibernatePersistenceProvider.createEntityManagerFactory(FastBootHibernatePersistenceProvider.java:73)
keycloak-server | at jakarta.persistence.Persistence.createEntityManagerFactory(Persistence.java:80)
keycloak-server | at jakarta.persistence.Persistence.createEntityManagerFactory(Persistence.java:55)
keycloak-server | at io.quarkus.hibernate.orm.runtime.JPAConfig$LazyPersistenceUnit.get(JPAConfig.java:154)
keycloak-server | at io.quarkus.hibernate.orm.runtime.JPAConfig$1.run(JPAConfig.java:61)
keycloak-server | at java.base/java.lang.Thread.run(Thread.java:1583)
keycloak-server | Caused by: org.postgresql.util.PSQLException: SSL error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

docker-compose:
  keycloak-server:
    image: Quay
    container_name: keycloak-server
    command:
      - start
      - --hostname-debug=true
      - --truststore-paths=/opt/keycloak/certs/DigiCertGlobalRootCA.crt,/opt/keycloak/certs/DigiCertGlobalRootG2.crt.pem,/opt/keycloak/certs/MicrosoftRsaRootCertificateAuthority2017.crt
    environment:
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: "pass"
      KC_DB: postgres
      KC_DB_URL: "jdbc:postgresql://dev-bd-psql-flex-keycloak.postgres.database.azure.com:5432/keycloak?sslmode=verify-full&sslrootcert=/opt/keycloak/certs/DigiCertGlobalRootCA.crt"
      KC_DB_SCHEMA: public
      KC_LOG_LEVEL: INFO
      DB_DATABASE: keycloak
      KC_DB_USERNAME: manager
      KC_DB_PASSWORD: "pass"
      KC_PROXY_HEADERS: xforwarded
      KC_HOSTNAME: HOST
      KC_HTTP_ENABLED: "true"
      KC_HOSTNAME_STRICT: true
      KC_CACHE: ispn
      KC_CACHE_STACK: jdbc-ping
      KC_JGROUPS_DISCOVERY_PROTOCOL: JDBC_PING
      JAVA_OPTS_APPEND: -Djgroups.external_addr=${MY_IP_ADDRESS}
    ports:
      - "8080:8080" # Port HTTP
      - "7800:7800"
      - "57800:57800"
    volumes:
      - ./certs:/opt/keycloak/certs:ro
    networks:
      - app-network

I’m using Keycloak in production mode, and I also downloaded all the certificates from Azure, which I found here: Networking overview using SSL and TLS - Azure Database for PostgreSQL - Flexible Server

Has anyone else had this error? Do you have any suggestions? Thank you very much in advance.

Hello, I’ve seen the SSL error: PKIX path building failed in different cases, but I’ve seen it the most when working behind a corporate proxy. This corporate proxy was adding an intermediary certificate in the chain (acting as a man in the middle). I had to get this intermediate certificate from the team managing the proxy, and add this certificate to the truststore in order to make outgoing SSL requests work.

I hope this can lead you somewhere.
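The PKIX error in the question and the proxy scenario in the reply are the same failure seen from two sides: the issuer of the chain the server actually presents is not among the roots the client trusts. The following is an added example for this thread, not the poster's configuration and not Keycloak or pgjdbc code. It uses the openssl CLI to reproduce the two checks the driver performs for sslmode=verify-full: capture the served chain, list who signed each certificate, and verify the chain against a trust bundle (for instance the concatenation of the three files given to --truststore-paths). Host, port and file names are placeholders; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original thread): trace a "PKIX path building
# failed" error with the openssl CLI. Assumes openssl is installed; host, port
# and file names are placeholders chosen for illustration.

# 1. Capture the certificate chain a PostgreSQL server actually presents.
#    This is the only step that talks to the network. PostgreSQL negotiates TLS
#    with an in-protocol request, hence -starttls postgres.
#    Usage: fetch_pg_chain HOST 5432 > chain.pem
fetch_pg_chain() {
  openssl s_client -connect "$1:$2" -starttls postgres -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# 2. Print subject and issuer of every certificate in a PEM bundle (offline).
#    If the last issuer printed for chain.pem is not a subject in the trust
#    bundle, that is exactly the "unable to find valid certification path"
#    situation; a proxy-injected intermediate shows up here as an unexpected issuer.
describe_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# 3. Verify the served chain against a trust bundle (offline).
#    $1 = PEM bundle of trusted roots (e.g. cat of the --truststore-paths files)
#    $2 = chain.pem from step 1 (leaf first, then any intermediates)
#    $3 = optional hostname; when given, the leaf must match it (verify-full)
#    Returns 0 when the leaf chains to a trusted root, non-zero otherwise.
verify_against_roots() {
  leaf=$(mktemp) || return 2
  # openssl x509 reads only the first certificate in the file, i.e. the leaf.
  openssl x509 -in "$2" -out "$leaf" 2>/dev/null || { rm -f "$leaf"; return 2; }
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$3" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -untrusted "$2" "$leaf" >/dev/null 2>&1
  fi
  rc=$?
  rm -f "$leaf"
  return $rc
}
```

Typical use against a live server: `fetch_pg_chain db.example.test 5432 > chain.pem`, then `describe_chain chain.pem` to see which CA signed the served certificate, then `cat /opt/keycloak/certs/*.crt /opt/keycloak/certs/*.pem > roots.pem && verify_against_roots roots.pem chain.pem db.example.test`. A non-zero result with a root that is clearly missing from roots.pem points at the trust bundle; an unexpected issuer in the describe_chain output points at something on the path rewriting the chain, as in the reply above.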