Camunda 8 Keycloak Connection - Unable to connect to Keycloak

Hi Team,
My Keycloak is running, but Identity is giving this error. Can you please suggest what the issue might be?
Infra: Camunda 8.6 deployed on OpenShift

2025-03-21 11:02:08.490 INFO 1 — [ main] i.c.i.Application : Started Application in 5.734 seconds (process running for 6.976)

2025-03-21 11:02:08.892 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #1. Unable to connect to Keycloak.

2025-03-21 11:02:38.892 WARN 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Retrying…

2025-03-21 11:02:39.064 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #2. Unable to connect to Keycloak.

Hi @wvinothkumar
I would check IPs for your workloads. From the official docs:
Users can interact with Keycloak without SSL so long as they stick to private IPv4 addresses such as localhost , 127.0.0.1 , 10.x.x.x , 192.168.x.x , 172.16.x.x or IPv6 link-local and unique-local addresses. If you try to access Keycloak without SSL from a non-private IP address, you will get an error.

And there is a solution unfortunately with manual steps: Troubleshooting Identity | Camunda 8 Docs

Regards,
Alex

Hi @Alex_Voloshyn ,
Thanks for the response.
I even tried setting Required SSL to None in Keycloak, but I am still facing the issue.

Were you able to check the IPs? Are they from the external pool for Keycloak?

"Even tried to make the Required SSL None in the keycloak"
It's expected to be set to None for two realms: master and camunda-platform.
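To make the two points above concrete (the Keycloak rule that only private/local client addresses may use plain HTTP when a realm's Require SSL is "external", and the expectation that both the master and camunda-platform realms are set to None), here is an added example, not code from the thread or from Camunda/Keycloak. It implements the documented address list as a classifier and audits realm representations of the shape returned by `kcadm.sh get realms` (only the `realm` and `sslRequired` fields are used). Assumptions: the sample realms and client IPs are constructed for illustration, `localhost` and the IPv6 loopback `::1` are treated as local, and the client IP is whatever Keycloak actually sees as the request source (behind a proxy that may be a forwarded address rather than the pod's own).

```python
import ipaddress

# Constructed sample: realm representations as `kcadm.sh get realms` would
# return them, reduced to the fields this check needs.
SAMPLE_REALMS = [
    {"realm": "master", "sslRequired": "external"},
    {"realm": "camunda-platform", "sslRequired": "none"},
]

# Constructed sample: source addresses Keycloak might see for Identity's requests.
SAMPLE_CLIENT_IPS = ["127.0.0.1", "10.128.2.17", "192.168.1.5", "172.31.0.9",
                     "fe80::1", "fd12::5", "203.0.113.8", "2001:db8::1"]

# Keycloak's Require SSL modes (realm setting "sslRequired").
SSL_MODES = {"all", "external", "none"}

PRIVATE_V4 = (ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("172.16.0.0/12"),
              ipaddress.ip_network("192.168.0.0/16"))
UNIQUE_LOCAL_V6 = ipaddress.ip_network("fc00::/7")

# Realms Camunda Identity needs to reach; both must allow its traffic.
REQUIRED_REALMS = frozenset({"master", "camunda-platform"})


def is_private_client(ip: str) -> bool:
    """True when Keycloak treats `ip` as a local/private client, i.e. one that
    may use plain HTTP under sslRequired="external". Follows the documented
    list: localhost/loopback, 10/8, 172.16/12, 192.168/16, IPv6 link-local and
    unique-local (assumption: ::1 counts as loopback as well)."""
    if ip == "localhost":
        return True
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return True
    if addr.version == 4:
        return any(addr in net for net in PRIVATE_V4)
    return addr.is_link_local or addr in UNIQUE_LOCAL_V6


def plain_http_rejected(realm: dict, client_ip: str) -> bool:
    """True when a plain-HTTP request from client_ip to this realm would fail
    Keycloak's Require SSL check. Unknown modes are an error, not a pass."""
    mode = realm.get("sslRequired", "external")
    if mode not in SSL_MODES:
        raise ValueError(f"{realm.get('realm')}: unknown sslRequired {mode!r}")
    if mode == "none":
        return False
    if mode == "all":
        return True
    return not is_private_client(client_ip)


def audit(realms, client_ips, required=REQUIRED_REALMS):
    """Return (problems, missing): problems is the list of (realm, ip) pairs
    Keycloak would reject over plain HTTP; missing lists required realms that
    are absent from the export (e.g. camunda-platform not created yet)."""
    names = {r["realm"] for r in realms}
    missing = sorted(required - names)
    problems = [(r["realm"], ip)
                for r in realms if r["realm"] in required
                for ip in client_ips if plain_http_rejected(r, ip)]
    return problems, missing


if __name__ == "__main__":
    problems, missing = audit(SAMPLE_REALMS, SAMPLE_CLIENT_IPS)
    for realm, ip in problems:
        print(f"realm {realm}: plain HTTP from {ip} would be rejected (HTTPS required)")
    for realm in missing:
        print(f"realm {realm}: not present")
```

In the constructed sample only the master realm (still on "external") rejects the two non-private addresses; setting it to "none" as the reply recommends, or keeping Identity's source address inside the private ranges, clears the report. Note that `ipaddress.is_private` is deliberately not used: it also matches ranges such as 100.64/10 that the documented Keycloak list does not include.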

2025-03-21 15:16:24.379 INFO 1 — [ main] i.c.i.Application : Started Application in 5.577 seconds (process running for 6.792)

2025-03-21 15:16:24.721 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #1. Unable to connect to Keycloak.

2025-03-21 15:16:54.721 WARN 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Retrying…

2025-03-21 15:16:54.743 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #2. Unable to connect to Keycloak.

2025-03-21 15:17:24.743 WARN 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Retrying…

2025-03-21 15:17:24.911 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #3. Unable to connect to Keycloak.

2025-03-21 15:17:54.911 WARN 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Retrying…

2025-03-21 15:17:55.079 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #4. Unable to connect to Keycloak.

2025-03-21 15:18:25.079 WARN 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Retrying…

2025-03-21 15:18:25.251 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #5. Unable to connect to Keycloak.

2025-03-21 15:18:55.251 WARN 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Retrying…

2025-03-21 15:18:55.422 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : Failure #6. Unable to connect to Keycloak.

2025-03-21 15:18:55.423 ERROR 1 — [ main] i.c.i.i.k.c.KeycloakConfiguration : : Unable to invoke request: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

It looks like Identity is now unable to pick up the Keycloak certificate. Can you please help me?

Can you share your values.yaml?

Can you please tell me which specific content you need? I can share just those parts.

Based on the error you shared, it seems to be related to the SSL configuration. Any relevant parts might be useful.

Regards,
Alex

And one more point from @GotnOGuts :wink: that seems valid—it usually means the SSL certificate isn’t signed by a commercial service, so the client system doesn’t know how to build a trust chain.

Hi @Alex_Voloshyn
Now it looks like the connection is established successfully. But when I try to load Identity, it shows an empty page. Could you please help me find where my mistake is now?

Browser Page Response : HTTP Status 404 – Not Found

Hi @wvinothkumar
It’s hard to determine the reason without seeing the deployment values, specifically your values file.

identity:
  enabled: true
  fullnameOverride: ""
  nameOverride: ""
  firstUser:
    enabled: true
    username: demo
    password: demo
    email: demo@example.org
    firstName: Demo
    lastName: User
    existingSecret: ""
    existingSecretKey: "identity-firstuser-password"
  image:
    registry: ""
    repository: identity
    tag: 8.6.7
    pullSecrets:
      - name: pullsecret
  sidecars: []
  initContainers: []
  fullURL: "https://fullpath/identity"
  contextPath: "/identity"
  podAnnotations: {}
  podLabels: {}
  service:
    annotations: {}
    type: ClusterIP
    port: 80
    metricsPort: 82
    metricsName: metrics
  podSecurityContext:
    runAsNonRoot: false
    fsGroup: 1001
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    privileged: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1001
    seccompProfile:
      type: RuntimeDefault
  startupProbe:
    enabled: false
    scheme: HTTP
    probePath: /actuator/health
    initialDelaySeconds: 30
    periodSeconds: 30
    successThreshold: 1
    failureThreshold: 5
    timeoutSeconds: 1
  readinessProbe:
    enabled: true
    scheme: HTTP
    probePath: /actuator/health
    initialDelaySeconds: 30
    periodSeconds: 30
    successThreshold: 1
    failureThreshold: 5
    timeoutSeconds: 1
  livenessProbe:
    enabled: false
    scheme: HTTP
    probePath: /actuator/health
    initialDelaySeconds: 30
    periodSeconds: 30
    successThreshold: 1
    failureThreshold: 5
    timeoutSeconds: 1
  metrics:
    prometheus: /actuator/prometheus
  nodeSelector: {}
  tolerations: []
  affinity: {}
  resources:
    requests:
      cpu: 600m
      memory: 400Mi
    limits:
      cpu: 2000m
      memory: 2Gi
  env:
  envFrom: []
  command: []
  extraVolumes:
    - name: certificate
      secret:
        secretName: tls-secret-identity
        items:
          - key: tls.crt
            path: tls.crt
        defaultMode: 420
    - name: keystore
      secret:
        secretName: tls-secret-identity
        defaultMode: 420
    - name: keycloak-keystore
      secret:
        secretName: tls-secret-keycloak
        defaultMode: 420
  extraVolumeMounts:
    - name: certificate
      mountPath: /usr/local/identity/config/tls.crt
      subPath: tls.crt
    - name: keystore
      mountPath: /opt/keystore/identity
    - name: keycloak-keystore
      mountPath: /opt/keystore/keycloak
  serviceAccount:
    enabled: false
    name: ""
    annotations: {}
    automountServiceAccountToken: false
  externalDatabase:
    enabled: false
    host:
    port:
    username:
    database:
    password:
    existingSecret:
    existingSecretPasswordKey:
  configuration: ""
  extraConfiguration: {}
  dnsPolicy: ""
  dnsConfig: {}

Hi @Alex_Voloshyn - I am now getting the following error:

jakarta.ws.rs.ForbiddenException: HTTP 403 Forbidden

at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:240) ~[resteasy-client-6.2.7.Final.jar!/:6.2.7.Final]

at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.DefaultEntityExtractorFactory$3.extractEntity(DefaultEntityExtractorFactory.java:41) ~[resteasy-client-6.2.7.Final.jar!/:6.2.7.Final]

at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:136) ~[resteasy-client-6.2.7.Final.jar!/:6.2.7.Final]

at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:103) ~[resteasy-client-6.2.7.Final.jar!/:6.2.7.Final]

at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:61) ~[resteasy-client-6.2.7.Final.jar!/:6.2.7.Final]

at jdk.proxy2/jdk.proxy2.$Proxy156.create(Unknown Source) ~[?:?]

at io.camunda.identity.impl.keycloak.initializer.service.RealmUploadInitializationService.createRealm(RealmUploadInitializationService.java:69) ~[!/:?]

at io.camunda.identity.impl.keycloak.initializer.service.RealmUploadInitializationService.run(RealmUploadInitializationService.java:49) ~[!/:?]

at io.camunda.identity.impl.keycloak.initializer.KeycloakEnvironmentInitializer.run(KeycloakEnvironmentInitializer.java:60) ~[!/:?]

at org.springframework.boot.SpringApplication.lambda$callRunner$4(SpringApplication.java:786) ~[spring-boot-3.3.7.jar!/:3.3.7]

Do both the master and the camunda-platform realms have ‘Required SSL’ set to ‘None’?
