I am running keycloak with docker-compose as described here: official docker compose example
The instance is running behind an apache2 as reverse proxy, doing the SSL termination which works just fine.
I want to add ldap as a user storage provider. The ldap server is reachable ("Test Connection" indicates success) but I am not able to connect since keycloak needs to trust my self-signed certificate which is required for ldaps connection. The error is:
Error when authenticating to LDAP: Could not negotiate TLS
How can I make keycloak trust the CA certificate of my Active Directory (ldap) Server within the context of docker-compose?
It all boiled down to getting the CA cert in the Docker build and then importing it to the java keystore:
# JDK 8 installation, just for reference. You might want to update, since it is EOL soon.
RUN apt update && apt install -y openjdk-8-jdk
# COPY your root CA cert from the docker build directory into the container
COPY ca.mydomain.com.crt /usr/local/share/ca-certificates/mydomain.com/ca.mydomain.com.crt
# Import the root CA cert from its location inside the container into the java cacerts.
# "changeit" is the default password of the JDK cacerts keystore.
RUN keytool -storepass changeit -noprompt -trustcacerts -import -alias mydomain.com -keystore /etc/ssl/certs/java/cacerts -file /usr/local/share/ca-certificates/mydomain.com/ca.mydomain.com.crt
From this point onward, keycloak (which references the java cacerts) will recognize your root CA as a valid authority.