Keycloak -> Realm Settings -> Email -> Test connection: I'm trying to do this. The page shows the error "Error! Failed to send email". The Tomcat logs show the error "Could not convert socket to TLS". How can I solve this problem?

  • Does this answer your question? [Javamail Could not convert socket to TLS GMail](https://stackoverflow.com/questions/16115453/javamail-could-not-convert-socket-to-tls-gmail) – Jan Garaj Oct 14 '21 at 07:34
  • I can't change props in Java, because sending emails is implemented in Keycloak. Disabling the antivirus did not fix the error :( – siemasiema123.96 Oct 14 '21 at 08:32

1 Answer

I know a lot of time has passed since this question was asked, but the problem in our case was that no trust store was specified in Keycloak with the certificate of the mail server. In order to do that you can import the certificate in a keystore and follow the official documentation which suggests:

```
bin/kc.[sh|bat] start --spi-truststore-file-file=path/to/truststore.jks --spi-truststore-file-password=change_me --spi-truststore-file-hostname-verification-policy=WILDCARD
```

In our case we used Kubernetes and had the certificates in a secret, let's call it secret-with-certs. The configuration looked something like this:

```yaml
spec:
  containers:
    - env:
        # this variable is specific to the bitnami image; for jboss it will probably have a different name
        - name: KEYCLOAK_EXTRA_ARGS
          value: >-
            --spi-truststore-file-file=/opt/bitnami/keycloak/certs/truststore/truststore.jks
            --spi-truststore-file-password=changeit
      image: bitnami/keycloak:19.0.3
      volumeMounts:
        # this location is specific to the bitnami image for keycloak; for the jboss image it should be a different path
        - mountPath: /opt/bitnami/keycloak/certs/truststore
          name: truststore-jks

    # ...

  initContainers:
    # builds the JKS trust store from the mounted secret before Keycloak starts
    - name: prepare-tls-certs
      image: azul/zulu-openjdk:17
      args:
        - >
          keytool -keystore /tmp/certs/truststore.jks -storetype JKS -importcert
          -file /certs/truststore/mail.crt -storepass changeit -alias mail-cert
          -noprompt;
      command:
        - /bin/sh
        - '-c'
      volumeMounts:
        - mountPath: /certs/truststore
          name: truststore-certs
        - mountPath: /tmp/certs
          name: truststore-jks
  volumes:
    - name: truststore-certs
      secret:
        secretName: secret-with-certs
    # shared scratch volume: written by the init container, read by Keycloak
    - emptyDir: {}
      name: truststore-jks
```
vl4d1m1r4
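An added example, not part of the original answer: a variant of the init container's import step for the case where the file in the secret holds several PEM certificates (for example an intermediate plus a root). `keytool -importcert` adds only the first certificate of such a file as a trusted entry, so this sketch splits the bundle and imports each certificate under its own alias. The function names, the `mail-cert-N` aliases and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; function names, aliases and paths are assumptions.

# split_pem_bundle BUNDLE OUTDIR
# Writes every certificate found in BUNDLE to OUTDIR/cert-N.pem and prints
# the number of certificates. Text outside the PEM markers is ignored.
split_pem_bundle() {
  bundle=$1 outdir=$2
  mkdir -p "$outdir" || return 1
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# build_truststore BUNDLE STORE PASSWORD
# Imports each certificate of BUNDLE into the JKS file STORE as mail-cert-N.
# Fails without touching STORE if the bundle contains no certificate.
build_truststore() {
  bundle=$1 store=$2 pass=$3
  work=$(mktemp -d) || return 1
  count=$(split_pem_bundle "$bundle" "$work") || { rm -rf "$work"; return 1; }
  if [ "$count" -eq 0 ]; then
    echo "no certificates found in $bundle" >&2
    rm -rf "$work"
    return 1
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    keytool -importcert -noprompt -storetype JKS -keystore "$store" \
      -storepass "$pass" -alias "mail-cert-$i" -file "$work/cert-$i.pem" \
      || { rm -rf "$work"; return 1; }
    i=$((i + 1))
  done
  rm -rf "$work"
  # List the entries so the init container log shows what Keycloak will trust.
  keytool -list -keystore "$store" -storepass "$pass"
}

# Usage inside the init container (paths taken from the manifest above):
#   build_truststore /certs/truststore/mail.crt /tmp/certs/truststore.jks changeit
```

If the listing shows fewer entries than the mail server's chain requires, the "Could not convert socket to TLS" error will persist even though a trust store is configured.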