Hello,
I’m trying to deploy MOSIP 1.2.0.1 following the v3 deployment guide (without DNS).
When signing in to the admin console, I’m redirected to Keycloak, then I enter my credentials, and I get:
{"id":null,"version":null,"responsetime":"2025-06-03T16:27:19.097Z","metadata":null,"response":null,"errors":[{"errorCode":"KER-MSD-500","message":"KER-ACP-006 --> Error Occured while getting access token from iam Code not valid; \nnested exception is org.springframework.web.client.HttpClientErrorException: 400 Bad Request"}]}
In the admin-service pod logs I have:
{"@timestamp":"2025-06-03T15:48:38.130Z","@version":"1","message":"\n\n Exception : Authorization token not present > http://api-internal.msp.xxx.yy/v1/admin/masterdata/configs\n\n","logger_name":"io.mosip.kernel.auth.defaultadapter.filter.AuthFilter","thread_name":"http-nio-8098-exec-3","level":"ERROR","level_value":40000,"appName":"admin-service","traceId":"63998fbc28dde3cba699fc8e960c15cd","spanId":"8c4516898b31c907","spanExportable":"false","X-Span-Export":"false","X-B3-SpanId":"8c4516898b31c907","X-B3-ParentSpanId":"a699fc8e960c15cd","X-B3-TraceId":"63998fbc28dde3cba699fc8e960c15cd","parentId":"a699fc8e960c15cd"}
{"@timestamp":"2025-06-03T15:48:38.130Z","@version":"1","message":"\n\n Exception : Authorization token not present > http://api-internal.msp.xxx.yy/v1/admin/authorize/admin/validateToken\n\n","logger_name":"io.mosip.kernel.auth.defaultadapter.filter.AuthFilter","thread_name":"http-nio-8098-exec-4","level":"ERROR","level_value":40000,"appName":"admin-service","traceId":"8d9ceb829e56616646370aabe91c7d3f","spanId":"4a5d3a1bb95aa2c1","spanExportable":"false","X-Span-Export":"false","X-B3-SpanId":"4a5d3a1bb95aa2c1","X-B3-ParentSpanId":"46370aabe91c7d3f","X-B3-TraceId":"8d9ceb829e56616646370aabe91c7d3f","parentId":"46370aabe91c7d3f"}
then
{"@timestamp":"2025-06-03T15:48:42.536Z","@version":"1","message":"offline verification for environment profile. UserName: globaladmin","logger_name":"io.mosip.kernel.authcodeflowproxy.api.validator.ValidateTokenUtil","thread_name":"http-nio-8098-exec-7","level":"INFO","level_value":20000,"appName":"admin-service","traceId":"2c3eac967dad8e1ccf42c4aaad1d2afb","spanId":"7bbd5feadacfcc27","spanExportable":"false","X-Span-Export":"false","X-B3-SpanId":"7bbd5feadacfcc27","X-B3-ParentSpanId":"cf42c4aaad1d2afb","X-B3-TraceId":"2c3eac967dad8e1ccf42c4aaad1d2afb","parentId":"cf42c4aaad1d2afb"}
{"@timestamp":"2025-06-03T15:48:43.327Z","@version":"1","message":"Error downloading Public key from serverCannot obtain jwks from url https://iam.msp.xxx.yy/auth/realms/mosip/protocol/openid-connect/certs","logger_name":"io.mosip.kernel.authcodeflowproxy.api.validator.ValidateTokenUtil","thread_name":"http-nio-8098-exec-7","level":"ERROR","level_value":40000,"appName":"admin-service","traceId":"2c3eac967dad8e1ccf42c4aaad1d2afb","spanId":"7bbd5feadacfcc27","spanExportable":"false","X-Span-Export":"false","X-B3-SpanId":"7bbd5feadacfcc27","X-B3-ParentSpanId":"cf42c4aaad1d2afb","X-B3-TraceId":"2c3eac967dad8e1ccf42c4aaad1d2afb","parentId":"cf42c4aaad1d2afb"}
The URL doesn’t work from the pod with TLS validation:
% k -n admin exec -it pod/admin-service-d7578b5f9-zdkkx -- bash
mosip@admin-service-d7578b5f9-zdkkx:~$ curl https://iam.msp.xxx.yy/auth/realms/mosip/protocol/openid-connect/certs
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
But the URL is valid from the pod with “--insecure” (“-k”):
mosip@admin-service-d7578b5f9-zdkkx:~$ curl -k https://iam.msp.xxx.yy/auth/realms/mosip/protocol/openid-connect/certs
{"keys":[{"kid":"Wdt50ifLasDi3XSmvsq4O8vCC-trLTPgrYcbcGmKgvA","kty":"RSA","alg":"RS256","use":"sig","n":"nZCujZof4X6DG-dY9NlSY9mOVuMwJNsGKFImgUX4tsq1Cd9sRUbNw7cBSSzwpAZQQDW0mCsrgit30ZBdpHf7q1QhfG2eXBoddHH8xdOgN7ImZ4CAJfyva5yTp5pnX3cNh9Fb6jCkyYIp0qRZ-2FJqZK6tAtbY8FkZQRgrhzNFLuhRmmCuvWLzoOxG2_uT4CVuAEJ8DiV3EmiQKyg-uFLQu8hQ5czF3uafLkZN0tdEiSaHgkXuxOCaUQ3q3WRHohH1C8SuY-tJzLZwlmxwOSVxOpvR4vXsEI5P4NjMwETGQ0ZkxKdLmfe8m8DQyctUjTxI7pdt8LrMgk7XHvrd7Owzw","e":"AQAB","x5c":["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"],"x5t":"XfjMJJLntrGO8rO-Vp2ae-fsHfA","x5t#S256":"GQs34cltFu3a8f8wL7BTf7BTUDLYFzA8gtigvHwQfvc"},{"kid":"iHpDREw2X6V_4wGTE6sYlIDDyntpzWbVhpD7N9D1vgU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"oLglV5fne8qJRofDUAo4MQ4PA9KNAEbyBomaAoJiyVPpFJQIAS86DPWHtTqwZ4lVOEM9PnZFRjEXzx_P0L1bZQvVScWqwcrDcrRANLOFnbC4QMNPElk6RTiYELXVsjz1h9LjpRDJKMD4rYPmcifpj-D5uJwCX7OujdxcymsESjJ60eRZndJ30VPOinVQMHvM0jFs4qaJAyzUI_ocuWT-CGR5xfKNLO4TYT9BLDpo7qogLeGc1M1w4f871d-8mJdlzNClZ7HGItK7Uwl7lOh2Hrx4f4hNFfAQQwneRhUt6995CNwlXZI4K1a9raeESj6JNaqxVHahX_6ez4DvkhhLBQ","e":"AQAB","x5c":["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"],"x5t":"-Tw2ZT-8xiH4WmiT_7G-8FmZfqw","x5t#S256":"e4TYV-hdJEBwhJHCWvZRBmaCDSnlMJY_0vmt1Iz6GdI"}]}
It looks like there is a certificate validation issue but I’m not sure.
I don’t know what to do from here. Any help would be greatly appreciated!
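
The curl (60) "self signed certificate" failure shown in the post can be reproduced offline. The following is an added example, not part of the original post: it creates a throwaway self-signed certificate and verifies it first against the default trust store only, then with the certificate supplied as a trust anchor. The host name `iam.example.test` and all file names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added illustration: nothing here comes from the MOSIP deployment itself.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_self_signed() {
  # Throwaway key and self-signed certificate for a placeholder host name.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=iam.example.test" \
    -keyout "$workdir/key.pem" -out "$workdir/cert.pem" >/dev/null 2>&1
}

verify_default_store() {
  # Same situation as plain `curl https://...`: only the default trust
  # store is consulted, and it does not contain this certificate.
  openssl verify "$workdir/cert.pem" >/dev/null 2>&1
}

verify_reason() {
  # Print OpenSSL's explanation for the rejection (never fails itself).
  openssl verify "$workdir/cert.pem" 2>&1 || true
}

verify_with_anchor() {
  # Same idea as `curl --cacert cert.pem`: the certificate is supplied
  # explicitly as a trust anchor, so verification stays switched on.
  openssl verify -CAfile "$workdir/cert.pem" "$workdir/cert.pem" >/dev/null 2>&1
}

make_self_signed

if verify_default_store; then
  echo "default trust store: accepted"
else
  echo "default trust store: rejected"
  verify_reason
fi

if verify_with_anchor; then
  echo "explicit trust anchor: accepted"
else
  echo "explicit trust anchor: rejected"
fi
```

Unlike `-k`, the second check keeps certificate verification enabled and only changes which certificates are trusted.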