keycloak: LDAPS Bind test fails with SSLHandshakeException while LDAP connection test works
Describe the bug
We are using the jboss/keycloak-docker image. We are trying to connect to an LDAP server (LDAP+TLS, port 636, not STARTTLS), an AD verified by a certificate signed by an internal CA. We import the CA certificates using the X509_CA_BUNDLE argument, and this appears to work, as both keycloak_tls_truststore_password and keycloak_tls_truststore_file are written to /opt/jboss/keycloak/bin/.jbossclirc
When testing an ldaps://ad.example.com URL in the User Federation setup, the Test connection test works, while Test authentication fails with a TLS/PKI error:
16:34:13,688 ERROR [org.keycloak.services] (default task-13) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: ad.example.com:636: javax.naming.CommunicationException: simple bind failed: ha
voc.cert.no:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested
target]
...
Version
15.1.1 (jboss/keycloak:15.1.1)
Expected behavior
Either
- The authentication test not to fail on a TLS error, since the connection test works, or
- The connection test to fail with the same TLS error as the authentication test
Actual behavior
The authentication test fails with a TLS error that was not expected since the connection test worked.
How to Reproduce?
Use a non-public CA for an LDAPS endpoint, import the CA certificate, and set up and test the connection in Keycloak.
Anything else?
No response
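The gap the report describes is between reachability and trust: a bare TCP connect to port 636 succeeds whether or not the JVM trusts the server certificate, while a bind needs a TLS handshake whose chain validates against the imported CA bundle. The following diagnostic is an added example, not code from the issue or from Keycloak; it parses the KC-SERVICES0055 line from the report (constructed sample, placeholder host) and probes both conditions separately, assuming a hypothetical CA bundle path supplied by the caller.

```python
import re
import socket
import ssl

# Constructed sample modelled on the KC-SERVICES0055 line in the issue (placeholder host).
SAMPLE_LOG = ("16:34:13,688 ERROR [org.keycloak.services] (default task-13) KC-SERVICES0055: "
              "Error when authenticating to LDAP: simple bind failed: ad.example.com:636: "
              "javax.naming.CommunicationException: simple bind failed: ad.example.com:636 "
              "[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: "
              "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid "
              "certification path to requested target]")
_BIND_RE = re.compile(r"simple bind failed: (?P<host>[\w.-]+):(?P<port>\d+).*?"
                      r"\[Root exception is (?P<root>[\w.]+Exception)")

def parse_bind_error(line):
    """Extract host, port and root exception from a bind-failure log line, or None."""
    m = _BIND_RE.search(line)
    if not m:
        return None
    return {"host": m["host"], "port": int(m["port"]), "root": m["root"],
            "pkix": "PKIX path building failed" in line}

def build_context(ca_bundle):
    """Client context that trusts only chains rooted in the given CA bundle (hypothetical path)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + hostname check by default
    return ctx

def check_tcp(host, port, timeout=5):
    """What a bare 'Test connection' proves: the port answers. Says nothing about trust."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_tls(host, port, ctx, timeout=5):
    """What a bind needs: a handshake whose chain validates. None on success, else the error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except (ssl.SSLError, OSError) as exc:
        return str(exc)

def diagnose(tcp_ok, tls_error):
    """Map the two probe results onto the situation the issue describes."""
    if not tcp_ok:
        return "unreachable: both the connection test and the bind fail"
    if tls_error is None:
        return "ok: chain validates against the bundle, bind should succeed"
    return "reachable but untrusted: connection test passes, bind fails (" + tls_error + ")"
```

Run `diagnose(check_tcp(h, p), check_tls(h, p, build_context("/path/to/ca-bundle.pem")))` against the host and port parsed from the log line; a "reachable but untrusted" result means the bundle the JVM client actually uses does not contain the issuing CA.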
About this issue
- State: closed
- Created 3 years ago
- Comments: 18 (8 by maintainers)
Commits related to this issue
- Remove ldapsOnly (Java) Closes: #9313 — committed to hmlnarik/keycloak by hmlnarik a year ago
- Remove ldapsOnly (console and docs) Closes: #9313 — committed to hmlnarik/keycloak by hmlnarik a year ago
- Remove ldapsOnly (Java) In `LDAPConstants.java`, the function to set the Truststore SPI system property was removed, as this is now handled by the `shouldUseTruststoreSpi` method in `LdapUtil`. Clos... — committed to keycloak/keycloak by hmlnarik a year ago
- Remove ldapsOnly (console and docs) Closes: #9313 — committed to keycloak/keycloak by hmlnarik a year ago
Hi @pberswe - thanks for sharing the context. It seems to me that this would better be a question on the Keycloak user mailing list or the GitHub discussions up until the point where you think this is a bug. Once you think there is a bug, open a new GitHub issue as it sounds unrelated to this issue.
What are the further steps, how to resolve it?