
I can run Keycloak with the following command

./bin/kc.sh start-dev \
  --https-certificate-file=/etc/letsencrypt/live/$HOSTNAME/cert.pem \
  --https-certificate-key-file=/etc/letsencrypt/live/$HOSTNAME/privkey.pem \
  --hostname=$HOSTNAME

This works as expected.

On the same computer, I try to run it using Docker:

docker run -p 80:8080 -p 443:8443 \
  -v /etc/letsencrypt:/etc/letsencrypt:ro \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=change_me \
  -e JAVA_OPTS_APPEND="$JAVA_OPTS_APPEND" \
  quay.io/keycloak/keycloak:latest \
  start-dev \
  --https-certificate-file=/ect/letsencrypt/live/$HOSTNAME/cert.pem \
  --https-certificate-key-file=/ect/letsencrypt/live/$HOSTNAME/privkey.pem \
  --hostname=$HOSTNAME

It fails:

2022-12-23 23:11:59,784 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
2022-12-23 23:11:59,785 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /ect/letsencrypt/live/keycloak.fhir-poc.hcs.us.com/cert.pem
2022-12-23 23:11:59,787 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) Key material not provided to setup HTTPS. Please configure your keys/certificates.

Any suggestions besides a reverse proxy?


Answers


  1. Chosen as BEST ANSWER

    I discovered the answer: letsencrypt certificates in the "live" folder are symlinks to the "archive" folder, and I needed a custom docker image for keycloak to mount my certificates. So I followed the keycloak docs for creating a custom docker image and started a container with that image.

    Following

    https://www.keycloak.org/server/containers

    https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates

    to build a custom image and change the cert permissions.

    Dockerfile

    # Builder stage: prepare /opt/keycloak (admin credentials are only
    # needed at runtime; here they are just build-time defaults)
    FROM quay.io/keycloak/keycloak:latest AS builder

    ENV KEYCLOAK_ADMIN=root
    ENV KEYCLOAK_ADMIN_PASSWORD=change_me

    WORKDIR /opt/keycloak

    # Final image: copy the prepared tree and import the realm export
    FROM quay.io/keycloak/keycloak:latest
    COPY --from=builder /opt/keycloak/ /opt/keycloak/
    COPY kc-export.json /opt/keycloak/kc-export.json
    RUN /opt/keycloak/bin/kc.sh import --file /opt/keycloak/kc-export.json
    # Mount point for the letsencrypt tree (live/ symlinks point into archive/)
    VOLUME [ "/opt/keycloak/certs" ]

    ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

    Then start the container. The whole /etc/letsencrypt tree is mounted at the image's /opt/keycloak/certs volume so that the relative live/ -> archive/ symlinks still resolve inside the container, and the --https-* paths point at that mount:

    docker run -p 8443:8443 \
      -v /etc/letsencrypt:/opt/keycloak/certs:ro \
      -e KEYCLOAK_ADMIN=admin \
      -e KEYCLOAK_ADMIN_PASSWORD=change_me \
      -e JAVA_OPTS_APPEND="$JAVA_OPTS_APPEND" \
      my-keycloak-image:latest \
      start-dev \
      --https-certificate-file=/opt/keycloak/certs/live/$HOSTNAME/cert.pem \
      --https-certificate-key-file=/opt/keycloak/certs/live/$HOSTNAME/privkey.pem \
      --hostname=$HOSTNAME


  2. The problem is based on the linked directory structure of letsencrypt in Linux and the permissions to access these files.

    The letsencrypt linked directory structure works like this:

    • /etc/letsencrypt/live/<your-domain>/*.pem -> /etc/letsencrypt/archive/<your-domain>/*.pem
    1. The problem is the link from the live to the archive folder/file.
    2. The permissions are mostly not correct.

    A quick fix is to create a cert mirror and copy the related files from /etc/letsencrypt/live/<your-domain>/*.pem

    • to a new cert folder like /opt/certs
    • change permissions in /opt/certs to 777: chmod 777 -R /opt/certs
    • create a cron.monthly job in /etc/cron.monthly which copies the files to /opt/certs and sets the permissions correctly every month, so that your cert mirror is always up to date

    This will make your example work. Please keep in mind that permissions like 777 let everyone access this file. You should use the correct permissions in a production environment.
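
A hardened version of the cert-mirror approach from the second answer, added here as an example and not part of either answer: it resolves the live/ symlinks with readlink -f, copies the archive files into a directory you can bind-mount at /opt/keycloak/certs, and keeps the private key at 0640 instead of 777. It assumes GNU coreutils; the example.test domain and the fixture contents are constructed.

```shell
#!/bin/sh
# Hypothetical helper: copy the real files behind certbot's "live" symlinks
# into a mirror directory with tight modes, suitable for a read-only bind
# mount into the Keycloak container.
# Usage: mirror_certs SRC_LETSENCRYPT DEST_DIR DOMAIN
mirror_certs() {
  src="$1"; dst="$2"; domain="$3"
  mkdir -p "$dst/live/$domain" || return 1
  chmod 755 "$dst" "$dst/live" "$dst/live/$domain"
  for name in cert.pem chain.pem fullchain.pem privkey.pem; do
    link="$src/live/$domain/$name"
    [ -e "$link" ] || continue                 # skip files this issuance lacks
    target=$(readlink -f "$link") || return 1  # resolve ../../archive/... symlink
    cp "$target" "$dst/live/$domain/$name" || return 1
    # public certs may be world-readable; the private key is owner/group only
    if [ "$name" = privkey.pem ]; then
      chmod 640 "$dst/live/$domain/$name"
    else
      chmod 644 "$dst/live/$domain/$name"
    fi
  done
}

# Constructed fixture that mimics certbot's layout (no real key material):
# archive/<domain>/<name>1.pem with live/<domain>/<name>.pem symlinked to it.
make_fixture() {
  root="$1"; domain="$2"
  mkdir -p "$root/archive/$domain" "$root/live/$domain"
  for n in cert chain fullchain privkey; do
    printf 'FAKE %s\n' "$n" > "$root/archive/$domain/${n}1.pem"
    ln -s "../../archive/$domain/${n}1.pem" "$root/live/$domain/$n.pem"
  done
}

# Octal mode of a file (GNU stat, falling back to BSD stat).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run mirror_certs from the monthly cron job (or a certbot deploy hook) and mount the destination directory read-only into the container in place of /etc/letsencrypt.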
