So I want to use a Keycloak instance inside a Docker container, proxied by Nginx.
I want my Keycloak server to use HTTPS. For some reason, I get "Connection not secure in the browser" even though I followed the steps for using SSL.
https://hub.docker.com/r/jboss/keycloak/
Keycloak image allows you to specify both a private key and a certificate for serving HTTPS over port 8443. In that case you need to provide two files:
tls.crt - a certificate
tls.key - a private key
Those files need to be mounted in /etc/x509/https directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it. NOTE: When using volume mounts in containers the files will be mounted in the container as owned by root, as the default permission on the keyfile will most likely be 700 it will result in an empty keystore. You will either have to make the key world readable or extend the image to add the keys with the appropriate owner.
My Keycloak container looks like this inside the docker-compose:
keycloak:
depends_on:
- mediere-api
container_name: best-keycloak
image: jboss/keycloak:${KEYCLOAK_VERSION}
restart: unless-stopped
env_file:
- .env
volumes:
- ../../mediere-react/certs/fullchain.pem:/etc/x509/https/tls.crt
- ../../mediere-react/certs/privkey.pem:/etc/x509/https/tls.key
expose:
- "8443"
.env
KEYCLOAK_VERSION=16.1.0
KEYCLOAK_HTTPS_PORT= 8443
PROXY_ADDRESS_FORWARDING=true
nginx
upstream keycloak_backend {
server keycloak:8443;
}
server {
listen 443 ssl;
server_name auth.mywebserver.com;
ssl_certificate /etc/nginx/certs/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/nginx/certs/privkey.pem; # managed by Certbot
location /auth/ {
proxy_pass "https://keycloak_backend/auth/";
}
location /auth/admin {
proxy_pass "https://keycloak_backend/auth/admin";
}
}
Container logs
11:24:09,710 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: Keycloak 16.1.0 (WildFly Core 18.0.0.Final) starting
11:24:09,928 INFO [org.jboss.vfs] (MSC service thread 1-1) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-18.0.0.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
11:24:11,689 INFO [org.wildfly.security] (ServerService Thread Pool -- 19) ELY00001: WildFly Elytron version 1.18.1.Final
11:24:14,254 WARN [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/jboss/keycloak/standalone/configuration/application.keystore' does not exist. Used blank.
11:24:14,282 WARN [org.wildfly.extension.elytron] (MSC service thread 1-1) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
11:24:14,440 INFO [org.jboss.as.patching] (MSC service thread 1-2) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
11:24:14,729 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
11:24:14,741 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 16.1.0 (WildFly Core 18.0.0.Final) started in 5609ms - Started 49 of 72 services (24 services are lazy, passive or on-demand)
The batch executed successfully
11:24:15,163 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 16.1.0 (WildFly Core 18.0.0.Final) stopped in 33ms
11:24:17,976 INFO [org.jboss.modules] (CLI command executor) JBoss Modules version 2.0.0.Final
11:24:18,110 INFO [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.13.Final
11:24:18,126 INFO [org.jboss.threads] (CLI command executor) JBoss Threads version 2.4.0.Final
11:24:18,356 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 16.1.0 (WildFly Core 18.0.0.Final) starting
11:24:18,512 INFO [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-18.0.0.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
11:24:20,262 INFO [org.wildfly.security] (ServerService Thread Pool -- 21) ELY00001: WildFly Elytron version 1.18.1.Final
11:24:23,068 WARN [org.wildfly.extension.elytron] (MSC service thread 1-1) WFLYELY00023: KeyStore file '/opt/jboss/keycloak/standalone/configuration/application.keystore' does not exist. Used blank.
11:24:23,093 WARN [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
11:24:23,213 INFO [org.jboss.as.patching] (MSC service thread 1-1) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
11:24:23,523 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
11:24:23,533 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 16.1.0 (WildFly Core 18.0.0.Final) started in 5533ms - Started 49 of 79 services (31 services are lazy, passive or on-demand)
The batch executed successfully
11:24:23,951 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 16.1.0 (WildFly Core 18.0.0.Final) stopped in 31ms
Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
=========================================================================
JBoss Bootstrap Environment
JBOSS_HOME: /opt/jboss/keycloak
JAVA: java
JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.desktop/sun.awt=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.management/javax.management=ALL-UNNAMED --add-opens=java.naming/javax.naming=ALL-UNNAMED
=========================================================================
11:24:46,662 INFO [org.jboss.modules] (main) JBoss Modules version 2.0.0.Final
11:24:48,087 INFO [org.jboss.msc] (main) JBoss MSC version 1.4.13.Final
11:24:48,135 INFO [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final
11:24:48,440 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 16.1.0 (WildFly Core 18.0.0.Final) starting
11:24:48,629 INFO [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-18.0.0.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
11:24:50,529 INFO [org.wildfly.security] (ServerService Thread Pool -- 21) ELY00001: WildFly Elytron version 1.18.1.Final
11:24:53,539 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
11:24:53,592 INFO [org.xnio] (MSC service thread 1-2) XNIO version 3.8.5.Final
11:24:53,620 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO Implementation Version 3.8.5.Final
11:24:53,734 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 5.0.23.Final
11:24:53,790 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 42) WFLYCLJG0001: Activating JGroups subsystem. JGroups version 4.2.11
11:24:53,797 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
11:24:53,781 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 53) WFLYTX0013: The node-identifier attribute on the /subsystem=transactions is set to the default value. This is a danger for environments running multiple servers. Please make sure the attribute value is unique.
11:24:53,873 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 38) WFLYCLINF0001: Activating Infinispan subsystem.
11:24:53,850 INFO [org.jboss.as.jaxrs] (ServerService Thread Pool -- 40) WFLYRS0016: RESTEasy version 4.7.4.Final
11:24:53,911 INFO [org.wildfly.extension.health] (ServerService Thread Pool -- 37) WFLYHEALTH0001: Activating Base Health Subsystem
11:24:53,929 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 39) WFLYIO001: Worker 'default' has auto-configured to 2 IO threads with 16 max task threads based on your 1 available processors
11:24:53,979 INFO [org.wildfly.extension.metrics] (ServerService Thread Pool -- 47) WFLYMETRICS0001: Activating Base Metrics Subsystem
11:24:54,168 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 32) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.4)
11:24:54,170 INFO [org.jboss.as.connector] (MSC service thread 1-1) WFLYJCA0009: Starting Jakarta Connectors Subsystem (WildFly/IronJacamar 1.5.3.Final)
11:24:54,330 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 32) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 42.2)
11:24:54,593 WARN [org.wildfly.clustering.web.undertow] (ServerService Thread Pool -- 54) WFLYCLWEBUT0007: No routing provider found for default-server; using legacy provider based on static configuration
11:24:54,571 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2
11:24:54,600 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = postgresql
11:24:54,602 INFO [org.jboss.as.naming] (MSC service thread 1-1) WFLYNAM0003: Starting Naming Service
11:24:54,628 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 2.2.14.Final starting
11:24:54,656 INFO [org.jboss.as.mail.extension] (MSC service thread 1-1) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
11:24:54,755 INFO [org.jboss.as.ejb3] (MSC service thread 1-2) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 16 (per class), which is derived from thread worker pool sizing.
11:24:54,765 INFO [org.jboss.as.ejb3] (MSC service thread 1-1) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 4 (per class), which is derived from the number of CPUs on this host.
11:24:54,806 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 54) WFLYUT0014: Creating file handler for path '/opt/jboss/keycloak/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
11:24:55,293 WARN [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/jboss/keycloak/standalone/configuration/application.keystore' does not exist. Used blank.
11:24:56,018 WARN [org.wildfly.extension.elytron] (MSC service thread 1-1) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
11:24:56,113 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0012: Started server default-server.
11:24:56,550 INFO [org.jboss.as.patching] (MSC service thread 1-1) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
11:24:56,554 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) Queuing requests.
11:24:56,557 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0018: Host default-host starting
11:24:56,653 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on 0.0.0.0:8009
11:24:56,658 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener default listening on 0.0.0.0:8080
11:24:56,706 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-1) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/jboss/keycloak/standalone/deployments
11:24:56,773 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
11:24:56,785 INFO [org.jboss.as.ejb3] (MSC service thread 1-1) WFLYEJB0493: Jakarta Enterprise Beans subsystem suspension complete
11:24:56,853 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 56) MODCLUSTER000001: Initializing mod_cluster version 1.4.4.Final
11:24:56,883 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 56) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
11:24:57,026 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTPS listener https listening on 0.0.0.0:8443
11:24:57,238 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
11:24:57,239 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
11:24:58,267 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 56) JGRP000015: the receive buffer of socket ManagedMulticastSocketBinding was set to 20.00MB, but the OS only allocated 12.58MB
11:24:58,270 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 56) JGRP000015: the receive buffer of socket ManagedMulticastSocketBinding was set to 25.00MB, but the OS only allocated 12.58MB
11:25:01,302 INFO [org.jgroups.protocols.pbcast.GMS] (ServerService Thread Pool -- 56) e1768863cdfb: no members discovered after 3007 ms: creating cluster as coordinator
11:25:02,944 INFO [org.infinispan.CONTAINER] (ServerService Thread Pool -- 60) ISPN000556: Starting user marshaller 'org.wildfly.clustering.infinispan.marshalling.jboss.JBossMarshaller'
11:25:02,942 INFO [org.infinispan.CONTAINER] (ServerService Thread Pool -- 58) ISPN000128: Infinispan version: Infinispan 'Taedonggang' 12.1.7.Final
11:25:02,946 INFO [org.infinispan.CONTAINER] (ServerService Thread Pool -- 57) ISPN000556: Starting user marshaller 'org.wildfly.clustering.infinispan.spi.marshalling.InfinispanProtoStreamMarshaller'
11:25:02,947 INFO [org.infinispan.CONTAINER] (ServerService Thread Pool -- 56) ISPN000556: Starting user marshaller 'org.wildfly.clustering.infinispan.spi.marshalling.InfinispanProtoStreamMarshaller'
11:25:02,957 INFO [org.infinispan.CONTAINER] (ServerService Thread Pool -- 58) ISPN000556: Starting user marshaller 'org.wildfly.clustering.infinispan.spi.marshalling.InfinispanProtoStreamMarshaller'
11:25:03,032 INFO [org.infinispan.CONTAINER] (ServerService Thread Pool -- 59) ISPN000556: Starting user marshaller 'org.wildfly.clustering.infinispan.marshalling.jboss.JBossMarshaller'
11:25:03,308 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 56) ISPN000078: Starting JGroups channel ejb
11:25:03,304 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 58) ISPN000078: Starting JGroups channel ejb
11:25:03,314 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 60) ISPN000078: Starting JGroups channel ejb
11:25:03,314 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 57) ISPN000078: Starting JGroups channel ejb
11:25:03,315 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 59) ISPN000078: Starting JGroups channel ejb
11:25:03,328 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 59) ISPN000094: Received new cluster view for channel ejb: [e1768863cdfb|0] (1) [e1768863cdfb]
11:25:03,330 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 58) ISPN000094: Received new cluster view for channel ejb: [e1768863cdfb|0] (1) [e1768863cdfb]
11:25:03,330 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 60) ISPN000094: Received new cluster view for channel ejb: [e1768863cdfb|0] (1) [e1768863cdfb]
11:25:03,342 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 56) ISPN000094: Received new cluster view for channel ejb: [e1768863cdfb|0] (1) [e1768863cdfb]
11:25:03,356 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 59) ISPN000079: Channel ejb local address is e1768863cdfb, physical addresses are [192.168.16.5:55200]
11:25:03,363 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 56) ISPN000079: Channel ejb local address is e1768863cdfb, physical addresses are [192.168.16.5:55200]
11:25:03,379 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 60) ISPN000079: Channel ejb local address is e1768863cdfb, physical addresses are [192.168.16.5:55200]
11:25:03,387 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 57) ISPN000094: Received new cluster view for channel ejb: [e1768863cdfb|0] (1) [e1768863cdfb]
11:25:03,395 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 58) ISPN000079: Channel ejb local address is e1768863cdfb, physical addresses are [192.168.16.5:55200]
11:25:03,421 INFO [org.infinispan.CLUSTER] (ServerService Thread Pool -- 57) ISPN000079: Channel ejb local address is e1768863cdfb, physical addresses are [192.168.16.5:55200]
11:25:03,509 INFO [org.infinispan.CONFIG] (MSC service thread 1-1) ISPN000152: Passivation configured without an eviction policy being selected. Only manually evicted entities will be passivated.
11:25:03,520 INFO [org.infinispan.CONFIG] (MSC service thread 1-1) ISPN000152: Passivation configured without an eviction policy being selected. Only manually evicted entities will be passivated.
11:25:04,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started http-remoting-connector cache from ejb container
11:25:05,148 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0002: Started work cache from keycloak container
11:25:05,144 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0002: Started offlineClientSessions cache from keycloak container
11:25:05,160 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started actionTokens cache from keycloak container
11:25:05,204 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0002: Started loginFailures cache from keycloak container
11:25:05,219 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started clientSessions cache from keycloak container
11:25:05,225 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 68) WFLYCLINF0002: Started sessions cache from keycloak container
11:25:05,240 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 67) WFLYCLINF0002: Started authenticationSessions cache from keycloak container
11:25:05,253 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started offlineSessions cache from keycloak container
11:25:05,299 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started users cache from keycloak container
11:25:05,302 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started keys cache from keycloak container
11:25:05,306 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realms cache from keycloak container
11:25:05,308 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started authorization cache from keycloak container
11:25:05,654 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0273: Excluded subsystem webservices via jboss-deployment-structure.xml does not exist.
11:25:06,542 INFO [org.keycloak.services] (ServerService Thread Pool -- 56) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
11:25:07,203 INFO [org.keycloak.url.DefaultHostnameProviderFactory] (ServerService Thread Pool -- 56) Frontend: <request>, Admin: <frontend>, Backend: <request>
11:25:08,420 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realmRevisions cache from keycloak container
11:25:08,447 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started userRevisions cache from keycloak container
11:25:08,467 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
11:25:08,473 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 56) Node name: e1768863cdfb, Site name: null
11:25:14,856 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 56) HHH000204: Processing PersistenceUnitInfo [
name: keycloak-default
...]
11:25:15,030 INFO [org.hibernate.Version] (ServerService Thread Pool -- 56) HHH000412: Hibernate Core {5.3.24.Final}
11:25:15,037 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 56) HHH000206: hibernate.properties not found
11:25:15,455 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 56) HCANN000001: Hibernate Commons Annotations {5.0.5.Final}
11:25:15,910 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 56) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL95Dialect
11:25:16,411 INFO [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl] (ServerService Thread Pool -- 56) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
11:25:16,427 INFO [org.hibernate.type.BasicTypeRegistry] (ServerService Thread Pool -- 56) HHH000270: Type registration [java.util.UUID] overrides previous : org.hibernate.type.UUIDBinaryType@2851ff1a
11:25:16,448 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 56) Envers integration enabled? : true
11:25:17,248 INFO [org.hibernate.orm.beans] (ServerService Thread Pool -- 56) HHH10005002: No explicit CDI BeanManager reference was passed to Hibernate, but CDI is available on the Hibernate ClassLoader.
11:25:17,884 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 56) HV000001: Hibernate Validator 6.0.22.Final
11:25:21,348 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 56) HHH000397: Using ASTQueryTranslatorFactory
11:25:23,142 INFO [org.keycloak.services] (ServerService Thread Pool -- 56) KC-SERVICES0006: Importing users from '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'
11:25:23,494 WARN [org.keycloak.services] (ServerService Thread Pool -- 56) KC-SERVICES0104: Not creating user octavianadmin. It already exists.
11:25:24,396 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002225: Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
11:25:24,399 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002205: Adding provider class org.keycloak.services.filters.KeycloakSecurityHeadersFilter from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,410 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002200: Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,412 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002205: Adding provider class org.keycloak.services.error.KeycloakErrorHandler from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,413 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002200: Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,415 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,415 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,416 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,417 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002210: Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,418 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 56) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.RobotsResource from Application class org.keycloak.services.resources.KeycloakApplication
11:25:24,601 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 56) WFLYUT0021: Registered web context: '/auth' for server 'default-server'
11:25:24,818 INFO [org.jboss.as.server] (ServerService Thread Pool -- 45) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
11:25:25,005 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
11:25:25,018 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 16.1.0 (WildFly Core 18.0.0.Final) started in 394
54ms - Started 678 of 979 services (696 services are lazy, passive or on-demand)
11:25:25,024 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
11:25:25,026 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
What’s really strange for me is this error:
11:24:14,254 WARN [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/jboss/keycloak/standalone/configuration/application.keystore' does not exist. Used blank.
11:24:14,282 WARN [org.wildfly.extension.elytron] (MSC service thread 1-1) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost
At the end of the file, http is shown (not https). I want to disable all HTTP and have everything on HTTPS.
The actual config works right now, but I get connection not secure, while I’m using the same SSL certificate for the main domain and it works fine there.(example.com, while keycloak points at auth.example.com)
So I suspect this might be something related to keycloak.
Can anybody help me fix "connection not secure?"
Thanks.
2
Answers
The problem was that I was using the same certificate for both my domain and subdomain and it wasn't a wildcard certificate. :(
Generating another certificate for my subdomain fixed it.
It seems to me you mounted volumes onto the path where Keycloak expects the private key and certificate files. That may result in directories being created on that level, and Keycloak cannot load the files as expected.
Try placing both files into one directory, then mount that directory.
In any case verify by going into the container and check the available files.