When trying to run Keycloak in production mode using docker compose, the following error occurs:
keycloak | 2023-10-30 15:13:12,276 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
keycloak | 2023-10-30 15:13:12,276 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /etc/x509/https/tls.key
I have followed this guide.
My docker-compose.yaml:
services:
  postgres:
    container_name: postgres_keycloak
    image: postgres:16
    healthcheck:
      test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "root" ]
      timeout: 45s
      interval: 10s
      retries: 10
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./sql:/docker-entrypoint-initdb.d/:ro # enable this if you need to run DB init scripts
    environment:
      POSTGRES_USER: kc
      POSTGRES_PASSWORD: <pass>
      POSTGRES_DB: keycloak
      POSTGRES_HOST: postgres
    networks:
      - keycloak_network
  keycloak:
    container_name: keycloak
    healthcheck:
      # "-fsS" needs its leading dash (the original "fsS" would be treated by curl as a URL);
      # the health endpoints only exist when health-enabled=true (KC_HEALTH_ENABLED) was set
      # at build time and, in 22.x, they sit under KC_HTTP_RELATIVE_PATH
      test: [ "CMD", "curl", "--head", "-fsS", "http://localhost:8080/health/ready" ]
      interval: 5s
      timeout: 2s
      retries: 15
    build:
      context: .
      args:
        KEYCLOAK_VERSION: 22.0.0
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: <pass>
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/keycloak
      KC_DB_USERNAME: kc
      KC_DB_PASSWORD: <pass>
      KC_HOSTNAME: <domain>
      KC_HTTP_RELATIVE_PATH: /auth
      KC_PROXY: passthrough
      KC_HTTPS_CERTIFICATE_FILE: /etc/x509/https/tls.crt
      KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/x509/https/tls.key
    ports:
      - "9090:8080"
    networks:
      - keycloak_network
    command:
      # one argv element per list item; "start --optimized" as a single item is passed as one argument
      - start
      - --optimized
    volumes:
      # read-only is sufficient; the host files must still be readable by the UID Keycloak
      # runs as inside the container (1000 in the official image)
      - ./certs/fullchain.pem:/etc/x509/https/tls.crt:ro
      - ./certs/privkey.pem:/etc/x509/https/tls.key:ro
volumes:
  postgres_data:
networks:
  keycloak_network:
    driver: bridge
As far as I understand this is a file permission problem or the files are not mounted correctly. How can I solve this?
2 Answers
I bypassed this problem by using nginx as a reverse proxy and setting KC_HOSTNAME_STRICT_HTTPS: false. https://www.keycloak.org/server/reverseproxy

The issue must be a permission problem.
So, you have to check the user permissions for your certificate or key location. Just try to view the file.
To execute the above command, you have to do the following two steps:
Now, after that, just try this command for the private key located on the host:
After this, just try the same command above to cat the key file. Now the permission issue is solved!
Now you can bring down the container (using the compose file) and change the command from start-dev to start or start --optimized, and bring the container up again (using the compose file). Now check the logs of the Keycloak container and you will see there is no error log.
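The check the second answer describes (does the user Keycloak runs as have read access to the mounted certificate and key?) can be scripted before starting the stack. The following bash script is an added example, not code from the question or either answer. It assumes the official quay.io/keycloak/keycloak image, which runs as uid 1000 with gid 0 (override KC_UID/KC_GID for a custom Dockerfile or a user-namespace-remapped daemon), and it takes the compose file's host paths ./certs/fullchain.pem and ./certs/privkey.pem as arguments. It also flags the other common cause of this error: a missing bind-mount source, which Docker creates on the host as an empty directory, so the container then sees a directory where tls.key should be.

```shell
#!/usr/bin/env bash
# Added example: report why Keycloak (running as KC_UID inside the container)
# cannot open the files bind-mounted to /etc/x509/https/tls.crt and tls.key.
# KC_UID=1000 / KC_GID=0 are assumptions matching the official Keycloak image.
set -eu

KC_UID="${KC_UID:-1000}"
KC_GID="${KC_GID:-0}"

# file_readable_by FILE UID GID
# Returns 0 if the owner/group/other mode bits let UID (with primary group GID)
# read FILE, 1 otherwise. Mirrors the kernel's DAC check except that
# supplementary groups and POSIX ACLs are not consulted; uid 0 reads anything.
file_readable_by() {
  local f="$1" uid="$2" gid="$3" out mode owner group m bit
  [ -f "$f" ] || return 1
  # GNU stat first, BSD/macOS stat as fallback
  out=$(stat -c '%a %u %g' "$f" 2>/dev/null) || out=$(stat -f '%Lp %u %g' "$f")
  set -- $out
  mode=$1 owner=$2 group=$3
  m=$(( 8#$mode & 0777 ))   # keep rwx bits only, drop setuid/setgid/sticky
  if [ "$uid" -eq 0 ]; then
    return 0
  elif [ "$uid" -eq "$owner" ]; then
    bit=$(( (m >> 6) & 4 ))
  elif [ "$gid" -eq "$group" ]; then
    bit=$(( (m >> 3) & 4 ))
  else
    bit=$(( m & 4 ))
  fi
  [ "$bit" -ne 0 ]
}

# check_tls_mounts FILE...
# Prints one diagnosis line per bind-mount source; returns 0 only when every
# file is a regular file readable by KC_UID/KC_GID.
check_tls_mounts() {
  local rc=0 f
  for f in "$@"; do
    if [ ! -e "$f" ]; then
      echo "MISSING  $f  (Docker creates a missing bind source as an empty directory, so the container sees a directory, not a key)"
      rc=1
    elif [ ! -f "$f" ]; then
      echo "NOTFILE  $f  (not a regular file)"
      rc=1
    elif file_readable_by "$f" "$KC_UID" "$KC_GID"; then
      echo "OK       $f"
    else
      echo "DENIED   $f  (not readable by uid $KC_UID / gid $KC_GID; give the container a copy owned by $KC_UID with mode 0400 rather than loosening the live key)"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./check_tls_mounts.sh ./certs/fullchain.pem ./certs/privkey.pem
[ "$#" -eq 0 ] || check_tls_mounts "$@"
```

A certbot-style privkey.pem is normally root-owned with mode 0600, so with the default uid 1000 the script reports DENIED for exactly the file named in the ERROR line of the question. The fix the second answer arrives at (make the key readable to the container's user, then restart with start or start --optimized) is what the DENIED line points at; chowning a copy for the container keeps the original key's permissions untouched.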