Keycloak run with docker compose unable to access https certificate

linusum
November 20, 2023
140 views
1 vote
2 Answers

When trying to run Keycloak in production mode using docker compose, the following error occurs:

keycloak  | 2023-10-30 15:13:12,276 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
keycloak  | 2023-10-30 15:13:12,276 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /etc/x509/https/tls.key

I have followed this guide.

My docker-compose.yaml:

services:
  postgres:
    container_name: postgres_keycloak
    image: postgres:16
    healthcheck:
      test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "root" ]
      timeout: 45s
      interval: 10s
      retries: 10
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./sql:/docker-entrypoint-initdb.d/:ro # turn it on, if you need run init DB
    environment:
      POSTGRES_USER: kc
      POSTGRES_PASSWORD: <pass>
      POSTGRES_DB: keycloak
      POSTGRES_HOST: postgres
    networks:
      - keycloak_network

  keycloak:
    container_name: keycloak
    healthcheck:
      test: [ "CMD", "curl", "--head","fsS", "http://localhost:8080/health/ready" ]
      interval: 5s
      timeout: 2s
      retries: 15
    build:
      context: .
      args:
        KEYCLOAK_VERSION: 22.0.0
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: <pass>
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/keycloak
      KC_DB_USERNAME: kc
      KC_DB_PASSWORD: <pass>
      KC_HOSTNAME: <domain>
      KC_HTTP_RELATIVE_PATH: /auth
      KC_PROXY: passthrough
      KC_HTTPS_CERTIFICATE_FILE: /etc/x509/https/tls.crt
      KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/x509/https/tls.key
    ports:
      - "9090:8080"
    networks:
      - keycloak_network
    command:
      - start --optimized
    volumes:
      - ./certs/fullchain.pem:/etc/x509/https/tls.crt
      - ./certs/privkey.pem:/etc/x509/https/tls.key

volumes:
  postgres_data:

networks:
  keycloak_network:
    driver: bridge

As far as I understand this is a file permission problem or the files are not mounted correctly. How can I solve this?

Answers

Chosen as BEST ANSWER
- linusum
- November 3, 2023 at 11:15 am
- 0 votes
0
I bypassed this problem by using nginx as a reversed proxy and setting KC_HOSTNAME_STRICT_HTTPS: false. https://www.keycloak.org/server/reverseproxy

(Edit)

- Ke_Sandaru
- November 20, 2023 at 5:44 pm
- 0 votes
0
The issue must be a permission problem.

So, you have to check the user permission for your certificate or key location. Just try to view the file.
```
# docker exec -it <container_id> cat /etc/x509/https/tls.key
cat: /etc/x509/https/tls.key: Permission denied
```
To execute above command, you have to do following two steps:
1. run the container in start-dev (development mode).
2. with volume which has included tls.key
Now after that, just try this command for Private Key located on Host:
```
chmod -R 644 /etc/privt/certs/tls.key
```
After this, just try above same command to cat the key file.
```
# docker exec -it <container_id> cat /etc/x509/https/tls.key

-----BEGIN CERTIFICATE-----
MIIGLTCCBRWgAwIBAgIRAMvuTcdhvfdlv....
```
Now the permission issue is solved!

Now you can can down the container (using compose file) and change the command from start-dev to start or start --optimized and again up the container (using compose file).

Now check the logs of Keycloak container and you see there is no error log.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.