
When trying to run Keycloak in production mode using docker compose, the following error occurs:

keycloak  | 2023-10-30 15:13:12,276 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
keycloak  | 2023-10-30 15:13:12,276 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /etc/x509/https/tls.key

I have followed this guide.

My docker-compose.yaml:

services:
  postgres:
    container_name: postgres_keycloak
    image: postgres:16
    healthcheck:
      test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "root" ]
      timeout: 45s
      interval: 10s
      retries: 10
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./sql:/docker-entrypoint-initdb.d/:ro # enable this if you need to run DB init scripts
    environment:
      POSTGRES_USER: kc
      POSTGRES_PASSWORD: <pass>
      POSTGRES_DB: keycloak
      POSTGRES_HOST: postgres
    networks:
      - keycloak_network

  keycloak:
    container_name: keycloak
    healthcheck:
      # "-fsS" was missing its dash; curl treated "fsS" as a second URL.
      # Note: Keycloak only serves /health/* when KC_HEALTH_ENABLED=true, and
      # with KC_HTTP_RELATIVE_PATH=/auth the endpoint sits under /auth/.
      test: [ "CMD", "curl", "--head", "-fsS", "http://localhost:8080/health/ready" ]
      interval: 5s
      timeout: 2s
      retries: 15
    build:
      context: .
      args:
        KEYCLOAK_VERSION: 22.0.0
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: <pass>
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/keycloak
      KC_DB_USERNAME: kc
      KC_DB_PASSWORD: <pass>
      KC_HOSTNAME: <domain>
      KC_HTTP_RELATIVE_PATH: /auth
      KC_PROXY: passthrough
      KC_HTTPS_CERTIFICATE_FILE: /etc/x509/https/tls.crt
      KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/x509/https/tls.key
    ports:
      - "9090:8080"
    networks:
      - keycloak_network
    command:
      # list form: each argument is its own item, otherwise "start --optimized"
      # is passed to kc.sh as a single argument
      - start
      - --optimized
    volumes:
      - ./certs/fullchain.pem:/etc/x509/https/tls.crt
      - ./certs/privkey.pem:/etc/x509/https/tls.key

volumes:
  postgres_data:

networks:
  keycloak_network:
    driver: bridge

As far as I understand, this is a file permission problem, or the files are not mounted correctly. How can I solve this?

2 Answers


  1. Chosen as BEST ANSWER

    I bypassed this problem by using nginx as a reverse proxy and setting KC_HOSTNAME_STRICT_HTTPS: false. https://www.keycloak.org/server/reverseproxy


  2. The issue must be a permission problem.

    So, you have to check the user permission for your certificate or key location. Just try to view the file.

    # docker exec -it <container_id> cat /etc/x509/https/tls.key
    cat: /etc/x509/https/tls.key: Permission denied
    

    To execute the above command, you have to do the following two steps:

    1. run the container in start-dev (development mode).
    2. with the volume that includes tls.key

    Now, after that, just try this command for the private key located on the host:

    chmod -R 644 /etc/privt/certs/tls.key
    

    After this, just try the same command as above to cat the key file.

    # docker exec -it <container_id> cat /etc/x509/https/tls.key
    
    -----BEGIN CERTIFICATE-----
    MIIGLTCCBRWgAwIBAgIRAMvuTcdhvfdlv....
    

    Now the permission issue is solved!

    Now you can bring the container down (using the compose file), change the command from start-dev to start or start --optimized, and bring the container up again (using the compose file).

    Now check the logs of the Keycloak container and you will see there is no error log.

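Both the question's suspicion (permission problem versus a bad mount) and the second answer's manual check (cat the key from inside the container) can be settled on the host before the stack is started. The script below is an added example, not code from the thread or from the Keycloak project. It assumes a Linux host with GNU stat and that the Keycloak process runs as uid 1000 inside the container (the "keycloak" user of the official image; set KC_UID if yours differs). It reproduces the kernel's read check for that uid against the host file you bind-mount to /etc/x509/https/tls.key, and its fix grants owner-only read access (chown to the container uid plus mode 0400) instead of the world-readable 644 used in the answer, so other processes on the host cannot read the private key either.

```shell
#!/bin/sh
# Added example (not from the original thread). Predicts whether the container
# user will be able to read a bind-mounted TLS private key, then hardens it.
# Assumptions: GNU stat (Linux host); container uid 1000 unless KC_UID is set.
set -eu

KC_UID="${KC_UID:-1000}"   # assumed uid of the keycloak process in the container

# perm_bits FILE -> last three octal digits of the mode, e.g. "600"
# (setuid/setgid/sticky digit dropped).
perm_bits() {
  mode=$(stat -c '%a' "$1")
  printf '%s' "${mode#"${mode%???}"}"
}

# key_readable_by FILE UID -> prints yes|no
# Mirrors the kernel's class selection: owner bits if UID owns the file,
# otherwise the "other" bits. Group membership is deliberately ignored: the
# container user is normally not in any host group, so group-only read access
# is reported as "no", which is the conservative answer. Root reads anything.
key_readable_by() {
  f=$1; uid=$2
  if [ ! -e "$f" ]; then echo "no"; return 0; fi   # mount source missing
  if [ "$uid" -eq 0 ]; then echo "yes"; return 0; fi
  perms=$(perm_bits "$f")
  owner_uid=$(stat -c '%u' "$f")
  if [ "$owner_uid" -eq "$uid" ]; then
    digit=${perms%??}      # owner digit
  else
    digit=${perms#??}      # "other" digit
  fi
  if [ $(( digit & 4 )) -ne 0 ]; then echo "yes"; else echo "no"; fi
}

# harden_key FILE UID -> prints yes|no (readability by UID afterwards)
# Least-privilege fix: the key becomes readable by exactly UID (mode 0400,
# owned by UID). chown needs root on the host; without it only the mode is
# changed and the remaining step is reported on stderr.
harden_key() {
  f=$1; uid=$2
  chmod 0400 "$f"
  if [ "$(id -u)" -eq 0 ]; then
    chown "$uid" "$f"
  else
    echo "note: not root; still required: sudo chown $uid $f" >&2
  fi
  key_readable_by "$f" "$uid"
}

# Usage: sh tlskey-check.sh ./certs/privkey.pem  (the host path mounted as tls.key)
# With no argument a constructed sample file stands in for the key.
main() {
  if [ $# -gt 0 ]; then
    key=$1
  else
    tmp=$(mktemp -d)
    key=$tmp/privkey.pem
    # constructed placeholder content, not a real key
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE-NOT-A-KEY\n-----END PRIVATE KEY-----\n' > "$key"
    chmod 0600 "$key"
  fi
  echo "$key: mode $(perm_bits "$key"), readable by uid $KC_UID: $(key_readable_by "$key" "$KC_UID")"
  echo "after harden_key: readable by uid $KC_UID: $(harden_key "$key" "$KC_UID")"
}

main "$@"
```

The "no" case with mode 600 is exactly what the thread hit: a key created on the host as root (or as the Let's Encrypt user) with owner-only permissions is unreadable by uid 1000 in the container, and Keycloak reports the key path as the startup error. Setting the owner to the container uid fixes that without exposing the key to every local user the way 644 does.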