Tags: docker, docker-compose, keycloak

Keycloak run with docker compose unable to access https certificate


When trying to run Keycloak in production mode using docker compose, the following error occurs:

keycloak  | 2023-10-30 15:13:12,276 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
keycloak  | 2023-10-30 15:13:12,276 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /etc/x509/https/tls.key

I have followed this guide.

My docker-compose.yaml:

services:
  postgres:
    container_name: postgres_keycloak
    image: postgres:16
    healthcheck:
      test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "root" ]
      timeout: 45s
      interval: 10s
      retries: 10
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./sql:/docker-entrypoint-initdb.d/:ro # enable this if you need to run the DB init scripts
    environment:
      POSTGRES_USER: kc
      POSTGRES_PASSWORD: <pass>
      POSTGRES_DB: keycloak
      POSTGRES_HOST: postgres
    networks:
      - keycloak_network

  keycloak:
    container_name: keycloak
    healthcheck:
      test: [ "CMD", "curl", "--head", "-fsS", "http://localhost:8080/health/ready" ] # needs KC_HEALTH_ENABLED: "true" and curl present in the image
      interval: 5s
      timeout: 2s
      retries: 15
    build:
      context: .
      args:
        KEYCLOAK_VERSION: 22.0.0
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: <pass>
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/keycloak
      KC_DB_USERNAME: kc
      KC_DB_PASSWORD: <pass>
      KC_HOSTNAME: <domain>
      KC_HTTP_RELATIVE_PATH: /auth
      KC_PROXY: passthrough
      KC_HTTPS_CERTIFICATE_FILE: /etc/x509/https/tls.crt
      KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/x509/https/tls.key
    ports:
      - "9090:8080"
    networks:
      - keycloak_network
    command: # each list item is passed as a separate argument
      - start
      - --optimized
    volumes:
      - ./certs/fullchain.pem:/etc/x509/https/tls.crt
      - ./certs/privkey.pem:/etc/x509/https/tls.key

volumes:
  postgres_data:

networks:
  keycloak_network:
    driver: bridge

As far as I understand, this is a file permission problem or the files are not mounted correctly. How can I solve this?


Solution

  • I bypassed this problem by using nginx as a reverse proxy and setting KC_HOSTNAME_STRICT_HTTPS: false. https://www.keycloak.org/server/reverseproxy
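Added example, not part of the answer and not Keycloak's or nginx's own configuration: a compose fragment showing the layout the answer describes, with nginx terminating TLS and Keycloak running in edge proxy mode. It assumes Keycloak 22's option names (KC_PROXY, KC_HTTP_ENABLED, KC_HOSTNAME_STRICT_HTTPS), the same <domain> placeholder and ./certs files as the question, and a Docker Compose version that accepts inline `content:` under `configs:` (older versions need the nginx file bind-mounted from the host instead). The reason this sidesteps the original error: the Keycloak image runs as uid 1000, so a key file that is mode 0600 and root-owned on the host stays unreadable once mounted, whereas the nginx image's master process opens the key as root.

```yaml
# Added example: nginx in front of Keycloak (edge mode). The postgres service,
# the postgres_data volume and the keycloak build/healthcheck/depends_on entries
# are unchanged from the question and omitted here for brevity.
services:
  nginx:
    image: nginx:1.25
    ports:
      - "443:443"
    volumes:
      # nginx reads the certificate and key; Keycloak no longer needs them.
      - ./certs/fullchain.pem:/etc/nginx/tls/fullchain.pem:ro
      - ./certs/privkey.pem:/etc/nginx/tls/privkey.pem:ro
    configs:
      - source: keycloak_vhost
        target: /etc/nginx/conf.d/default.conf
    depends_on:
      - keycloak
    networks:
      - keycloak_network

  keycloak:
    # build, depends_on, healthcheck: as in the question
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: <pass>
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/keycloak
      KC_DB_USERNAME: kc
      KC_DB_PASSWORD: <pass>
      KC_HOSTNAME: <domain>
      KC_HTTP_RELATIVE_PATH: /auth
      KC_PROXY: edge                    # TLS ends at nginx; Keycloak trusts X-Forwarded-* from it
      KC_HTTP_ENABLED: "true"           # edge mode talks plain HTTP to the proxy
      KC_HOSTNAME_STRICT_HTTPS: "false" # the setting from the answer
      # KC_HTTPS_CERTIFICATE_FILE / KC_HTTPS_CERTIFICATE_KEY_FILE and the
      # /etc/x509/https mounts are removed in this layout.
    # No "9090:8080" mapping: the plain-HTTP listener is reachable only from
    # nginx over the compose network.
    networks:
      - keycloak_network
    command:
      - start
      - --optimized

configs:
  keycloak_vhost:
    content: |
      server {
          listen 443 ssl;
          server_name <domain>;
          ssl_certificate     /etc/nginx/tls/fullchain.pem;
          ssl_certificate_key /etc/nginx/tls/privkey.pem;

          location /auth/ {
              proxy_pass http://keycloak:8080/auth/;
              # Keycloak rebuilds its public URLs (redirects, issuer) from these
              # headers; without them they point at the wrong scheme or host.
              proxy_set_header Host              $host;
              proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Forwarded-Host  $host;
              proxy_set_header X-Forwarded-Port  $server_port;
          }
      }

networks:
  keycloak_network:
    driver: bridge
```

Because nginx forwards X-Forwarded-Proto as https, Keycloak still generates https:// URLs in this layout; KC_HOSTNAME_STRICT_HTTPS=false only drops the startup check that insists on it. Keeping the 8080 listener off the host's port list matters in edge mode, since anyone who can reach it directly can also set the X-Forwarded-* headers themselves.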