
Deploying Keycloak in production: Cannot set quarkus.http.redirect-insecure-requests without enabling SSL

For a few hours already I have been struggling to get Keycloak to work in production mode. When I try to run Keycloak in production, I get the following error:

keycloak    | 2022-05-25 16:32:43,094 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
keycloak    | 2022-05-25 16:32:43,164 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
keycloak    | 2022-05-25 16:32:43,165 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Cannot set quarkus.http.redirect-insecure-requests without enabling SSL.
keycloak    | 2022-05-25 16:32:43,165 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

My docker-compose file:

  keycloak:
#    depends_on:
#      - postgres_data
    container_name: keycloak
    environment:
      DB_VENDOR: postgres
      DB_ADDR: postgres
      DB_DATABASE: ${POSTGRESQL_DB}
      DB_USER: ${POSTGRESQL_USER}
      DB_PASSWORD: ${POSTGRESQL_PASS}
      KEYCLOAK_ADMIN: ${KEYCLOAK_USER}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_PASSWORD}
      VIRTUAL_PORT: "8080"
      PROXY_ADDRESS_FORWARDING: "true"
      
      
    image: quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}
    volumes:
      - ./theme/:/opt/keycloak/themes/metronic-theme/
      - ./keys/:/opt/keycloak/conf/keys/
    ports:
      - "8082:8080"
    restart: unless-stopped
    command:
      - start --proxy=passthrough --hostname="myhostname" --hostname-strict-backchannel=true --https-certificate-file=/opt/keycloak/conf/keys/server.crt.pem --https-certificate-file=/opt/keycloak/conf/keys/server.key.pem

I am trying to deploy this on version 18.0.0.

Yıldırım Türker Şengül asked Oct 23 '25 03:10


1 Answer

There's a problem in the commands you add to the command: section of your docker compose: you define https-certificate-file twice; the one for the key should be https-certificate-key-file. See the reference in the new TLS guide.

That said, you are also mixing "old" WildFly environment variables with new ones from the Quarkus-based distribution. See e.g. the database guide and the reverse proxy guide for the equivalent parameters in the new distribution. E.g. PROXY_ADDRESS_FORWARDING is now KC_PROXY=edge/passthrough/...

In general, you should look at the new guides. Every guide has the corresponding params at the bottom; when you open up a key, you see the different formats (CLI, ENV) for the key.

example for guide param

Sidenote: You can now also configure Keycloak using only env variables or the CLI, not both.

Dominik answered Oct 25 '25 09:10
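A pre-deployment check for the two mistakes the answer points out (a repeated option that leaves the TLS key unset, and legacy WildFly variables), as an added example that is not code from the question, the answer or the Keycloak project. The function names are hypothetical, and the DB_* replacements are an assumption taken from the Keycloak database guide; only the PROXY_ADDRESS_FORWARDING pair is stated on the page.

```python
import shlex
from collections import Counter

# Legacy WildFly-image variable -> Quarkus-distribution variable. Only the
# PROXY_ADDRESS_FORWARDING pair is stated on the page; the DB_* pairs are an
# assumption based on the Keycloak database guide.
LEGACY_ENV = {
    "PROXY_ADDRESS_FORWARDING": "KC_PROXY", "DB_VENDOR": "KC_DB",
    "DB_ADDR": "KC_DB_URL_HOST", "DB_DATABASE": "KC_DB_URL_DATABASE",
    "DB_USER": "KC_DB_USERNAME", "DB_PASSWORD": "KC_DB_PASSWORD",
}
TLS_PAIR = ("https-certificate-file", "https-certificate-key-file")

def cli_options(command):
    """Names of all --long options in a Keycloak start command, in order."""
    return [t[2:].split("=", 1)[0] for t in shlex.split(command) if t.startswith("--")]

def lint(command, env_names):
    """Return sorted findings for one Keycloak service (command + env var names)."""
    findings = []
    opts = cli_options(command)
    for name, count in Counter(opts).items():
        if count > 1:
            findings.append(f"duplicate option --{name} ({count}x)")
    # KC_FOO_BAR in the environment is the ENV spelling of --foo-bar.
    configured = set(opts) | {
        v[3:].lower().replace("_", "-") for v in env_names if v.startswith("KC_")
    }
    has_cert, has_key = (name in configured for name in TLS_PAIR)
    if has_cert != has_key:
        missing = TLS_PAIR[1] if has_cert else TLS_PAIR[0]
        findings.append(f"TLS half-configured: {missing} is not set")
    for var in env_names:
        if var in LEGACY_ENV:
            findings.append(f"legacy variable {var}: use {LEGACY_ENV[var]}")
    return sorted(findings)

# The question's compose service, reduced to its command and variable names.
PAGE_COMMAND = ('start --proxy=passthrough --hostname="myhostname" '
                "--hostname-strict-backchannel=true "
                "--https-certificate-file=/opt/keycloak/conf/keys/server.crt.pem "
                "--https-certificate-file=/opt/keycloak/conf/keys/server.key.pem")
PAGE_ENV = ["DB_VENDOR", "DB_ADDR", "DB_DATABASE", "DB_USER", "DB_PASSWORD",
            "KEYCLOAK_ADMIN", "KEYCLOAK_ADMIN_PASSWORD", "VIRTUAL_PORT",
            "PROXY_ADDRESS_FORWARDING"]

if __name__ == "__main__":
    for finding in lint(PAGE_COMMAND, PAGE_ENV):
        print(finding)
```

Run against the question's service it reports the repeated https-certificate-file, the unset key file, and six legacy variables; a service that sets both halves of the TLS pair and uses only KC_* names produces no findings.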


