 

Keycloak Docker HTTPS required

I have initialized https://hub.docker.com/r/jboss/keycloak/ on my Digital Ocean Docker Droplet.

# --name keycloak is what the later "docker exec -it keycloak bash" refers to
docker run --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD={password with upcase etc.} -p 8080:8080 jboss/keycloak

success

Everything worked well and the server started on the Droplet's IP address on port 8080.

Problems started when I entered the admin console from the UI in the URL. There was a message: "HTTPS required". This was a real issue and the only solution I have found is to log in to Keycloak from the console and to change the HTTPS=required setting from the admin console without the UI.

I then opened a bash shell in my Docker container:

docker exec -it keycloak bash

success

When I entered my login command in the keycloak/bin folder:

cd keycloak/bin

./kcadm.sh config credentials --server http://<droplet IP>:8080/auth --realm master --user admin --password {password with upcase etc.}

the shell freezes and gives a timeout message after some time.

The reason for logging in from bash would be to complete this:

./kcadm.sh update realms/master -s sslRequired=NONE

which would hopefully solve the original problem of HTTPS required.

user6947621 asked Apr 16 '18 13:04
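What the question tries to do with kcadm.sh (log in as admin, then change the realm's sslRequired flag), done over Keycloak's admin REST API instead, as an added example that is not code from the original post or from the Keycloak project. It assumes the legacy WildFly distribution's /auth prefix in the base URL, the built-in admin-cli client, and an admin user named "admin"; the RecordingTransport class is an offline stand-in so the exact wire requests can be seen without a running server. By default it refuses the value "none", because with it the admin password crosses the network in clear; Keycloak's default "external" only demands HTTPS for non-private client addresses, which is why a public droplet IP trips the "HTTPS required" message while localhost inside the container does not.

```python
"""Change a Keycloak realm's sslRequired setting over the admin REST API.

Added example; not code from the original post or from the Keycloak project.
It does by hand the two steps the question attempts with kcadm.sh: obtain an
admin token, then update the realm. The paths are those of the legacy
(WildFly) distribution, which serves everything under /auth; for Keycloak 17+
without the legacy image, drop "/auth" from the base URL.
"""
import getpass
import json
import sys
import urllib.parse
import urllib.request

# Keycloak's valid values: "all" (always require HTTPS), "external" (require
# HTTPS unless the client address is private, e.g. localhost or 10.x; this is
# the default, and it is what yields "HTTPS required" on a public droplet IP)
# and "none" (never require HTTPS).
SSL_REQUIRED_VALUES = ("all", "external", "none")


def normalize_ssl_required(value, allow_plaintext=False):
    """Validate the requested value. "none" is refused unless explicitly
    allowed, since with it the admin password crosses the network in clear."""
    v = str(value).strip().lower()
    if v not in SSL_REQUIRED_VALUES:
        raise ValueError(f"sslRequired must be one of {SSL_REQUIRED_VALUES}, got {value!r}")
    if v == "none" and not allow_plaintext:
        raise ValueError("sslRequired=none means cleartext logins; set allow_plaintext=True to confirm")
    return v


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, response bytes). The timeout keeps
    a wrong --server URL from hanging the way the question's kcadm call did."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


class RecordingTransport:
    """Offline stand-in for urllib_transport: records each request and replays
    canned (status, body) responses, so the exact wire requests can be
    inspected without a running server (constructed for this example)."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, dict(headers), body))
        return self.responses.pop(0)


def get_admin_token(base_url, username, password, http=urllib_transport):
    """Resource-owner password grant against the master realm with the built-in
    admin-cli client, which is what `kcadm.sh config credentials` does."""
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    status, payload = http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(payload)["access_token"]


def set_ssl_required(base_url, realm, value, token, http=urllib_transport, allow_plaintext=False):
    """PUT a partial RealmRepresentation. Keycloak applies only the fields that
    are present, so this is the REST form of
    `kcadm.sh update realms/<realm> -s sslRequired=<value>`."""
    v = normalize_ssl_required(value, allow_plaintext)
    url = f"{base_url}/admin/realms/{urllib.parse.quote(realm, safe='')}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, _ = http("PUT", url, headers, json.dumps({"sslRequired": v}).encode())
    if status not in (200, 204):
        raise RuntimeError(f"realm update failed with HTTP {status}")
    return v


if __name__ == "__main__":
    # Usage: python kc_ssl_required.py http://localhost:8080/auth master external
    # Run it inside the container (docker exec) or over an SSH tunnel, so the
    # password grant itself never crosses the public network in clear.
    base, realm, wanted = sys.argv[1:4]
    token = get_admin_token(base, "admin", getpass.getpass("admin password: "))
    print("sslRequired is now", set_ssl_required(base, realm, wanted, token,
                                                 allow_plaintext=("--allow-plaintext" in sys.argv)))
```

Running it from inside the container against http://localhost:8080/auth avoids the question's timeout question entirely, since the server is on the loopback interface there; if you really want "none", pass --allow-plaintext and treat the instance as a throwaway, because every admin login after that is sent unencrypted.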




1 Answer

Update Feb 2022:

Keycloak 17+ (e.g. quay.io/keycloak/keycloak:17.0.0) doesn't support autogeneration of a self-signed cert. Minimal HTTPS working example for Keycloak 17+:

1.) Generate a self-signed domain cert/key (follow the prompts in your terminal):

openssl req -newkey rsa:2048 -nodes \
  -keyout server.key.pem -x509 -days 3650 -out server.crt.pem

2.) Update permissions for the key

# Keycloak runs as a non-root user inside the container, so the key must be readable by it;
# read-only is enough (the execute bit is not needed), and a world-readable private key is
# acceptable only for this self-signed dev setup
chmod 644 server.key.pem

3.) Start Keycloak (use volumes for cert/key):

docker run \
  --name keycloak \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=password \
  -e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt.pem \
  -e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem \
  -v $PWD/server.crt.pem:/opt/keycloak/conf/server.crt.pem \
  -v $PWD/server.key.pem:/opt/keycloak/conf/server.key.pem \
  -p 8443:8443 \
  quay.io/keycloak/keycloak:17.0.0 \
  start-dev

Keycloak will be exposed on port 8443 with the HTTPS protocol with this setup. If you also use a proxy (e.g. nginx), you will also need to configure the env variable KC_PROXY properly (e.g. KC_PROXY=edge). Of course you can also use a keycloak.conf file instead of env variables.


Old answer for Keycloak up to 16.1.1 and Keycloak legacy 17+:

Publish port 8443 (HTTPS) and use it instead of 8080 (HTTP):

docker run \
  --name keycloak \
  -e KEYCLOAK_USER=myadmin \
  -e KEYCLOAK_PASSWORD=mypassword \
  -p 8443:8443 \
  jboss/keycloak

Keycloak generates self signed cert for https in this setup. Of course, this is not a production setup.


Update

Use volumes for your own TLS certificate:

  -v /<path>/tls.crt:/etc/x509/https/tls.crt \
  -v /<path>/tls.key:/etc/x509/https/tls.key \
Jan Garaj answered Sep 24 '22 22:09
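The answer notes that a keycloak.conf file can replace the KC_* env variables. As an added example, not taken from the answer or from the Keycloak project, this is the equivalent /opt/keycloak/conf/keycloak.conf for the Keycloak 17+ command above, assuming the same certificate and key paths inside the container; the key names follow Keycloak's documented mapping from env variables (drop the KC_ prefix, lowercase, and turn "_" into "-"):

```ini
# /opt/keycloak/conf/keycloak.conf  (Keycloak 17+, Quarkus distribution)
# Equivalent of KC_HTTPS_CERTIFICATE_FILE / KC_HTTPS_CERTIFICATE_KEY_FILE;
# paths assumed to match the -v bind mounts in the docker run command.
https-certificate-file=/opt/keycloak/conf/server.crt.pem
https-certificate-key-file=/opt/keycloak/conf/server.key.pem

# Equivalent of KC_PROXY=edge. Set it only when a reverse proxy (e.g. nginx)
# terminates TLS in front of Keycloak; with it Keycloak trusts the proxy's
# X-Forwarded-* headers, so never enable it on an instance reachable directly.
#proxy=edge
```

Mount the file with an extra -v into /opt/keycloak/conf/keycloak.conf and drop the corresponding -e lines; an env variable still wins over the file if both are set.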