
keycloak docker mysql connection link failure

I am trying to use mysql for keycloak and have used the same config before but this time it is giving a link failure.

volumes:
  mysql_data:
    driver: local

services:
  mysql:
    image: mysql:5.7
    volumes:
       - mysql_data:/var/lib/mysql
    ports:
       - 3306:3306
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: password

  keycloak:
    build: keycloak-image
    image: km-keycloak
    environment:
      PROXY_ADDRESS_FORWARDING: "true"
      DB_VENDOR: MYSQL
      DB_ADDR: mysql
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
    volumes:
      - mysql_data:/opt/jboss/mysql_data
    depends_on:
      - mysql
    links:
      - mysql

My keycloak image docker file looks like

FROM jboss/keycloak

COPY km.json /opt/jboss
COPY entrypoint.sh /opt/jboss

USER root
RUN chown jboss /opt/jboss/entrypoint.sh && chmod +x /opt/jboss/entrypoint.sh
USER 1000

ENTRYPOINT ["/opt/jboss/entrypoint.sh"]
CMD [""]

The entrypoint for Keycloak looks like

#!/bin/bash

if [[ -e /opt/jboss/mysql_data/keycloak ]]; then
    /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0
else
    /opt/jboss/tools/docker-entrypoint.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file='km.json' -b 0.0.0.0
fi

The error I am getting is

Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

Karan Shah asked Nov 12 '19 17:11

1 Answer

Add

  JDBC_PARAMS: "useSSL=false"

to keycloak environment variables in your docker-compose file.
(e.g. directly after KEYCLOAK_PASSWORD)

Depending on your setup it's probably not necessary to use an SSL protected connection between the 2 containers.

I'm not sure why this error occurs now. It was working in Keycloak version 7.0.0, but it's not working in 7.0.1 anymore. Maybe the Java version changed and does not trust the default MySQL container's SSL cert anymore.

ERROR [stderr] (ServerService Thread Pool -- 70) Thu Nov 14 20:55:46 UTC 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

Evil_skunk answered Oct 13 '22 09:10
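The driver warning quoted in the answer distinguishes three transport states: TLS explicitly disabled, TLS negotiated by default without certificate verification, and TLS with a truststore. The following Python check is an added example (not part of the original question or answer) that classifies a `JDBC_PARAMS` value into those states so a compose file can be reviewed before deployment. The function names, posture labels and sample fragments are constructed for illustration; `trustCertificateKeyStoreUrl` is the Connector/J truststore property and the path shown is a placeholder.

```python
import re
from urllib.parse import parse_qsl

FALSE_VALUES = {"false", "no"}

# Matches a JDBC_PARAMS entry in a compose "environment:" mapping.
PARAM_LINE = re.compile(r"""^[ \t]*JDBC_PARAMS:[ \t]*["']?([^"'\n]*?)["']?[ \t]*$""", re.M)


def tls_posture(jdbc_params):
    """Classify a Connector/J parameter string by the cases the driver warning names."""
    # Property names are matched exactly; if a key repeats, the last value
    # is used here (a choice of this example).
    opts = dict(parse_qsl(jdbc_params, keep_blank_values=True))
    use_ssl = opts.get("useSSL", "").strip().lower()
    verify = opts.get("verifyServerCertificate", "").strip().lower()
    if use_ssl in FALSE_VALUES:
        return "plaintext"  # TLS explicitly disabled, credentials cross the network in clear
    if use_ssl == "" or verify in FALSE_VALUES:
        # useSSL unset: per the warning, TLS is still established but
        # verifyServerCertificate is set to 'false'.
        return "tls-unverified"
    if "trustCertificateKeyStoreUrl" not in opts:
        # Verification requested, but no truststore named in the parameters.
        return "tls-verify-no-truststore"
    return "tls-verified"


def audit_compose(text):
    """Return (value, posture) per JDBC_PARAMS entry; a file without one counts as ''."""
    values = PARAM_LINE.findall(text) or [""]
    return [(v, tls_posture(v)) for v in values]


# Constructed compose fragments: the question's file (no JDBC_PARAMS), the
# answer's workaround, and a verified-TLS variant with a placeholder path.
QUESTION = "    environment:\n      DB_VENDOR: MYSQL\n      DB_ADDR: mysql\n"
WORKAROUND = QUESTION + '      JDBC_PARAMS: "useSSL=false"\n'
VERIFIED = QUESTION + ('      JDBC_PARAMS: "useSSL=true&verifyServerCertificate=true'
                       '&trustCertificateKeyStoreUrl=file:/path/to/truststore.jks"\n')

if __name__ == "__main__":
    for name, text in [("question", QUESTION), ("workaround", WORKAROUND),
                       ("verified", VERIFIED)]:
        print(name, audit_compose(text))
```

The classification describes what the driver is configured to attempt, not whether the handshake succeeds; the question's file falls in the unverified-TLS state and still fails during protocol negotiation.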