Fixed: Unable to locate keystore file

Hi community,

I’ve been using keycloak for about a year to secure access to 2 separate web applications.
With one app, I’m using OpenID Connect proxy authentication to put the app behind authentication.

This has worked well for around one year. For the last 7 days, whenever I want to access this app, I’m just getting a blank webpage stating:
There was an error while logging in: accessing discovery url (https://example.com/auth/realms/xxxx/.well-known/openid-configuration) failed: 10: certificate has expired.
Whenever I go to the discovery url, the site appears secure from within Firefox.

I’m not exactly sure what’s causing this issue.

Keycloak is run in docker, behind (dockerized) nginx with Let's Encrypt taking care of the certificates incl. renewal.
The OIDC proxy is also run behind that reverse proxy.

The only error message that I see within keycloak is the following:

WARN [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file ‘/opt/jboss/keycloak/standalone/configuration/application.keystore’ does not exist. Used blank.

and

WARN [org.wildfly.extension.elytron] (MSC service thread 1-1) WFLYELY01084: KeyStore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self-signed certificate for host localhost

While I had not shared any LE certs with the ‘/etc/x509/https’ container path previously, I have now even tried that. tls.crt and tls.key are both visible inside the container, but still without success.

Do I somehow force the keystore generation manually?

Any ideas on what I could try / what’s causing the error would really help me a lot!
(Currently, all users are locked out from using our app.)

What baffles me the most is that nothing changed for a year; it just suddenly happened.
I checked the logs and the first time this issue appeared was late Sept 30th. Could this perhaps be related? Sept. 30, 2021: Will we see trouble with old Let's Encrypt certificates? | Born's Tech and Windows World

Setup of keycloak and nginx follow this example: GitHub - jinnerbichler/keycloak-nginx: Example for using NGINX as reverse proxy for Keycloak.

Hi mbonn,

Thanks for your answer.
From the article I take the following:

If clients of your API are using OpenSSL, they must use version 1.1.0 or later.

What do these “clients” refer to in my setup?
Is that the Let's Encrypt docker, the OIDC proxy or the Keycloak docker?

Thanks

Hi,

The OIDC proxy, I think. The oauth-proxy does backchannel SSL queries to Keycloak which it is not able to validate. If Firefox has no problems, but backchannel scripts have problems, this often lies in certificates which are delivered without the full signing chain.

regards,
Matthias

1 Like
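An added diagnostic script to check what Matthias describes, and the "OpenSSL 1.1.0 or later" client requirement quoted earlier in the thread. It is not from this thread or from the docker-oidc-proxy project; it assumes `openssl` and `awk` are on PATH, and the container name `oidc-proxy` in the usage comments is a placeholder. The chain check goes slightly beyond the served chain: the same function run on the client's CA bundle lists expired roots in the trust store, which is where a "certificate has expired" can come from when the chain the server sends is itself fine.

```shell
#!/bin/sh
# Added example, not code from the thread or the docker-oidc-proxy project.
# Assumes openssl and awk are installed; "oidc-proxy" below is a placeholder name.

# Print the certificate chain a TLS server actually sends, as PEM. This is what
# a backchannel client sees; a browser may repair gaps from its own cache or
# trust store, so "looks fine in Firefox" says nothing about this chain.
fetch_served_chain() { # fetch_served_chain HOST [PORT]
  printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Split a PEM bundle (a served chain, or a trust store such as
# /etc/ssl/certs/ca-certificates.crt) into its certificates and report the
# subject and expiry of each one. Returns 1 if any certificate has expired.
check_chain_file() { # check_chain_file BUNDLE.pem
  bundle=$1
  dir=$(mktemp -d) || return 2
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { f = d "/cert-" (++n) ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
  status=0
  i=1
  while [ -f "$dir/cert-$i.pem" ]; do
    subj=$(openssl x509 -in "$dir/cert-$i.pem" -noout -subject)
    end=$(openssl x509 -in "$dir/cert-$i.pem" -noout -enddate)
    # -checkend 0 exits non-zero when the certificate has already expired
    if openssl x509 -in "$dir/cert-$i.pem" -noout -checkend 0 >/dev/null 2>&1; then
      printf 'ok       %s  %s\n' "$subj" "$end"
    else
      printf 'EXPIRED  %s  %s\n' "$subj" "$end"
      status=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return $status
}

# Turn "1.0.2" / "1.1.1" / "3.0.2" into one integer for comparison.
version_number() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Compare the output of "openssl version" against a minimum version.
# Returns 0 when the installed OpenSSL is at least MIN. OpenSSL before 1.1.0
# gives up on the first path it builds, so an expired cross-signing root in
# the trust store makes it report "certificate has expired" even though a
# valid path to another trusted root exists.
openssl_at_least() { # openssl_at_least MIN "$(openssl version)"
  have=$(printf '%s\n' "$2" | awk '{ v = $2; sub(/[^0-9.].*$/, "", v); print v }')
  [ "$(version_number "$have")" -ge "$(version_number "$1")" ]
}

# Usage (network and docker calls are deliberately not run at top level):
#   fetch_served_chain example.com > /tmp/served.pem && check_chain_file /tmp/served.pem
#   docker exec oidc-proxy cat /etc/ssl/certs/ca-certificates.crt > /tmp/store.pem
#   check_chain_file /tmp/store.pem | grep EXPIRED
#   openssl_at_least 1.1.0 "$(docker exec oidc-proxy openssl version)" || echo "client OpenSSL too old"
```

Read the three results together: if the served chain is complete and nothing in it has expired, but the proxy container's trust store contains an expired root and its OpenSSL is older than 1.1.0, the failure is in the client's path building, not in the certificates nginx serves, and the fix is to update the client image (its OpenSSL and CA bundle), not to regenerate the keystore.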

Thanks a lot for replying.

I realise this is a bit of a stretch to ask, but do you have any clue on how I could remedy this?

Been trying for the past 10 hours without luck.

This is the repo in question:

Maintainer doesn’t seem to be too active :frowning:

Any answers would be more than appreciated, but I understand that this gets very specific now.

You need to bump all versions in the Dockerfile for the resty image at least (the base image is 3 years old and probably the additional libs could also use a bump).

(Side note: for anything security related you should always follow the latest upstream version as closely as possible anyway.)

1 Like

You could look at Network Graph · evry/docker-oidc-proxy · GitHub and check if there are forks with needed updates already…

1 Like

Maybe a switch to

could also be an option…

1 Like

Yes, thank you very much.

@mbonn, I tried my way around OAuth2 Proxy, but couldn’t get it to run. Mostly a problem of understanding from my side.

Upgrading OpenResty in the Dockerfile fixed it for me:
FROM openresty/openresty:1.19.9.1-2-alpine

For anyone in the future running into this problem:
Here’s the PR: Update OpenResty to v1.19.9.1 by gregnr · Pull Request #21 · evry/docker-oidc-proxy · GitHub

and the “new” repository, as the old one doesn’t seem active anymore:

Thank you very much for all your help!!