KC ignores port configuration

Hi there.
I’m struggling to get an instance of Keycloak I’m using for development to use HTTPS.
The instance, version 24.0.2, runs completely fine under HTTP on port 80, but any configuration I enable about HTTPS is simply ignored.

The current configuration I use is:

export DEBUG_PORT=*:8888;
export KC_HTTP_ENABLED=false
export KC_HTTPS_ENABLED=true
export KC_HTTP_PORT=80
export KC_HTTPS_PORT=8443
export KC_HOSTNAME="https://mydomain.com:8443"
export KC_HOSTNAME_ADMIN="https://mydomain.com:8443"
export KC_HOSTNAME_BACKCHANNEL_DYNAMIC=false
export KC_HOSTNAME_DEBUG=true
export KC_HOSTNAME_STRICT=false
export KC_LOG_LEVEL="INFO"
export KC_HTTPS_CERTIFICATE_FILE="/etc/letsencrypt/live/mydomain/fullchain.pem"
export KC_HTTPSCERTIFICATE_KEY_FILE="/etc/letsencrypt/live/mydomain.com/privkey.pem"

/data/keycloak-24.0.2/bin/kc.sh --config-file "/data/keycloak-24.0.2/conf/quarkus.conf" --verbose start-dev -DSKIP_PARSE_PERSISTENCE_XML=true --https-port 443

Which even has a redundant https-port on the command line, but then:

$ netstat -tulpn | grep java
tcp6       0      0 :::45545                :::*                    LISTEN      830825/java
tcp6       0      0 127.0.0.1:44331         :::*                    LISTEN      830825/java
tcp6       0      0 :::80                   :::*                    LISTEN      830825/java

It listens on port 80, but the URL doesn’t work because it tries to load resources from https and “https” is not there to listen.

If I change the KC_HTTP_PORT, then it gets updated accordingly, but the HTTPS one is simply always ignored.

KC_HTTP_PORT=8080
...
$ netstat -tulpn | grep java
tcp6       0      0 :::8080                   :::*                    LISTEN      830825/java

I’ve already tried to cancel and recreate the H2 DB without success.

Do you have any advice on how to make it work?
Thank you

Your life will be happier if you run Keycloak as a Docker container [1] and even happier with Docker Compose [2]

[1] Docker - Keycloak
[2] keycloak-workshop-stepup-mfa-biometrics/docker-compose-idp.yml at main · embesozzi/keycloak-workshop-stepup-mfa-biometrics · GitHub


Thank you for your advice.
Unfortunately I cannot use docker on this host.
I have another instance running fine with docker, but in this case I really need to configure a “direct” installation.

Probably don’t use start-dev; instead use build and start separately.


I tried even this, without success.
It gives me an error about processing a request with java.io.EOFException and then it hangs (it even refuses to die; I need to kill it with -9).

Anyway I found out that if I specify the ports using the command line instead of ENV variables it works well:

keycloak-24.0.2/bin/kc.sh --verbose start-dev --hostname-strict-backchannel=false --hostname-debug=true --log-level=INFO --https-certificate-file=[...] --https-certificate-key-file=[...] --debug
Listening on : http://0.0.0.0:8080 and https://0.0.0.0:8443

I wonder why…
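
The environment block in the question spells one variable KC_HTTPSCERTIFICATE_KEY_FILE, while the working command line uses --https-certificate-key-file. The shell lint below is an added example, not part of the thread or of Keycloak: it maps each KC_* name to its option name (KC_FOO_BAR to foo-bar) and reports names missing from a list. The function name kc_env_lint and the KNOWN_OPTS list are assumptions made for illustration; the list is partial, so a report means "check the documentation for your version", not "invalid".

```shell
#!/bin/sh
# Added example: lint KC_* variable names against a list of option names.
# KNOWN_OPTS is an assumption: flags seen in this thread plus a few others.
# Replace it with the options documented for your Keycloak version.
KNOWN_OPTS="http-enabled http-port https-port hostname hostname-admin
hostname-strict hostname-strict-backchannel hostname-debug log-level
https-certificate-file https-certificate-key-file"

# kc_env_lint (hypothetical helper): reads "export NAME=value" lines on stdin
# and prints one line per KC_* variable whose option is not in KNOWN_OPTS.
kc_env_lint() {
    while IFS= read -r line; do
        line=${line#export }
        name=${line%%=*}
        case $name in KC_*) ;; *) continue ;; esac
        # KC_FOO_BAR corresponds to the option foo-bar
        opt=$(printf '%s' "${name#KC_}" | tr 'A-Z_' 'a-z-')
        flat=$(printf '%s' "$opt" | tr -d '-')
        found=no
        hint=""
        for k in $KNOWN_OPTS; do
            if [ "$k" = "$opt" ]; then found=yes; break; fi
            # Same letters once separators are dropped: likely a misplaced "_"
            if [ "$(printf '%s' "$k" | tr -d '-')" = "$flat" ]; then
                hint=" (did you mean KC_$(printf '%s' "$k" | tr 'a-z-' 'A-Z_')?)"
            fi
        done
        [ "$found" = yes ] || printf '%s: not in option list%s\n' "$name" "$hint"
    done
}

# Constructed sample: variable names copied from the question, values shortened.
SAMPLE='export DEBUG_PORT=*:8888;
export KC_HTTP_ENABLED=false
export KC_HTTPS_ENABLED=true
export KC_HTTP_PORT=80
export KC_HTTPS_PORT=8443
export KC_HOSTNAME="https://mydomain.com:8443"
export KC_HOSTNAME_BACKCHANNEL_DYNAMIC=false
export KC_HOSTNAME_STRICT=false
export KC_HTTPS_CERTIFICATE_FILE="/path/fullchain.pem"
export KC_HTTPSCERTIFICATE_KEY_FILE="/path/privkey.pem"'

printf '%s\n' "$SAMPLE" | kc_env_lint
```

To check a real setup, pipe the output of `env` (or the file that holds the export lines) into kc_env_lint instead of the sample.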