How to setup domain and SSL for the keycloak droplet?

Posted on November 26, 2024

I tried to follow the tutorial on this page https://docs.digitalocean.com/products/marketplace/catalog/keycloak/ but I can't get the Keycloak admin URL running with a valid SSL certificate, and it always redirects the domain to the IP address. How do I solve that? And sorry, it's my first experience with DigitalOcean and Keycloak.




Hey there! 👋

The DigitalOcean Keycloak Droplet uses the official Docker image; you can check out the documentation here:

https://www.keycloak.org/getting-started/getting-started-docker

The overall process should look as follows. Before you run the certbot command you need to make sure your domain points to your Droplet's IP address:

  • Add an A record in your DNS settings pointing your domain (e.g., example.com) to your Droplet’s public IP.
  • If you’re using DigitalOcean to manage your DNS, it should look like this:
    Hostname        Type    Value
    @ (or blank)    A       Your Droplet's IP
    www             CNAME   example.com

👉 Guide: How to Manage Domains in DigitalOcean

Now if you have already done that, you need to configure Nginx to properly handle your domain:

  1. SSH into your Droplet:

    ssh root@<your-droplet-ip>
    
  2. Create a new server block configuration file for your domain:

    nano /etc/nginx/sites-available/example.com
    
  3. Add the following configuration to the file:

    server {
        listen 80;
        server_name example.com www.example.com;
    
        location ~ /.well-known {
            allow all;
        }
    
        location / {
            proxy_pass https://localhost:8443;
            proxy_set_header Host $host:8443;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    
    server {
        listen 9001;
        server_name example.com www.example.com;
    
        location ~ /.well-known {
            allow all;
        }
    
        location / {
            proxy_pass https://localhost:9000;
            proxy_set_header Host $host:9000;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    
  4. Enable the server block by creating a symbolic link:

    ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
    
  5. Test Nginx and reload:

    nginx -t
    systemctl reload nginx
    

After that, the Keycloak Droplet comes with Certbot pre-installed, making it super easy to set up HTTPS:

  1. Run the Certbot command:

    certbot --nginx -d example.com -d www.example.com
    
  2. Follow the prompts to complete the certificate setup. Certbot will automatically update your Nginx configuration to redirect HTTP traffic to HTTPS.

  3. Test the setup by visiting https://example.com in your browser.


Then on the Keycloak side, you need to inspect the Keycloak container to find the exact environment variables that need to be set to match your domain:

    docker inspect keycloak

Note down the environment variables starting with KC_ and KEYCLOAK_, in particular KEYCLOAK_ADMIN_PASSWORD, KC_DB_PASSWORD and YOUR_KEYSTORE_PASSWORD.

Then stop the container:

    docker stop keycloak

Then you can create a new Keycloak container and pass the domain as an environment variable:

    docker run -d \
      --name keycloak-domain \
      --network host \
      -e KEYCLOAK_ADMIN=admin \
      -e KEYCLOAK_ADMIN_PASSWORD=<YOUR_ADMIN_PASSWORD> \
      -e KC_HOSTNAME=example.com \
      -e KC_HOSTNAME_STRICT=true \
      -e KC_HOSTNAME_STRICT_HTTPS=true \
      -e KC_DB=postgres \
      -e KC_DB_URL=jdbc:postgresql://localhost:5432/keycloak \
      -e KC_DB_USERNAME=keycloak \
      -e KC_DB_PASSWORD=<YOUR_DB_PASSWORD> \
      local-keycloak \
      start \
      --https-key-store-password=<YOUR_KEYSTORE_PASSWORD> \
      --optimized

Here is an example of this running on my Droplet:

Let me know how it goes.

- Bobby

I got it running by creating a new Docker container with this command:

    docker run -d \
      --name keycloak-domain \
      --network host \
      -e KEYCLOAK_ADMIN=admin \
      -e KEYCLOAK_ADMIN_PASSWORD=<Your_Password> \
      -e KC_HOSTNAME=<Your_TLD> \
      -e KC_HTTP_ENABLED=true \
      -e HTTP_ADDRESS_FORWARDING=true \
      -e KC_DB=postgres \
      -e KC_DB_URL=jdbc:postgresql://localhost:5432/keycloak \
      -e KC_DB_USERNAME=keycloak \
      -e KC_DB_PASSWORD=<Your_DB_Password> \
      -e KC_PROXY_HEADERS=xforwarded \
      local-keycloak \
      start \
      --https-key-store-password=<Your_Key_Store_Password> \
      --optimized >> /var/temp.log

Also, the Nginx setup was wrong. This guide was actually the solution:

https://du.nkel.dev/blog/2024-02-10_keycloak-docker-compose-nginx/
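A small audit of the `docker inspect keycloak` step from the first answer, added here as an example and not part of either answer or of the Droplet image: it pulls the KC_/KEYCLOAK_ variables out of the inspect JSON, masks the passwords the answer tells you to note down, and flags the two settings that the working command in the second answer adds (KC_HOSTNAME set to the domain rather than an IP, and KC_PROXY_HEADERS=xforwarded so Keycloak trusts the X-Forwarded-* headers Nginx sends), whose absence produces the redirect-to-IP symptom from the question. The inspect output is a constructed sample cut down to the fields the check reads.

```python
import ipaddress
import json

# Constructed sample of `docker inspect keycloak` output, trimmed to the fields
# this check reads; the real output is a JSON array with many more keys.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/keycloak",
    "Config": {"Env": [
        "KEYCLOAK_ADMIN=admin",
        "KEYCLOAK_ADMIN_PASSWORD=constructed-admin-pw",
        "KC_DB=postgres",
        "KC_DB_URL=jdbc:postgresql://localhost:5432/keycloak",
        "KC_DB_USERNAME=keycloak",
        "KC_DB_PASSWORD=constructed-db-pw",
        "KC_HTTPS_KEY_STORE_PASSWORD=constructed-ks-pw",
        "PATH=/usr/local/bin:/usr/bin",
    ]},
}])

SECRET_SUFFIXES = ("PASSWORD", "SECRET")


def keycloak_env(inspect_json: str) -> dict:
    """Pick the KC_/KEYCLOAK_ variables out of docker inspect output."""
    container = json.loads(inspect_json)[0]
    env = {}
    for item in container["Config"]["Env"]:
        key, _, value = item.partition("=")
        if key.startswith(("KC_", "KEYCLOAK_")):
            env[key] = value
    return env


def redact(env: dict) -> dict:
    """Mask secret values so the listing can be shared without leaking credentials."""
    return {k: "***" if k.endswith(SECRET_SUFFIXES) else v for k, v in env.items()}


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def proxy_findings(env: dict, domain: str) -> list:
    """List settings that leave Keycloak unaware of its public URL behind Nginx."""
    findings = []
    hostname = env.get("KC_HOSTNAME", "")
    if _is_ip(hostname):  # reproduces the redirect-to-IP symptom from the question
        findings.append("KC_HOSTNAME is an IP address, not the domain")
    elif hostname != domain:
        findings.append(f"KC_HOSTNAME should be {domain!r}, found {hostname!r}")
    if env.get("KC_PROXY_HEADERS") != "xforwarded":
        findings.append("KC_PROXY_HEADERS=xforwarded missing: X-Forwarded-* from Nginx is ignored")
    return findings
```

Run it against the real output with `docker inspect keycloak > inspect.json` and pass the file contents to `keycloak_env`; an empty findings list means the container already carries the two settings the second answer needed.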
