Question

How to setup domain and SSL for the keycloak droplet?

I tried to follow the tutorial on this page https://docs.digitalocean.com/products/marketplace/catalog/keycloak/ but I don't manage to get the Keycloak admin URL running with a valid SSL certificate, and it always redirects the domain to the IP address. How do I solve that? And sorry, it's my first experience with DigitalOcean and Keycloak.



I got it running by creating a new Docker container with this command:

docker run -d \
  --name keycloak-domain \
  --network host \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=<Your_Password> \
  -e KC_HOSTNAME=<Your_TLD> \
  -e KC_HTTP_ENABLED=true \
  -e HTTP_ADDRESS_FORWARDING=true \
  -e KC_DB=postgres \
  -e KC_DB_URL=jdbc:postgresql://localhost:5432/keycloak \
  -e KC_DB_USERNAME=keycloak \
  -e KC_DB_PASSWORD=<Your_DB_Password> \
  -e KC_PROXY_HEADERS=xforwarded \
  local-keycloak \
  start \
  --https-key-store-password=<Your_Key_Store_Password> \
  --optimized >> /var/temp.log

Also, the Nginx setup was wrong. This guide was actually the solution:

https://du.nkel.dev/blog/2024-02-10_keycloak-docker-compose-nginx/

Bobby Iliev
Site Moderator
November 26, 2024

Hey there! 👋

The DigitalOcean Keycloak Droplet uses the official Docker image; you can check out the documentation here:

https://www.keycloak.org/getting-started/getting-started-docker

The overall process should look as follows. Before you run the certbot command, you need to make sure your domain points to your Droplet's IP address:

  • Add an A record in your DNS settings pointing your domain (e.g., example.com) to your Droplet’s public IP.
  • If you're using DigitalOcean to manage your DNS, it should look like this:

| Hostname     | Type  | Value             |
|--------------|-------|-------------------|
| @ (or blank) | A     | Your Droplet's IP |
| www          | CNAME | example.com       |

👉 Guide: How to Manage Domains in DigitalOcean

Now if you have already done that, you need to configure Nginx to properly handle your domain:

  1. SSH into your Droplet:

    ssh root@<your-droplet-ip>
    
  2. Create a new server block configuration file for your domain:

    nano /etc/nginx/sites-available/example.com
    
  3. Add the following configuration to the file:

    server {
        listen 80;
        server_name example.com www.example.com;
    
        # Anchored to the ACME challenge path only. An unanchored regex such as
        # "~ /.well-known" would take precedence over "location /" and also
        # capture Keycloak's /realms/<realm>/.well-known/openid-configuration,
        # so OIDC discovery would no longer be proxied to Keycloak.
        location ^~ /.well-known/acme-challenge/ {
            allow all;
        }
    
        location / {
            proxy_pass https://localhost:8443;
            proxy_set_header Host $host:8443;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    
    server {
        listen 9001;
        server_name example.com www.example.com;
    
        # Same anchoring as above: only the ACME challenge path stays local.
        location ^~ /.well-known/acme-challenge/ {
            allow all;
        }
    
        location / {
            proxy_pass https://localhost:9000;
            proxy_set_header Host $host:9000;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    
  4. Enable the server block by creating a symbolic link:

    ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
    
  5. Test Nginx and reload:

    nginx -t
    systemctl reload nginx
    

After that, the Keycloak Droplet comes with Certbot pre-installed, making it super easy to set up HTTPS:

  1. Run the Certbot command:

    certbot --nginx -d example.com -d www.example.com
    
  2. Follow the prompts to complete the certificate setup. Certbot will automatically update your Nginx configuration to redirect HTTP traffic to HTTPS.

  3. Test the setup by visiting https://example.com in your browser.


Then on the Keycloak side, you need to inspect the Keycloak container to find the exact environment variables that need to be set to match your domain:

docker inspect keycloak

Note down the environment variables starting with KC_ and KEYCLOAK_, mainly KEYCLOAK_ADMIN_PASSWORD, KC_DB_PASSWORD and YOUR_KEYSTORE_PASSWORD.

Then stop the container:

docker stop keycloak

Then you can create a new Keycloak container and pass the domain as an environment variable:

docker run -d \
  --name keycloak-domain \
  --network host \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=<YOUR_ADMIN_PASSWORD> \
  -e KC_HOSTNAME=example.com \
  -e KC_HOSTNAME_STRICT=true \
  -e KC_HOSTNAME_STRICT_HTTPS=true \
  -e KC_DB=postgres \
  -e KC_DB_URL=jdbc:postgresql://localhost:5432/keycloak \
  -e KC_DB_USERNAME=keycloak \
  -e KC_DB_PASSWORD=<YOUR_DB_PASSWORD> \
  local-keycloak \
  start \
  --https-key-store-password=<YOUR_KEYSTORE_PASSWORD> \
  --optimized

Here is an example of this running on my Droplet:

Let me know how it goes.

- Bobby
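One way to confirm that the setup above actually worked, as an added example that is not part of Bobby's answer or of the DigitalOcean Droplet itself: a small Python script that fetches a realm's OpenID Connect discovery document over HTTPS (the certificate is validated against the system trust store, so a Let's Encrypt certificate passes and the container's self-signed one fails loudly) and flags every endpoint that is still advertised through the Droplet's IP address, over plain http, or on a non-standard port. That is exactly the "redirects the domain to the IP address" symptom from the question, and it points at KC_HOSTNAME or the proxy headers not being applied. The realm name `master`, the standard `/realms/<realm>/.well-known/openid-configuration` path and the sample documents are assumptions and constructed data, not values taken from the page.

```python
"""Check that Keycloak behind Nginx advertises https://<domain>/... URLs.

Added example, not code from the answer above. Assumes Keycloak's standard
OIDC discovery path /realms/<realm>/.well-known/openid-configuration and that
the expected public hostname is the value given as KC_HOSTNAME.
"""
import ipaddress
import json
import ssl
import sys
import urllib.request
from urllib.parse import urlparse

# Discovery fields whose URLs Keycloak derives from its configured hostname.
URL_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "end_session_endpoint",
    "jwks_uri",
)

# Constructed sample: what a misconfigured instance typically returns
# (IP literal, plain http, internal port leaking through the proxy).
SAMPLE_BROKEN = {
    "issuer": "http://203.0.113.10:8080/realms/master",
    "token_endpoint": "http://203.0.113.10:8080/realms/master/protocol/openid-connect/token",
}


def is_ip_literal(host: str) -> bool:
    """True when the host part is an IPv4/IPv6 address instead of a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def discovery_problems(discovery: dict, expected_host: str) -> list:
    """Return human-readable findings; an empty list means every advertised
    URL is https://<expected_host>/... on the default port."""
    problems = []
    for field in URL_FIELDS:
        value = discovery.get(field)
        if value is None:
            continue  # a realm may omit some endpoints; that is not an error
        parsed = urlparse(value)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            problems.append(f"{field}: scheme is {parsed.scheme!r}, expected https")
        if is_ip_literal(host):
            problems.append(f"{field}: advertises IP address {host}, not a domain")
        elif host != expected_host:
            problems.append(f"{field}: host {host!r} != expected {expected_host!r}")
        if parsed.port not in (None, 443):
            problems.append(f"{field}: non-standard port {parsed.port} leaks through the proxy")
    return problems


def fetch_discovery(expected_host: str, realm: str = "master") -> dict:
    """Fetch the discovery document over TLS with certificate validation."""
    url = f"https://{expected_host}/realms/{realm}/.well-known/openid-configuration"
    ctx = ssl.create_default_context()  # system CA store, hostname checked
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python check_keycloak_hostname.py example.com [realm]
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    realm = sys.argv[2] if len(sys.argv) > 2 else "master"
    findings = discovery_problems(fetch_discovery(host, realm), host)
    for line in findings:
        print("PROBLEM:", line)
    print("OK: all advertised endpoints use https://%s/" % host if not findings else "")
    sys.exit(1 if findings else 0)
```

Run it with the domain you passed as KC_HOSTNAME; a non-zero exit with `PROBLEM:` lines means clients will still be bounced to the IP or to plain http, regardless of what the browser shows for the admin console.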
