“Cannot set quarkus.http.insecure-requests without enabling SSL”
First time startup after editing keycloak.conf for customization:
# Basic settings for running in production. Change accordingly before deploying the server.
# Database
# The database vendor.
db=postgres
# The username of the database user.
db-username=keycloak
# The password of the database user.
db-password=@@@
# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
db-url=jdbc:postgresql://localhost/keycloak
# Observability
# If the server should expose healthcheck endpoints.
#health-enabled=true
# If the server should expose metrics endpoints.
#metrics-enabled=true
# HTTP
# The file path to a server certificate or certificate chain in PEM format.
#https-certificate-file=${kc.home.dir}conf/server.crt.pem
https-certificate-file=/home/flyslinger2/PKI/KeyCloak.crt
# The file path to a private key in PEM format.
#https-certificate-key-file=${kc.home.dir}conf/server.key.pem
https-certificate-file=/home/flyslinger2/PKI/local.key
# The proxy address forwarding mode if the server is behind a reverse proxy.
#proxy=reencrypt
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false
# Hostname for the Keycloak server.
#hostname=myhostname
hostname=KeyCloak-Ubuntu
=================================================================
This is in a test environment so no impact to production units.
Appreciate any insight offered.
I have exactly the same error after migrating from 23 to 25 and first startup with the following config
root@keycl1:/opt/keycloak/bin# sudo -u keycloak ./kc.sh show-config
Current Mode: production
Current Configuration:
kc.config.built = true (SysPropConfigSource)
kc.db = postgres (keycloak.conf)
kc.db-password = ******* (keycloak.conf)
kc.db-url = jdbc:postgresql://10.10.10.18/keycloak (keycloak.conf)
kc.db-username = keycloak (keycloak.conf)
kc.features = persistent-user-sessions (keycloak.conf)
kc.hostname = https://xxx.xxx.xxx (keycloak.conf)
kc.http-enabled = true (keycloak.conf)
kc.log = console,file (keycloak.conf)
kc.log-console-output = default (classpath keycloak.conf)
kc.log-file = /var/log/keycloak/keycloak.log (keycloak.conf)
kc.optimized = true (Persisted)
kc.proxy-headers = xforwarded (keycloak.conf)
kc.spi-hostname-v2-hostname = https://xxx.xxxx.xx (keycloak.conf)
kc.spi-x509cert-lookup-haproxy-certificate-chain-length = 10 (keycloak.conf)
kc.spi-x509cert-lookup-haproxy-ssl-cert-chain-prefix = CERT_CHAIN (keycloak.conf)
kc.spi-x509cert-lookup-haproxy-ssl-client-cert = SSL_CLIENT_CERT (keycloak.conf)
kc.spi-x509cert-lookup-provider = haproxy (keycloak.conf)
kc.version = 25.0.0 (SysPropConfigSource)
Any ideas?
I also do not understand the error message itself: “Cannot set quarkus.http.insecure-requests without enabling SSL”. With a reverse proxy, the SSL connection ends at the haproxy service. The internal connection between haproxy and keycloak is unencrypted and uses an internal VPC. This was the working solution in keycloak 23 and it should also be possible in 25.
OK, a few minutes later and 25 is finally running. I missed a “=” for the proxy-headers property. For reference, this is my current config:
Current Configuration:
kc.config.built = true (SysPropConfigSource)
kc.db = postgres (keycloak.conf)
kc.db-password = ******* (keycloak.conf)
kc.db-url = jdbc:postgresql://10.10.10.18/keycloak (keycloak.conf)
kc.db-username = keycloak (keycloak.conf)
kc.features = persistent-user-sessions (keycloak.conf)
kc.hostname = https://xx.xxx.xx (keycloak.conf)
kc.http-enabled = true (keycloak.conf)
kc.log = console,file (keycloak.conf)
kc.log-console-output = default (classpath keycloak.conf)
kc.log-file = /var/log/keycloak/keycloak.log (keycloak.conf)
kc.optimized = true (Persisted)
kc.proxy-headers = xforwarded (keycloak.conf)
kc.spi-hostname-v2-hostname = https://xxxx.xxxx.xx (keycloak.conf)
kc.spi-x509cert-lookup-haproxy-certificate-chain-length = 10 (keycloak.conf)
kc.spi-x509cert-lookup-haproxy-ssl-cert-chain-prefix = CERT_CHAIN (keycloak.conf)
kc.spi-x509cert-lookup-haproxy-ssl-client-cert = SSL_CLIENT_CERT (keycloak.conf)
kc.spi-x509cert-lookup-provider = haproxy (keycloak.conf)
kc.version = 25.0.0 (SysPropConfigSource)
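
Added example, not code from any poster in this thread or from the Keycloak project: a small Python linter for keycloak.conf text that flags the two mistakes visible above, a key assigned twice (the first post sets https-certificate-file twice and never sets https-certificate-key-file) and a setting line with no "=". Assumptions: the function name `lint_keycloak_conf` and the sample paths are constructed, and the file-level rule (a production start needs a certificate/key pair, a keystore, or http-enabled=true) is this example's reading of Keycloak's behaviour.

```python
# Added example: lint keycloak.conf text for the mistakes seen in this thread.
# Constructed sample modelled on the thread's configs (paths are placeholders).
SAMPLE_CONF = """\
db=postgres
https-certificate-file=/path/to/KeyCloak.crt
https-certificate-file=/path/to/local.key
proxy-headers xforwarded
hostname=KeyCloak-Ubuntu
"""

def lint_keycloak_conf(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    findings = []
    settings = {}   # key -> (value, line number); the last assignment is kept
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if "=" not in line:
            findings.append((n, f"missing '=' in {line!r}"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            findings.append((n, f"{key} already set on line {settings[key][1]}"))
        settings[key] = (value, n)

    cert, cert_line = settings.get("https-certificate-file", ("", 0))
    if cert.endswith(".key"):
        findings.append((cert_line, "https-certificate-file points at a .key file; "
                                    "the private key belongs in https-certificate-key-file"))

    # Assumption: production start needs a cert/key pair, a keystore, or http-enabled=true.
    pem_pair = settings.keys() >= {"https-certificate-file", "https-certificate-key-file"}
    keystore = "https-key-store-file" in settings
    http_on = settings.get("http-enabled", ("", 0))[0].lower() == "true"
    if not (pem_pair or keystore or http_on):
        findings.append((0, "no complete TLS material and http-enabled is not true"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_keycloak_conf(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```

Running the file directly prints the findings for the constructed sample; pass the contents of a real keycloak.conf to `lint_keycloak_conf` to check it before the first start.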