@rblaine95 rblaine95 commented Jan 7, 2026

Keycloak 26.5.0 introduced stricter validation for configuration options. Empty string values are now rejected with the error:

Invalid empty value for option 'KC_HTTPS_CERTIFICATE_KEY_FILE'

The current keycloak-env.sh exports HTTPS-related environment variables with empty string defaults:

export KC_HTTPS_CERTIFICATE_KEY_FILE="${KC_HTTPS_CERTIFICATE_KEY_FILE:-}"

This causes Keycloak 26.5.0+ to fail on startup when TLS is disabled (common in edge-terminated reverse proxy setups).

This PR adds a loop to run.sh and setup.sh that unsets these environment variables if they are empty, after loading keycloak-env.sh:

for env_var in \
    "KC_HTTPS_TRUST_STORE_FILE" \
    "KC_HTTPS_TRUST_STORE_PASSWORD" \
    "KC_HTTPS_KEY_STORE_FILE" \
    "KC_HTTPS_KEY_STORE_PASSWORD" \
    "KC_HTTPS_CERTIFICATE_FILE" \
    "KC_HTTPS_CERTIFICATE_KEY_FILE"; do
    [[ -z "${!env_var:-}" ]] && unset "$env_var"
done

Affected variables:

  • KC_HTTPS_TRUST_STORE_FILE
  • KC_HTTPS_TRUST_STORE_PASSWORD
  • KC_HTTPS_KEY_STORE_FILE
  • KC_HTTPS_KEY_STORE_PASSWORD
  • KC_HTTPS_CERTIFICATE_FILE
  • KC_HTTPS_CERTIFICATE_KEY_FILE

Benefits

  • Fixes compatibility with Keycloak 26.5.0+
  • Allows users to run Keycloak behind edge-terminated reverse proxies (e.g., AWS ALB, nginx) without TLS configuration
  • No breaking changes for existing setups that use TLS - variables with values continue to work as before

Possible drawbacks

None identified. This change only affects the behavior when the variables are empty/unset, which was causing failures anyway in Keycloak 26.5.0+.

Applicable issues

Additional information

Tested with:

  • Keycloak 26.5.0 behind AWS ALB with edge-terminated TLS
  • Configuration:
    • KEYCLOAK_PRODUCTION=true
    • KC_HTTP_ENABLED=true
    • KC_PROXY_HEADERS=xforwarded
    • KEYCLOAK_ENABLE_HTTPS=false (default)

References:

Error before fix:

INFO  ==> ** keycloak setup finished! **
INFO  ==> ** Starting Keycloak **
Appending additional Java properties to JAVA_OPTS
Changes detected in configuration. Updating the server image.
Invalid empty value for option 'KC_HTTPS_CERTIFICATE_KEY_FILE'
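
An added example, not part of the PR or the Bitnami scripts: it reproduces the "exported but empty" state that the `${VAR:-}` defaults create and shows that the unset step removes only the empty variables from what a child process inherits. The function names and the trust store path are hypothetical, and the indirection uses POSIX `eval` in place of the PR's bash `${!env_var}` expansion.

```sh
#!/bin/sh
# Added example (not the chart's code). POSIX sh; the PR's loop uses bash ${!var}.

# The six variables the PR lists as affected.
KC_HTTPS_VARS="KC_HTTPS_TRUST_STORE_FILE KC_HTTPS_TRUST_STORE_PASSWORD
KC_HTTPS_KEY_STORE_FILE KC_HTTPS_KEY_STORE_PASSWORD
KC_HTTPS_CERTIFICATE_FILE KC_HTTPS_CERTIFICATE_KEY_FILE"

# True when the named variable is set to the empty string (unset is false).
# The name reaches eval, so pass only trusted identifiers such as the list above.
is_set_but_empty() {
    eval "[ -n \"\${$1+x}\" ] && [ -z \"\${$1}\" ]"
}

# Unset every listed variable that is set but empty; leave real values alone.
unset_empty_https_vars() {
    for name in $KC_HTTPS_VARS; do
        if is_set_but_empty "$name"; then unset "$name"; fi
    done
}

# Print the listed names that a child process (such as the Keycloak JVM)
# would inherit, one per line.
inherited_https_vars() {
    for name in $KC_HTTPS_VARS; do
        if env | grep -q "^${name}="; then echo "$name"; fi
    done
}

# Constructed scenario, run in a subshell so the caller's environment is untouched.
demo() (
    for name in $KC_HTTPS_VARS; do unset "$name"; done
    KC_HTTPS_TRUST_STORE_FILE="/constructed/truststore.jks"  # constructed sample value
    for name in $KC_HTTPS_VARS; do
        eval "export $name=\"\${$name:-}\""   # same pattern as keycloak-env.sh
    done
    # Unquoted on purpose: word splitting joins the names onto one line.
    echo before: $(inherited_https_vars)
    unset_empty_https_vars
    echo after: $(inherited_https_vars)
)

demo
```

The unset has to run in the same shell that later starts Keycloak; calling `unset_empty_https_vars` inside `$(...)` or a pipeline would only change a subshell.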

@github-actions github-actions bot added keycloak triage Triage is needed labels Jan 7, 2026
@github-actions github-actions bot requested a review from carrodher January 7, 2026 12:13
@rblaine95 rblaine95 force-pushed the fix/keycloak-26.5-https-env-vars branch from b54c1b4 to fc8941c Compare January 7, 2026 12:18
@carrodher carrodher added verify Execute verification workflow for these changes in-progress labels Jan 7, 2026
@github-actions github-actions bot removed the triage Triage is needed label Jan 7, 2026
@github-actions github-actions bot removed the request for review from carrodher January 7, 2026 14:32
@github-actions github-actions bot requested a review from migruiz4 January 7, 2026 14:32
@carrodher carrodher requested review from juan131 and removed request for migruiz4 January 9, 2026 07:56
@carrodher carrodher assigned juan131 and unassigned migruiz4 Jan 9, 2026
Contributor

@juan131 juan131 left a comment

Thanks so much for reporting this issue and suggesting this fix, we really appreciate it! Please check my comments.

@rblaine95 rblaine95 requested a review from juan131 January 9, 2026 11:55
@rblaine95 rblaine95 force-pushed the fix/keycloak-26.5-https-env-vars branch 3 times, most recently from e1c64d7 to 8972cee Compare January 9, 2026 11:59
…PS env vars

Keycloak 26.5.0 introduced stricter validation for configuration options,
rejecting empty string values with:

  Invalid empty value for option 'KC_HTTPS_CERTIFICATE_KEY_FILE'

This causes startup failures when TLS is disabled (common in edge-terminated
reverse proxy setups like AWS ALB or nginx).

Add a loop to unset empty HTTPS-related environment variables after loading
keycloak-env.sh in both run.sh and setup.sh scripts.

Affected variables:
- KC_HTTPS_TRUST_STORE_FILE
- KC_HTTPS_TRUST_STORE_PASSWORD
- KC_HTTPS_KEY_STORE_FILE
- KC_HTTPS_KEY_STORE_PASSWORD
- KC_HTTPS_CERTIFICATE_FILE
- KC_HTTPS_CERTIFICATE_KEY_FILE

Signed-off-by: Robbie Blaine <[email protected]>
@rblaine95 rblaine95 force-pushed the fix/keycloak-26.5-https-env-vars branch from 8972cee to c482277 Compare January 9, 2026 12:00
@rblaine95
Author

Already done in #89381

@rblaine95 rblaine95 closed this Jan 9, 2026
@rblaine95 rblaine95 deleted the fix/keycloak-26.5-https-env-vars branch January 9, 2026 12:18
Labels

keycloak solved verify Execute verification workflow for these changes

Development

Successfully merging this pull request may close these issues.

[bitnami/keycloak] Keycloak 26.5.0 fails to start with "Invalid empty value for option 'KC_HTTPS_CERTIFICATE_KEY_FILE'"