Hi sound familiar to me :-) guess you forgot to add  <socket-binding name="proxy-https" port="443"/> in <socket-binding-group name="standard-sockets" [...] in my standalone.xml at the very bottom. in your apache conf you need these lines:         RequestHeader set X-Forwarded-Proto "https"         RequestHeader set X-Forwarded-Port "443"         [...]         ProxyPass / http://localhost:[port]/ nocanon (nocanon solved a style loading issue for me) Hope it helps Martin On 17.11.2017 14:38, mj wrote: > Hi Stian, list, > > So, manually editing standalone.xml got me further, but not yet 100% > succes. :-) > > I edited standalone.xml by hand, and have things working on port 8080. > But we have been using keycloak 2.x / 3.x through apache2 reverse https > proxy, requiring the following config in standalone.xml: > >> <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true" enable-http2="true"/> > However, keycloak 3.4 complains with this config: > >> 14:34:18,158 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=default' are not available: >> org.wildfly.network.socket-binding.proxy-https; Possible registration points for this capability: >> /socket-binding-group=*/socket-binding=* >> 14:34:18,161 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. >> 14:34:18,189 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) stopped in 6ms > Some advise would be appreciated, as we are not that experienced in > wildfly / java, etc. > > Or is there perhaps another (new?) way to have keycloak running on https > with an lets encrypt ssl certificate? > > Using the apache2 reverse proxy way has served us very well, the last years. > > Thanks! > MJ > > On 11/15/2017 09:26 AM, Stian Thorgersen wrote: >> That seems like it could be an issue caused by the fact that KC 3.3 was >> based on WildFly 11 Beta. You'll probably have to manually update the >> standalone file (or grab the one from 3.2 release if you still have that). >> >> On 14 November 2017 at 11:17, lists <lists(a)merit.unu.edu >> <mailto:lists@merit.unu.edu>> wrote: >> >> Hi, >> >> Today we tried to upgrade our standalone 3.3 install to 3.4, following >> the docs: >> >> - copied 3.3 /standalone/ over the 3.4 install, replacing all >> - copied mysql connector in modules/system/layers/keycloak/org >> >> But then, the standalone upgrade script doesn't work: >> >> > root@server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh >> --file=bin/migrate-standalone.cli >> > Cannot start embedded server: WFLYEMB0021: Cannot start embedded >> process: Operation failed: WFLYSRV0056: Server boot has failed in an >> unrecoverable manner; exiting. See previous messages for details. >> > root@server:/opt/keycloak-3.4.0.Final# >> >> When starting the 3.4 server without having run the upgrade script, we >> see what the actual problem appears to be: >> >> > OPVDX001: Validation error in standalone.xml >> ----------------------------------- >> > | >> > |  470:     </spi> >> > |  471: </subsystem> >> > |  472: <subsystem xmlns="urn:wildfly:elytron:1.2" >> final-providers="combined-providers" >> disallowed-providers="OracleUcrypto"> >> > |       ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' >> > | >> > |  473:     <providers> >> > |  474:         <aggregate-providers name="combined-providers"> >> > |  475:             <providers name="elytron"/> >> > | >> > | The primary underlying error message was: >> > | > ParseError at [row,col]:[472,9] >> > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' >> > | >> > >> |------------------------------------------------------------------------------- >> >> The same standalone.xml still works in the keycloak 3.3, so it basically >> seems to be ok, or not corrupt at least. This install has been upgraded >> from: >> 3.0 -> 3.1 -> 3.3 (we skipped 3.2) >> >> It seems that our config has to be migrated using the script, but the >> upgrade-standalone.cli script will not run... >> >> What to do? >> >> MJ >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> <https://lists.jboss.org/mailman/listinfo/keycloak-user> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user