[keycloak-user] email to reset password falied - keycloak 2.5.0

Hi All Need help trying to allow the user to update their password. The use case 1) Login to admin 2) Select a user, goto credential and select Update Password as reset again and sent email 3) User received email and click on the link (within the minute) 4) Keycloak complains with error We are sorry - an error occurred please login again. Setup Keycloak 2.5.1 Final Apache 2.4 - SSL enabled Mod proxy ajp OS ubuntu 14.04 Keycloak standalone.xml ajp config <server name="default-server"> <ajp-listener name="mmemoeListener" socket-binding="ajp" redirect-socket="proxy-https" scheme="https" /> <http-listener name="default" socket-binding="http" redirect-socket="https"/> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <filter-ref name="proxy-peer"/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> </host> </server> <servlet-container name="default"> <jsp-config/> <websockets/> </servlet-container> <handlers> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> </handlers> <filters> <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" /> <response-header name="server-header" header-name="Server" header-value="WildFly/10"/> <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/> </filters> Apache 2 http conf ProxyRequests Off ProxyPreserveHost On SSLProxyEngine On <Proxy *> RequestHeader set X-Forwarded-Proto "https" Require all granted </Proxy> #Keycloak requirements LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common ProxyPass /auth ajp://localhost:8009/auth Link received in the Update Your Account email https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-acti... Apache log [11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441 Keycloak log 01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code Thanks.