Groups keyboard shortcuts have been updated
Dismiss
See shortcuts

26.2.0 fail to start

302 views
Skip to first unread message

A. Schulze

unread,
Apr 12, 2025, 12:14:45 PMApr 12
to Keycloak User
Hello,

26.1.5 runs well, but 26.2.0 fail with this message:

+ exec /usr/bin/setpriv --reuid keycloak --regid root --clear-groups /opt/keycloak/bin/kc.sh start --optimized
INFO [org.keycloak.common.Profile] (main) Preview features enabled: recovery-codes:v1
INFO [org.keycloak.common.Profile] (main) Preview features enabled: recovery-codes:v1
WARN [io.agroal.pool] (agroal-11) Datasource '<default>': Wrong user name or password [28000-230]
WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (JPA Startup Thread) SQL Error: 28000, SQLState: 28000
ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (JPA Startup Thread) Wrong user name or password [28000-230]
WARN [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread) HHH000342: Could not obtain connection to query metadata: org.hibernate.exception.GenericJDBCException: unable to obtain isolated JDBC connection [Wrong user name or password [28000-230]] [n/a]
at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:63)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:108)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:94)
at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.doTheWork(JtaIsolationDelegate.java:206)
at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.lambda$delegateWork$3(JtaIsolationDelegate.java:91)
at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.doInSuspendedTransaction(JtaIsolationDelegate.java:125)
at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.delegateWork(JtaIsolationDelegate.java:88)
at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.getJdbcEnvironmentUsingJdbcMetadata(JdbcEnvironmentInitiator.java:320)
at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:129)
at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:81)
at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:130)
at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263)
at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:238)
at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:215)
at org.hibernate.service.ServiceRegistry.requireService(ServiceRegistry.java:68)
at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.configure(JdbcServicesImpl.java:52)
at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:136)
at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:247)
at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:215)
at org.hibernate.service.ServiceRegistry.requireService(ServiceRegistry.java:68)
at org.hibernate.boot.internal.SessionFactoryOptionsBuilder.<init>(SessionFactoryOptionsBuilder.java:290)
at io.quarkus.hibernate.orm.runtime.recording.PrevalidatedQuarkusMetadata.buildSessionFactoryOptionsBuilder(PrevalidatedQuarkusMetadata.java:72)
at io.quarkus.hibernate.orm.runtime.boot.FastBootEntityManagerFactoryBuilder.build(FastBootEntityManagerFactoryBuilder.java:84)
at io.quarkus.hibernate.orm.runtime.FastBootHibernatePersistenceProvider.createEntityManagerFactory(FastBootHibernatePersistenceProvider.java:72)
at jakarta.persistence.Persistence.createEntityManagerFactory(Persistence.java:80)
at jakarta.persistence.Persistence.createEntityManagerFactory(Persistence.java:55)
at io.quarkus.hibernate.orm.runtime.JPAConfig$LazyPersistenceUnit.get(JPAConfig.java:163)
at io.quarkus.hibernate.orm.runtime.JPAConfig$1.run(JPAConfig.java:63)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.h2.jdbc.JdbcSQLInvalidAuthorizationSpecException: Wrong user name or password [28000-230]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:522)
at org.h2.message.DbException.getJdbcSQLException(DbException.java:489)
at org.h2.message.DbException.get(DbException.java:223)
at org.h2.message.DbException.get(DbException.java:199)
at org.h2.message.DbException.get(DbException.java:188)
at org.h2.engine.Engine.validateUserAndPassword(Engine.java:396)
at org.h2.engine.Engine.createSession(Engine.java:206)
at org.h2.engine.SessionRemote.connectEmbeddedOrServer(SessionRemote.java:344)
at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:124)
at org.h2.Driver.connect(Driver.java:59)
at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:225)
at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:580)
at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:561)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:75)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1134)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
... 1 more

WARN [io.agroal.pool] (agroal-11) Datasource '<default>': Wrong user name or password [28000-230]
INFO [com.arjuna.ats.jbossatx] (main) ARJUNA032014: Stopping transaction recovery manager
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Wrong user name or password [28000-230]
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

+ exec /usr/bin/setpriv --reuid keycloak --regid root --clear-groups /opt/keycloak/bin/kc.sh show-config
Current Mode: production
Current Configuration:
kc.health-enabled = true (Persisted)
kc.bootstrap-admin-password = ******* (ENV)
kc.log-level-org.infinispan.transaction.lookup.JBossStandaloneJTAManagerLookup = WARN (classpath application.properties)
kc.log-level-io.quarkus.config = off (classpath application.properties)
kc.hostname = https://login.example/ (ENV)
kc.https-protocols = TLSv1.3 (ENV)
kc.log-console-output = default (classpath application.properties)
kc.https-certificate-file = /cert/keycloak-cert.pem (ENV)
kc.https-port = 443 (ENV)
kc.fqdn = keycloak-service-address (ENV)
kc.cache-config-file = cache-local.xml (ENV)
kc.bootstrap-admin-username = ****** (ENV)
kc.db = dev-file (ENV)
kc.log-console-format = %p [%c] (%t) %s%e%n (ENV)
kc.log-level-io.quarkus.hibernate.orm.deployment.HibernateOrmProcessor = warn (classpath application.properties)
kc.optimized = true (Persisted)
kc.version = 26.2.0 (SysPropConfigSource)
kc.http-max-queued-requests = 10 (ENV)
kc.features = recovery-codes:v1,docker:v1 (Persisted)
kc.https-certificate-key-file = /cert/keycloak-key.pem (ENV)
kc.log-level-org.jboss.resteasy.resteasy_jaxrs.i18n = WARN (classpath application.properties)
kc.log-level-io.quarkus.arc.processor.BeanArchives = off (classpath application.properties)
kc.cache = local (ENV)
kc.log-level-io.quarkus.deployment.steps.ReflectiveHierarchyStep = error (classpath application.properties)
kc.log-level-io.quarkus.arc.processor.IndexClassLookupUtils = off (classpath application.properties)
kc.https-management-protocols = TLSv1.3 (ENV)
kc.provider.file.keycloak-ipaddress-authenticator-26.0.2_0-jar-with-dependencies.jar.last-modified = 1744391570000 (Persisted)
kc.features-disabled = ciba,client-policies,device-flow,impersonation,kerberos,organization,par,persistent-user-sessions,step-up-authentication,web-authn (Persisted)


It's a small setup, so kc.db=dev-file. That worked until 26.1.5. Also, https://github.com/evosec/keycloak-ipaddress-authenticator is used
No idea, if both matters. Any help is appreciated :-)

Andreas

A. Schulze

unread,
Apr 19, 2025, 7:57:19 AMApr 19
to keyclo...@googlegroups.com
Hi all,

nobody else saw this? No hints?

Andreas


Am 12.04.25 um 18:14 schrieb 'A. Schulze' via Keycloak User:

Emma Richardson

unread,
Apr 20, 2025, 7:36:26 AMApr 20
to Keycloak User
Well the error says wrong username or password - did you have to enter that somewhere?

daniel....@gmail.com

unread,
Apr 20, 2025, 8:38:06 AMApr 20
to Emma Richardson, Keycloak User
Hi,

are you using the dev-file DB from your previous instance for a new Keycloak version? Maybe this causes the trouble?
You could try a full import from the previous instance and import it into the new.
Or import it with the same version into a proper database and upgrade from there. Dev-file is not for production.

Am 20.04.2025 um 13:36 schrieb Emma Richardson <emm...@gmail.com>:

Well the error says wrong username or password - did you have to enter that somewhere?
--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/keycloak-user/daf90808-ed3c-4b87-9a40-ab6c070a5ff6n%40googlegroups.com.

A. Schulze

unread,
Apr 20, 2025, 3:55:35 PMApr 20
to keyclo...@googlegroups.com


Am 20.04.25 um 14:37 schrieb daniel....@gmail.com:
> You could try a full import from the previous instance and import it into the new.

Hello,

export + import solved my problem.
Thanks for your help!

Andreas

SIMULATAN

unread,
Apr 22, 2025, 2:27:16 AMApr 22
to Keycloak User
I am also facing this issue using a bare bones config - only the `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` environment variables are set (see my docker-compose file).
26.1 is working just fine.

Thankfully, my application bootstraps the Realm programmatically using the API. Therefore the impact was minimal, despite the export I made before deleting the DB file failing to import due to a supposedly missing client...
Curious that such a breakage occurs in a "minor" release..

Alexander Schwartz

unread,
Apr 24, 2025, 2:32:04 AMApr 24
to Keycloak User
Dear Keycloak community,

this has been discussed in our issue tracker in issue https://github.com/keycloak/keycloak/issues/39046
See details there for a workaround. 

Best,
Alexander

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/keycloak-user/752bc263-4684-492e-bcc4-c13106d94844n%40googlegroups.com.


--

Alexander Schwartz, RHCE

He/Him

Principal Software Engineer, Keycloak Maintainer

Red Hat - Germany remote

asch...@redhat.com   

Red Hat GmbH, Registered seat: Werner von Siemens Ring 12, D-85630 Grasbrunn, Germany 
Commercial register: Amtsgericht Muenchen/Munich, HRB 153243,
Managing Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross
Reply all
Reply to author
Forward
0 new messages