Credentials are invalid

After pulling down the latest changes to our production system, I am getting the error below. I have changed the password in docker-compose.yml from -secret to the latest admin password we were using, but this did not work.

Any advice on how I can resolve this would be appreciated.

```
manager-1 | 2024-09-15 04:25:20.187 INFO [main ] curity.keycloak.KeycloakIdentityProvider : Validating keycloak credentials
keycloak-1 | 2024-09-15 04:25:20,376 WARN [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", realmId="f2bf21bd-5d61-4689-b9f9-99e1ca33915d", clientId="admin-cli", userId="d7dfcd18-55f3-4c3d-a1ab-5b8c91e6af60", ipAddress="172.19.0.4", error="invalid_user_credentials", auth_method="openid-connect", grant_type="password", client_auth_method="client-secret", username="admin"
manager-1 | 2024-09-15 04:25:20.388 INFO [main ] curity.keycloak.KeycloakIdentityProvider : Credentials are invalid
manager-1 | 2024-09-15 04:25:20.389 WARNING [main ] curity.keycloak.KeycloakIdentityProvider : Credentials don't work so cannot continue
manager-1 | 2024-09-15 04:25:20.390 SEVERE [main ] org.openremote.container.Container : >>> Runtime container startup failed
manager-1 | java.lang.RuntimeException: Credentials don't work so cannot continue
manager-1 | at org.openremote.container.security.keycloak.KeycloakIdentityProvider.start(KeycloakIdentityProvider.java:242)
manager-1 | at org.openremote.manager.security.ManagerKeycloakIdentityProvider.start(ManagerKeycloakIdentityProvider.java:137)
manager-1 | at org.openremote.container.security.IdentityService.start(IdentityService.java:62)
manager-1 | at org.openremote.container.Container.start(Container.java:167)
manager-1 | at org.openremote.container.Container.startBackground(Container.java:211)
manager-1 | at org.openremote.manager.Main.main(Main.java:31)
dependency failed to start: container ubuntu-manager-1 is unhealthy
```

Hi all,

After some troubleshooting, I’ve managed to log back into the system. I’m not entirely sure what fixed the issue, but I deleted everything (images, containers, etc.), re-installed Docker, restored the database and added the admin password variables (KEYCLOAK_ADMIN_PASSWORD and OR_ADMIN_PASSWORD) to the docker-compose.yml. However, during this process, the domain certificate hit the Let’s Encrypt limit, but I believe this should resolve itself after some time.

The main issue I’m facing now is that whenever I pull down changes, it seems there’s a disconnect between the Keycloak password and what we’ve set in our version. I suspect I’m not going about this the right way and would appreciate any advice on the correct approach to handle updates and password management in OpenRemote.

Thanks for any guidance!

The only docker volume you should delete when redeploying is the deployment-data volume (if you have changed any files in your custom deployment image).

If you do want a full clean install, I would still recommend leaving the proxy-data volume to avoid Let’s Encrypt issues.

During first startup the manager creates a service user in Keycloak to allow communication from the manager to Keycloak; it uses the admin username and OR_ADMIN_PASSWORD to authenticate with Keycloak to create this user. This means that you can then change the admin user password in the UI and on container restart the manager will still be able to communicate with Keycloak (i.e. the OR_ADMIN_PASSWORD environment no longer matches the actual admin password but the manager has its own credentials now so it still works).

The credentials for this service user are stored in a file in the OR_STORAGE_DIR which is typically mapped to a docker volume.

During startup, if the credentials file exists, the manager will try to authenticate with Keycloak using those credentials; if that fails or the file doesn’t exist, the manager will try authenticating as the admin user with OR_ADMIN_PASSWORD as the password. If this then fails, startup will fail.
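
The reply above describes a startup that falls back from the stored service-user credentials to the admin user with OR_ADMIN_PASSWORD. As an added example (not OpenRemote code, and not part of the original posts), this Python script scans compose logs for the Keycloak event that shows that admin fallback being rejected. The function names and the sample lines, two abridged from the first post plus one made-up event, are assumptions.

```python
import re

PAIR = re.compile(r'(\w+)=["“]([^"”]*)["”]')  # straight or forum-curled quotes
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[.,]\d{3}")

def parse_event(line):
    """Return the fields of a Keycloak event log line, or None for other lines."""
    if "[org.keycloak.events]" not in line:
        return None
    fields = dict(PAIR.findall(line))
    stamp = STAMP.search(line)
    fields["time"] = stamp.group(0) if stamp else None
    return fields

def admin_password_failures(log_text):
    """Events where a password grant through admin-cli was rejected."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if (ev and ev.get("type") == "LOGIN_ERROR"
                and ev.get("error") == "invalid_user_credentials"
                and ev.get("clientId") == "admin-cli"
                and ev.get("grant_type") == "password"):
            hits.append(ev)
    return hits

def diagnose(log_text):
    """Tie the Keycloak event to the manager's startup abort message."""
    aborted = "Credentials don" in log_text and "cannot continue" in log_text
    failures = admin_password_failures(log_text)
    if aborted and failures:
        users = sorted({ev.get("username", "?") for ev in failures})
        return "admin fallback rejected for: " + ", ".join(users)
    if aborted:
        return "manager aborted, no matching Keycloak event"
    return "no startup credential failure"

# Constructed sample: two lines abridged from the first post, plus one
# made-up event (example-client / alice) that must not be flagged.
SAMPLE = '''\
keycloak-1 | 2024-09-15 04:25:20,376 WARN [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", clientId="admin-cli", ipAddress="172.19.0.4", error="invalid_user_credentials", grant_type="password", username="admin"
manager-1 | 2024-09-15 04:25:20.389 WARNING [main ] curity.keycloak.KeycloakIdentityProvider : Credentials don't work so cannot continue
keycloak-1 | 2024-09-15 04:31:02,114 WARN [org.keycloak.events] (executor-thread-3) type="LOGIN_ERROR", clientId="example-client", ipAddress="172.19.0.9", error="invalid_user_credentials", auth_method="openid-connect", username="alice"
'''

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A hit from this check means the manager reached the OR_ADMIN_PASSWORD step, so the value in docker-compose.yml and the admin password held in the Keycloak database are the two things to compare.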