I’m currently in the process of restoring our OpenRemote deployment to a new AWS EC2 instance, following these steps:
- Pulled the latest OpenRemote code using the Quick Start guide
- Modified the
docker-compose.yml
to reflect the public IP address of the new instance. - Followed the
Backup/Restore OpenRemote DB
procedure from the [Developer Guide: Useful Commands and Queries
I also updated the following values in docker-compose.yml
to match the values used in the previous production system:
KEYCLOAK_ADMIN_PASSWORD
OR_ADMIN_PASSWORD
After restoring the database and starting the stack, the openremote-manager-1 container remains unhealthy and fails with the message:
‘dependency failed to start: container openremote-manager-1 is unhealthy’
I’d appreciate advice on the best practice for migrating OpenRemote to a new instance.
I have seen this error in the logs depending on the password settings in docker-compose.yml:
manager-1 | 2025-04-06 07:36:14.316 SEVERE [main ] org.openremote.container.Container : >>> Runtime container startup failed
manager-1 | java.io.IOException: Integrity check failed: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
manager-1 | at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2162)
manager-1 | at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
manager-1 | at java.base/java.security.KeyStore.load(KeyStore.java:1500)
manager-1 | at java.base/java.security.KeyStore.getInstance(KeyStore.java:1828)
manager-1 | at java.base/java.security.KeyStore.getInstance(KeyStore.java:1709)
manager-1 | at org.openremote.manager.security.KeyStoreServiceImpl.start(KeyStoreServiceImpl.java:107)
manager-1 | at org.openremote.container.Container.start(Container.java:179)
manager-1 | at org.openremote.container.Container.startBackground(Container.java:223)
manager-1 | at org.openremote.manager.Main.main(Main.java:36)
manager-1 | Caused by: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
manager-1 | at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineLoad$2(PKCS12KeyStore.java:2156)
manager-1 | at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
manager-1 | at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2140)
manager-1 | … 8 more
manager-1 exited with code 0
Here is my docker-compose.yml
:
OpenRemote v3
Profile that runs the stack by default on https://localhost using a self-signed SSL certificate,
but optionally on https://$OR_HOSTNAME with an auto generated SSL certificate from Letsencrypt.
It is configured to use the AWS logging driver.
volumes:
proxy-data:
manager-data:
postgresql-data:
services:
proxy:
image: openremote/proxy:${PROXY_VERSION:-latest}
restart: always
depends_on:
manager:
condition: service_healthy
ports:
- “80:80” # Needed for SSL generation using letsencrypt
- “${OR_SSL_PORT:-443}:443”
- “8883:8883”
- “127.0.0.1:8404:8404” # Localhost metrics access
volumes:
- proxy-data:/deployment
environment:
LE_EMAIL: ${OR_EMAIL_ADMIN:-}
DOMAINNAME: ${OR_HOSTNAME:-0.123.456.789}
DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
# USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
#HAPROXY_CONFIG: ‘/data/proxy/haproxy.cfg’
postgresql:
restart: always
image: openremote/postgresql:${POSTGRESQL_VERSION:-latest}
shm_size: 128mb
volumes:
- postgresql-data:/var/lib/postgresql/data
- manager-data:/storage
keycloak:
restart: always
image: openremote/keycloak:${KEYCLOAK_VERSION:-latest}
depends_on:
postgresql:
condition: service_healthy
volumes:
- ./deployment:/deployment
environment:
KEYCLOAK_ADMIN_PASSWORD: ${OR_ADMIN_PASSWORD:-password}
KC_HOSTNAME: ${OR_HOSTNAME:-0.123.456.789}
KC_HOSTNAME_PORT: ${OR_SSL_PORT:–1}
manager:
privileged: true
restart: always
image: openremote/manager:${MANAGER_VERSION:-latest}
depends_on:
keycloak:
condition: service_healthy
ports:
- “127.0.0.1:8405:8405” # Localhost metrics access
environment:
OR_SETUP_TYPE:
OR_ADMIN_PASSWORD: ${OR_ADMIN_PASSWORD:-password}
OR_SETUP_RUN_ON_RESTART:
OR_EMAIL_HOST:
OR_EMAIL_USER:
OR_EMAIL_PASSWORD:
OR_EMAIL_X_HEADERS:
OR_EMAIL_FROM:
OR_EMAIL_ADMIN:
OR_METRICS_ENABLED: ${OR_METRICS_ENABLED:-true}
OR_HOSTNAME: ${OR_HOSTNAME:-0.123.456.789}
OR_ADDITIONAL_HOSTNAMES:
OR_SSL_PORT: ${OR_SSL_PORT:–1}
OR_DEV_MODE: ${OR_DEV_MODE:-false}
# The following variables will configure the demo
OR_FORECAST_SOLAR_API_KEY:
OR_OPEN_WEATHER_API_APP_ID:
OR_SETUP_IMPORT_DEMO_AGENT_KNX:
OR_SETUP_IMPORT_DEMO_AGENT_VELBUS:
volumes:
- manager-data:/storage
- ./deployment:/deployment