For now, it's up, I'll come back to this... work around is for now:
$ dokku apps:destroy keycloak --force
Then push out to deploy again. All data is stored host side on a persistent volume.
OK, so in order to get a fresh install working I ran dokku apps:destroy keycloak and then a new build worked just fine! Then testing that, on pushing out to Gitea/Drone for a deploy, I got another failure with the same error as above (see https://drone.autonomic.zone/autonomic-cooperative/keycloak/8/1/3). So, it seems like additional deployments will fail without wiping out the app...
It may be something to do with this log:
remote: 11:46:08,398 WARN [org.jboss.as.domain.management.security] (MSC service thread 1-1) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
Perhaps the second keycloak is generating a cert that is only valid for localhost but the app already has the LE certs mounted into the storage. This might be it...
remote: curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
remote: ! Check attempt 3/5 failed.
remote: Attempt 4/5. Waiting for 30 seconds ...