The only thing I can think of is the JWKs URL is on port 13034, and AM believes it runs on port 443. In an OAuth 2.0 token AM will send the issuer value as https://am.hello.com (may be with the port :443), but the JWK URL is on the public port which could be rejected. This can happen also when AM is behind a firewall/load balancer. In this case you can override the issuer value in the configuration.
Now that you have AM up and running, have you observed something wrong?
NB: Out of curiosity, your jar file openam-configurator-tool.jar was it inside the container, or outside. If it was inside, I would expect that it would resolve the FQDN locally, and therefore it would find it on port 443.