CACHE_TLS_SERVER key and cert used for JWKS endpoint?

[andoks]

I have an issue, where I am setting up rauthy behind a tls-terminating reverse-proxy, and rauthy's jwks endpoint is primarily used inside a virtual network, so I decided that rauthy itself does not need to encrypt any network connections.

However I discovered that another service (running within the same virtual network) refuses to connect to JWKS endpoints through plain HTTP. Therefore I needed to setup rauthy to serve the jwks endpoint over https (in addition to http) using a self-signed key and cert.

From https://sebadob.github.io/rauthy/config/tls.html?highlight=certificate#config I thought I needed to set the server certificates, but this didn't seem to affect the JWKS endpoint. But when I overwrite the /app/tls/cert-chain.pem and /app/tls/key.pem with said self-signed keypair, it seems to work. Is this as expected? I might have gotten the wrong impression that the "cache" here was the distributed HA cache only from reference config:

#####################################
############## CACHE ################
#####################################

# If the cache should start in HA mode or standalone
# accepts 'true|false', defaults to 'false'
#HA_MODE=false

[sebadob]

However I discovered that another service (running within the same virtual network) refuses to connect to JWKS endpoints through plain HTTP. Therefore I needed to setup rauthy to serve the jwks endpoint over https (in addition to http) using a self-signed key and cert.

That makes sense, since the RFC suggests that clients should never fetch the public keys via plain HTTP for good reason.

From https://sebadob.github.io/rauthy/config/tls.html?highlight=certificate#config I thought I needed to set the server certificates, but this didn't seem to affect the JWKS endpoint.

The Cache TLS is independent from the TLS_KEY and TLS_CERT, which are used for the public API only. But, these values are ignored when the LISTEN_SCHEME is set to http only. This must be either https or http_https, which should spawn 2 servers.

[andoks]

The Cache TLS is independent from the TLS_KEY and TLS_CERT, which are used for the public API only. But, these values are ignored when the LISTEN_SCHEME is set to http only. This must be either https or http_https, which should spawn 2 servers.

Thanks, that was what I thought too, and makes sense. What I was wondering about though, was if there possibly was a bug where the JWKS endpoint was encrypted with the CACHE_TLS_SERVER_CERT and CACHE_TLS_SERVER_KEY instead of the TLS_KEY and TLS_CERT keypair. But it seems I must have done something else wrong, as when I double-checked it now, it indeed seems to use TLS_KEY and TLS_CERT as expected.

Thanks for the awesome software 🙂