JWKS endpoint returns HTTP Error 500

Summary

When trying to connect a self-hosted Vault instance to a self-hosted GitLab, both running on AWS EKS, the endpoint https://gitlab-domain/-/jwks returns HTTP Error 500.

Steps to reproduce

Install GitLab with Helm charts on Kubernetes and access the URL https://gitlab-domain/-/jwks

Current behavior

HTTP Error 500 is thrown

Expected behavior

Seeing the JSON Web Key Set

Versions

  • Chart: Original installation was 14.4.1, now running 15.0.1
  • Platform:
    • Cloud: EKS
  • Kubernetes: (kubectl version)
    • Client: 1.21
    • Server: 1.21
  • Helm: (helm version)
    • Client: 3.6

Relevant logs

From the gitlab-webservice-default pod:

Completed 500 Internal Server Error
  
OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key: nested asn1 error):

Fixes

I had to reformat openid_connect_signing_key and ci_jwt_signing_key and reinsert them into the gitlab-rails-secret. They are originally saved in a string format that is not parseable by OpenSSL. Once generated in 14.4.1, the gitlab-rails-secret seems to be moved forward through updates, and this resulted in the above error even in version 15.0.1.
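
A check for the failure described under Fixes, as an added example that is not part of the original issue or GitLab's own code: it loads a secrets.yml document and tries to parse the two signing keys with OpenSSL::PKey::RSA, the class named in the log. The `production` nesting, the function name `check_signing_keys`, the damage hints and the sample keys are assumptions constructed for illustration; the issue does not say how the stored strings were malformed.

```ruby
require "openssl"
require "yaml"

# Key names are taken from the issue; the "production" nesting is an assumption.
SIGNING_KEYS = %w[openid_connect_signing_key ci_jwt_signing_key].freeze

# Returns { key_name => { ok:, detail: } } for each signing key in a secrets.yml document.
def check_signing_keys(secrets_yaml, env: "production")
  section = (YAML.safe_load(secrets_yaml) || {}).fetch(env, {})
  SIGNING_KEYS.to_h do |name|
    value = section[name].to_s
    result =
      if value.strip.empty?
        { ok: false, detail: "missing" }
      else
        begin
          key = OpenSSL::PKey::RSA.new(value)
          if key.private?
            { ok: true, detail: "RSA private key, #{key.n.num_bits} bits" }
          else
            { ok: false, detail: "public key only; signing needs the private key" }
          end
        rescue OpenSSL::PKey::PKeyError => e
          # Hints only: two ways a PEM string can be damaged (assumed, not from the issue).
          hint = if value.include?("\\n") then "contains literal \\n sequences"
                 elsif !value.include?("\n") then "no line breaks in PEM"
                 else "PEM body damaged"
                 end
          { ok: false, detail: "#{e.class}: #{hint}" }
        end
      end
    [name, result]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one intact key, one with newlines flattened to literal "\n".
  pem = OpenSSL::PKey::RSA.new(2048).to_pem
  sample = { "production" => {
    "openid_connect_signing_key" => pem,
    "ci_jwt_signing_key" => pem.gsub("\n") { "\\n" }
  } }.to_yaml
  check_signing_keys(sample).each do |name, r|
    puts format("%-28s %-4s %s", name, r[:ok] ? "OK" : "FAIL", r[:detail])
  end
end
```

Run it against the secrets.yml content extracted from gitlab-rails-secret; any FAIL line identifies a key that would make the /-/jwks endpoint raise the error shown in the log.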