unable to start mercure due to key parsing issues

[Noramarth]

I am using a docker compose environment (too big to paste here).
I am creating the private/public keys using symfony + lexik jwt generator to output public and private .pem(s)
then in the same container I am using this entrypoint to convert them to what is supposed to be mercure unencrypted format:

openssl rsa -in /app/config/jwt/private.pem -passin env:JWT_PASSPHRASE -out /app/config/jwt/private_mercure.pem
openssl rsa -in /app/config/jwt/private_mercure.pem -pubout -RSAPublicKey_out -out /app/config/jwt/public_mercure.pub
chmod 644 /app/config/jwt/public_mercure.pub
chmod 644 /app/config/jwt/private_mercure.pem

(I ended up decrypting the private key as I found multiple posts online saying that encrypted private keys do not work)

Then the newly created keys are then mounted into the mercure container like this (pasting the whole composer service for clarity):

mercure:
  container_name: "mercure"
  image: dunglas/mercure
  restart: unless-stopped
  ports:
    - "9091:80"
  healthcheck:
    test: ["CMD", "wget", "-q", "--spider", "https://localhost/healthz"]
    timeout: 5s
    retries: 5
    start_period: 60s
  depends_on:
    - authentication
  volumes:
    - ./api/authentication/config/jwt/private_mercure.pem:/etc/mercure/secrets/private.pem:ro
    - ./api/authentication/config/jwt/public_mercure.pub:/etc/mercure/secrets/public.pub:ro
    - ./configs/local/backend/entrypoints/mercure:/app/entrypoint:ro
  entrypoint: /app/entrypoint
  environment:
    MERCURE_PUBLISHER_JWT_ALG: RS256
    MERCURE_SUBSCRIBER_JWT_ALG: RS256

Of course these need to be converted
so in the mercure service entrypoint I now have:

#!/bin/sh

MERCURE_PUBLISHER_JWT_KEY="$(cat /etc/mercure/secrets/private.pem)"
MERCURE_SUBSCRIBER_JWT_KEY="$(cat /etc/mercure/secrets/public.pub)"
export MERCURE_PUBLISHER_JWT_KEY
export MERCURE_SUBSCRIBER_JWT_KEY

printenv

exec /usr/bin/caddy run --config /etc/caddy/dev.Caddyfile

I've been bashing my brains with trial and error for over 2 days now but no matter what happens I end up bashing my head against the same wall:

HOSTNAME=ae3c15e2f80f
SHLVL=1
HOME=/root
MERCURE_SUBSCRIBER_JWT_KEY=-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqytdZJKh1MIS3eDL9QIWoLimdfDyHmqLAtH3dv/UO1cY5kYJfUAG
m7wBeHCCbnrBdqeZzsGxe8YloWz85D/h35No6a+KV4MU5LP7Zj0GNXNuXQV3C9EO
v8NriYXXVU81RCCYq9g3zWh3x2vdqjnNKFgP9NXldaS9gPnHnDuPaBeawqZWn7rc
UKDp0r/QWvaYH1GZjzEjYgwd82GtRLQ+xjmTH+zz6bFyWFTHT3r8wcqRNFquqBKs
mqM/vRYGYkPta47/DIWpJfpyhWLgWAr1x0lUWP7BmUlMw0szxuoOvRd55sul1GNF
7L8I4+9WEUAZw2Euiqhq46SKNsh0S6IDtQIDAQAB
-----END RSA PUBLIC KEY-----
CADDY_VERSION=v2.10.0
MERCURE_PUBLISHER_JWT_KEY=-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrK11kkqHUwhLd
4Mv1AhaguKZ18PIeaosC0fd2/9Q7VxjmRgl9QAabvAF4cIJuesF2p5nOwbF7xiWh
bPzkP+Hfk2jpr4pXgxTks/tmPQY1c25dBXcL0Q6/w2uJhddVTzVEIJir2DfNaHfH
a92qOc0oWA/01eV1pL2A+cecO49oF5rCplafutxQoOnSv9Ba9pgfUZmPMSNiDB3z
Ya1EtD7GOZMf7PPpsXJYVMdPevzBypE0Wq6oEqyaoz+9FgZiQ+1rjv8Mhakl+nKF
YuBYCvXHSVRY/sGZSUzDSzPG6g69F3nmy6XUY0Xsvwjj71YRQBnDYS6KqGrjpIo2
yHRLogO1AgMBAAECggEAQCxVat/oqWYLgcEGZnieeCpSSlSHyayDKo8CuswmSwsX
7Dlk1F79O0TsvjVcSURfpPcoHJKU0oVS1WcRlxd2PQa8piQody/PVQE/ZzDI06BP
x7NFUxpRb8a52gjiVvsHyt93rbG2Fh4tDgicRfY+uvntHYtV6FnXrHO5CRNxbAIU
ZhOBLmIbWnI5xFb32I9StBo/96T0kl/aqLkUqa7zsxDxodApM6iYTbqKax5Cqnfn
CINHi29HQ1WvVoN+I0K9oCgYSCFBxLbxJBE1VaS36MNYjs5c+6A6cCjySApLkbKO
94eY7BqCke17kWPSULgcYn4p6bkprxH/pGaPX7jdzwKBgQDa8WGrtAcQHc08Rrjz
aFhQrNlZ36PcyP70ZbEyikGm2L9G6j3E5YLdVbpE6dGtanbom7AMYxZHBTE+K4Uq
Eq8bCOqtr6M80XozYrthY5bWmCxGDERa0AVnnjERiP1hVf60N7dhkyx/IqPLzX+J
B6asdO9ZKqG3Yvx8dnSn4JuUDwKBgQDII/7/k4Sk3cPtaNg4cnPRpUCdpTeOcZ8Z
0z/TPtCJn0bEupID+N0kcfVN34/RH3xG60veBSvhHDiIe26181/c/Ns7VwX7+M5u
qq+xBQzudwnUV6s9JZNJhdFQ5KIGKt5QkCJShX7edPY4T9YNA9KgTmxepYZ7EiKR
iXrIlg2X+wKBgCFA/Fa590CpZhy7mSfPN2q5diHCZ/8GwEKal3lXqnUPAq5gsZUQ
TvoTJUGGSgSO4RSfYPPgsOeEkGAi+AzV3aa7iflrbd2061yWqGM4Xxak8kSJZHBu
nAOK8WT6a5G3IAJ7W+0ED4QX3Mz9n1tOwC/9asUeRoW2ESdOTpWY9chdAoGALn0m
A0nJ2t3kX+Ylq17yhjUDgFrbP8wmr8IBJlmF6SHFN3c66Y9KFugdmdwfNO1CWdrY
AZdj7OM4QoOhYMRKdTOK3QrGyhOuJ8igDNdmfJHMB7Xhgc+TmdVqnIavGA2nHEGO
p2p44MV8V/I7f0RvDWuKAqYiSb4Zp4KusZ8hQzcCgYEAgv93dKh6Cl/s4bBoa7ot
3igSObDFomhT+4TFATadFlGixoL57q7I8RCqM7t2KnobSw8z+k/l1brGyyC4jlvZ
k1PeL2HhJwBDXb2rhN8P5k006lxRfdYjF5EpgUL3jrsdoqDiNalula5Fzgxes07q
n6wd0T0tykS0lt6/Nw5AOpo=
-----END PRIVATE KEY-----
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MERCURE_SUBSCRIBER_JWT_ALG=RS256
XDG_CONFIG_HOME=/config
XDG_DATA_HOME=/data
MERCURE_PUBLISHER_JWT_ALG=RS256
PWD=/srv
{"level":"info","ts":1754642270.88537,"msg":"maxprocs: Leaving GOMAXPROCS=16: CPU quota undefined"}
{"level":"info","ts":1754642270.8854728,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":30124822118,"previous":9223372036854775807}
{"level":"info","ts":1754642270.8855019,"msg":"using config from file","file":"/etc/caddy/dev.Caddyfile"}
{"level":"info","ts":1754642270.8860676,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1754642270.8860726,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/dev.Caddyfile","line":6}
{"level":"info","ts":1754642270.8866968,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1754642270.8869183,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1754642270.8869298,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1754642270.8869781,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00070c680"}
{"level":"info","ts":1754642270.8873785,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00070c680"}
{"level":"info","ts":1754642270.8874,"msg":"maxprocs: No GOMAXPROCS change to reset"}
Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 1: loading handler modules: position 1: loading module 'mercure': provision http.handlers.mercure: unable to parse RSA public key: asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:13 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} int @5

I am going bonkers so if someone can please help???

P,S. setting up a custom Caddyfile and loading the files directly ends up in the exact same thing, so I went back to "basics" and went with everything to defaults and tried to respect the configs in the documentation to the letter

[dunglas]

Could you please show your Caddyfile?

[Noramarth]

It's simply the default one coming with the dunglas/mercure image. No changes or overrides

# Learn how to configure the Mercure.rocks Hub on https://mercure.rocks/docs/hub/config
{
	{$GLOBAL_OPTIONS}
}

{$CADDY_EXTRA_CONFIG}

{$SERVER_NAME:localhost} {
	log {
		format filter {
			fields {
				request>uri query {
					replace authorization REDACTED
				}
			}
		}
	}

	encode zstd gzip

	mercure {
		# Publisher JWT key
		publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
		# Subscriber JWT key
		subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
		# Permissive configuration for the development environment
		cors_origins *
		publish_origins *
		demo
		anonymous
		subscriptions
		# Extra directives
		{$MERCURE_EXTRA_DIRECTIVES}
	}

	{$CADDY_SERVER_EXTRA_DIRECTIVES}

	redir / /.well-known/mercure/ui/

	respond /healthz 200
	respond /robots.txt `User-agent: *
	Disallow: /`
	respond "Not Found" 404
}