Based on the provided knowledge sources, it appears that Ory Tunnel is primarily designed for local development and testing purposes, and it typically runs over HTTP. However, there are ways to use HTTPS with Ory Tunnel, although it may require some additional configuration. For local development, Ory Tunnel can be run using self-signed TLS certificates. Here's how you can set it up: 1. Generate self-signed TLS certificates:

openssl genrsa -out key.pem 4096 openssl req -new -x509 -sha256 -key key.pem -out cert.crt -days 365

2. Use these certificates when running Ory Tunnel:

SERVE_TLS_CERT_BASE64=$(base64 -i cert.crt) SERVE_TLS_KEY_BASE64=$(base64 -i key.pem)  npx @ory/cli tunnel --dev <https://localhost:8080> \     -e SERVE_TLS_CERT_BASE64="$SERVE_TLS_CERT_BASE64" \     -e SERVE_TLS_KEY_BASE64="$SERVE_TLS_KEY_BASE64"

It's important to note that using self-signed certificates will likely result in browser warnings, as mentioned in the [Hydra Self-hosted Configuration guide](https://www.ory.sh/docs/hydra/self-hosted/configure-deploy#perform-oauth-20-flow). For production use, it's recommended not to use Ory Tunnel. Instead, you should set up a custom domain for your Ory Network project and use proper SSL/TLS certificates. This approach is described in the [Go to production](https://www.ory.sh/docs/getting-started/integrate-auth/expressjs#go-to-production) section of various integration guides. Remember that Ory Tunnel is primarily a development tool, as stated in the [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel): "The Ory Tunnel is designed for development purposes only and should not be used in production environments." If you're experiencing specific issues with setting up HTTPS for Ory Tunnel, you might need to provide more details about your setup and the exact error messages you're encountering.

@chilly-king-10285 thanks! I ran the command in step 2 but i'm getting this error:

unknown shorthand flag: 'e' in -e

. do you know how to get past it?

I apologize for the confusion in my previous response. The error you're encountering suggests that the command syntax I provided was incorrect for the Ory CLI. Let me provide you with the correct way to use Ory Tunnel with HTTPS. Based on the [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel), the correct command structure for running Ory Tunnel doesn't use the

-e

flag for environment variables. Instead, you should set these as actual environment variables before running the command. Here's the corrected approach: 1. First, set the environment variables for your TLS certificate and key:

export SERVE_TLS_CERT_BASE64=$(base64 -i cert.crt) export SERVE_TLS_KEY_BASE64=$(base64 -i key.pem)

2. Then, run the Ory Tunnel command:

ory tunnel --project <project-id> <https://localhost:8080>

Make sure to replace

<project-id>

with your actual Ory project ID or slug. If you want to specify a different port, you can use the

--port

flag:

ory tunnel --project <project-id> --port 4443 <https://localhost:4443>

Remember that when using self-signed certificates, you might need to use the

--skip-tls-verify

flag in your client applications or accept the security risk in your browser when accessing the tunnel. Also, keep in mind that Ory Tunnel is designed for development purposes only, as stated in the [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel): "The Ory Tunnel command connects your application and Ory's APIs through a local HTTP server. This enables both to run on the same domain or subdomain (for example, yourapp.com, localhost), which is required for cookies to function correctly." If you're still encountering issues, please provide more details about your setup and any error messages you receive.

Thank you for providing more details about your setup. The ERR_SSL_PROTOCOL_ERROR you're encountering is likely related to the SSL/TLS configuration. Let's try to address this issue step by step. 1. First, make sure you're using the correct syntax for the Ory Tunnel command. Based on the [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel), the correct format is:

ory tunnel <application-url> [<tunnel-url>] [flags]

So, your command should look like this:

ory tunnel <https://local.goriv.co:3000/token> <https://local.goriv.co:4000> --debug

2. The ERR_SSL_PROTOCOL_ERROR usually occurs when there's a mismatch between the SSL/TLS configuration of the server and what the browser expects. Since you're using a custom domain (local.goriv.co), make sure that your self-signed certificate is created for this domain. 3. Generate a new self-signed certificate for your domain:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=<http://local.goriv.co|local.goriv.co>"

4. Set the environment variables with the new certificate:

export SERVE_TLS_CERT_BASE64=$(base64 -i cert.pem)    export SERVE_TLS_KEY_BASE64=$(base64 -i key.pem)

5. Run the Ory Tunnel command:

ory tunnel <https://local.goriv.co:3000/token> <https://local.goriv.co:4000> --debug

6. When accessing https://local.goriv.co:4000 in your browser, you will likely see a security warning because you're using a self-signed certificate. You'll need to add an exception in your browser to proceed. If you're still encountering issues, here are a few more things to check: - Ensure that your local DNS or hosts file is configured to resolve local.goriv.co to your local machine (127.0.0.1). - Check if the port 4000 is open and not being used by another application. - Make sure you're using the latest version of the Ory CLI. Remember, as mentioned in the [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel), "The Ory Tunnel is designed for development purposes only and should not be used in production environments." For production use, it's recommended to set up a proper SSL/TLS certificate and use Ory's custom domain feature. If these steps don't resolve the issue, please provide any error messages you see in the terminal when running the Ory Tunnel command with the --debug flag. This will help in further diagnosing the problem.

To verify that the environment variables are being passed properly to the Ory Tunnel command, you can use a few methods. Here's how you can check: 1. Echo the environment variables: Before running the Ory Tunnel command, you can echo the environment variables to make sure they are set correctly:

echo $SERVE_TLS_CERT_BASE64    echo $SERVE_TLS_KEY_BASE64

These should output the base64 encoded contents of your certificate and key. 2. Use the

--debug

flag: As you've already been using the

--debug

flag, it should provide more detailed output. Look for any messages related to TLS or certificate loading in the debug output. 3. Check the Ory Tunnel logs: When you run the Ory Tunnel command with

--debug

, look for any messages indicating that it's using the TLS certificate and key. There should be some output related to starting the HTTPS server. 4. Verify the certificate: You can use OpenSSL to verify that your certificate is valid for the domain you're using:

openssl x509 -in cert.pem -text -noout | grep CN

This should show "CN=local.goriv.co" if you've created the certificate correctly. 5. Test the certificate and key: You can use OpenSSL to test if the certificate and key pair match:

openssl x509 -noout -modulus -in cert.pem | openssl md5    openssl rsa -noout -modulus -in key.pem | openssl md5

These commands should output the same MD5 hash if the certificate and key match. If after these checks you're still encountering the

ERR_SSL_PROTOCOL_ERROR

, it's possible that there might be an issue with how Ory Tunnel is handling the TLS configuration. In this case, you might want to try an alternative approach: 1. Instead of using environment variables, you can specify the paths to your certificate and key files directly:

ory tunnel <https://local.goriv.co:3000/token> <https://local.goriv.co:4000> --debug --https-tls-cert-path=./cert.pem --https-tls-key-path=./key.pem

This method is mentioned in the [Ory Hydra FAQ](https://www.ory.sh/docs/hydra/faq#how-can-i-import-tls-certificates), and while it's referring to Hydra specifically, it might also work for Ory Tunnel. If you're still experiencing issues after trying these steps, it would be helpful to see the full debug output from the Ory Tunnel command. This could provide more clues about what might be causing the SSL protocol error. Remember, as stated in the [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel), "The Ory Tunnel is designed for development purposes only and should not be used in production environments." If you're preparing for a production environment, you should consider setting up a proper SSL/TLS certificate and using Ory's custom domain feature instead.

I apologize for the confusion in my previous response. It seems that the

--https-tls-cert-path

and

--https-tls-key-path

flags are not available for the Ory Tunnel command. This was my mistake in suggesting a method that works for Ory Hydra but not for Ory Tunnel. Based on the [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel), the correct way to run Ory Tunnel with HTTPS is to use environment variables. Let's try the following steps: 1. First, ensure your certificate and key are properly encoded:

export SERVE_TLS_CERT_BASE64=$(base64 -i ./__certs__ory/cert.pem)    export SERVE_TLS_KEY_BASE64=$(base64 -i ./__certs__ory/key.pem)

2. Then, run the Ory Tunnel command:

ory tunnel <https://local.goriv.co:3000/token> <https://local.goriv.co:4000> --debug

Make sure you're using the latest version of the Ory CLI, as the available options might vary between versions. If you're still encountering issues, you can try running the tunnel without HTTPS for debugging purposes:

ory tunnel <http://local.goriv.co:3000/token> <http://local.goriv.co:4000> --debug

This will allow you to verify if the tunnel is working correctly without the SSL/TLS layer. Remember, as stated in the [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel), "The Ory Tunnel is designed for development purposes only and should not be used in production environments." If you're preparing for a production environment, you should consider using Ory's custom domain feature with proper SSL/TLS certificates instead of the tunnel. If you're still experiencing issues, please provide the full debug output from the Ory Tunnel command, as it might contain valuable information for troubleshooting.