I confirm that

Now maybe the issue is not with the first request (redirect) to the job status REST resource, but with the following requests, meaning that maybe JobStatusResourceImpl puts the bad URL in the JSON response. I haven't debugged this code yet.

is correct. The job status is first accessed with https (after the first redirect) and then again with http. I reproduce this problem in a standard Apache/Tomcat/Debian XWiki setup and the "self" link is indeed using http even though the wiki descriptor's secure property is set.