Error 500 after logging in with Zitadel

Describe the problem

I have a working Zitadel setup and closely followed the advanced guide for installing Netbird. However, once I log in via Zitadel with the admin account, I keep getting an error 500.

To Reproduce

Steps to reproduce the behavior:

  1. Navigate to https://netbird.mydomain.com
  2. Zitadel shows up, authenticate with an account

Expected behavior

Redirection to admin dashboard.

Are you using NetBird Cloud?
Self-hosted.

NetBird version

0.56.1

Is any other VPN software installed?

No.

Screenshots

Additional context
Netbird is behind a reverse proxy (traefik). The setup I have is roughly the same as described here: https://www.reddit.com/r/selfhosted/comments/xpju6p/comment/iu85hqy/?utm_source=share&utm_medium=web2x&context=3

Looking at the requests, the error is coming from https://netbird.example.com/api/users and https://netbird.example.com/api/users/current.

I checked every log, and didn’t find anything relevant.

Have you tried these troubleshooting steps?

  • [ x ] Reviewed client troubleshooting (if applicable)
  • [ x ] Checked for newer NetBird versions
  • [ x ] Searched for similar issues on GitHub (including closed ones)
  • [ x ] Restarted the NetBird client
  • [ x ] Disabled other VPN software
  • [ x ] Checked firewall settings

Roughly the same != the same. Preferably it would be nice to obtain your setup, know how you’ve set it up and the config you use. Otherwise, if you have a single config entry that is different from that post, it wouldn’t apply to any of us. Making it harder to figure out what the solution could be.

Sure.

My dynamic_config.yml for traefik:

http:
  routers:
    netbird:
      entryPoints: websecure
      rule: Host(`netbird.example.com`)
      tls:
        certResolver: letsencrypt
      service: netbird

    netbirdapi:
      entryPoints: websecure
      rule: Host(`netbird.example.com`) && PathPrefix(`/api`)
      tls:
        certResolver: letsencrypt
      service: netbirdapi
    
    netbirdmanagement:
      entryPoints: websecure
      rule: Host(`netbird.example.com`) && PathPrefix(`/management`)
      tls:
        certResolver: letsencrypt
      service: netbirdmanagement
      
    netbirdsignal:
      entryPoints: websecure
      rule: Host(`netbird.example.com`) && PathPrefix(`/signalexchange`)
      tls:
        certResolver: letsencrypt
      service: netbirdsignal
      
  services:
    netbird:
      loadbalancer:
        passHostHeader: true
        servers:
          - url: 'http://dashboard:80'
    netbirdapi:
      loadbalancer:
        servers:
          - url: 'http://management:33073'
    netbirdmanagement:
      loadbalancer:
        servers:
          - url: 'h2c://management:33073'
    netbirdsignal:
      loadbalancer:
        servers:
          - url: 'h2c://signal:10000'

Changed values in dashboard service in docker-compose.yml

- NETBIRD_MGMT_API_ENDPOINT=https://netbirdapi.example.com:443
- NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbirdapi.example.com:443

Changed signal port in management.json

...
"Signal": {
    "Proto": "http",
    "URI": "netbird.example.com:443",
    "Username": "",
    "Password": null
},
...

OK, so I managed to fix this by changing the Traefik rules to match the new Netbird API:

    netbird:
      rule: "Host(`netbird.example.com`)"
      service: netbird
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
 
    netbirdapi:
      rule: "Host(`netbird.example.com`) && PathPrefix(`/api`)"
      service: netbirdapi
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
 
    netbirdrelay:
      rule: "Host(`netbird.example.com`) && PathPrefix(`/relay`)"
      service: netbirdrelay
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
 
    netbirdmanagement:
      rule: "Host(`netbird.example.com`) && PathPrefix(`/management.ManagementService/`)"
      service: netbirdmanagement
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
 
    netbirdsignal:
      rule: "Host(`netbird.example.com`) && PathPrefix(`/signalexchange.SignalExchange/`)"
      service: netbirdsignal
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

However, I still have issues when trying to set up a peer from an Android phone.

At first there was an issue where the authentication redirect_uri was set to http://localhost:5300, which I’m still not sure what it is referring to (localhost of Zitadel or Netbird management?), so I had to add the correct URLs in management.json manually:

"RedirectURLs": [
    "https://netbird.example.com/auth",
    "https://netbird.example.com/silent-auth",
    "http://localhost:53000"
],

Now, when trying to connect with the Android app, I’m redirected to the Zitadel login page, but after I connect I receive a login error saying “Oops, something went wrong unauthenticated”.

This only happens with the Android app, I managed to connect a Linux device without any problems.
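When a path such as /api/users returns a 500 behind Traefik, it helps to confirm which router (and therefore which backend) the request actually reaches. The following is an added example, not code from this thread or from the Traefik or NetBird projects: it evaluates the five router rules from the working configuration above, assuming only `Host` and `PathPrefix` matchers joined by `&&`, and applies Traefik's default priority (the longest rule string wins). The request paths are constructed samples.

```python
import re

# Router rules copied from the working configuration posted above.
ROUTERS = {
    "netbird": "Host(`netbird.example.com`)",
    "netbirdapi": "Host(`netbird.example.com`) && PathPrefix(`/api`)",
    "netbirdrelay": "Host(`netbird.example.com`) && PathPrefix(`/relay`)",
    "netbirdmanagement": "Host(`netbird.example.com`) && PathPrefix(`/management.ManagementService/`)",
    "netbirdsignal": "Host(`netbird.example.com`) && PathPrefix(`/signalexchange.SignalExchange/`)",
}

MATCHER = re.compile(r"(Host|PathPrefix)\(`([^`]*)`\)")


def parse_rule(rule):
    """Split an '&&'-joined rule into (matcher, value) pairs."""
    pairs = []
    for part in rule.split("&&"):
        m = MATCHER.fullmatch(part.strip())
        if m is None:
            # e.g. Host(netbird.example.com) written without backticks
            raise ValueError(f"unsupported or malformed matcher: {part.strip()!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def matches(rule, host, path):
    """True when every matcher in the rule accepts this host and path."""
    for kind, value in parse_rule(rule):
        if kind == "Host" and host.lower() != value.lower():
            return False
        if kind == "PathPrefix" and not path.startswith(value):
            return False
    return True


def resolve(routers, host, path):
    """Return the winning router name, or None when no rule matches."""
    hits = [name for name, rule in routers.items() if matches(rule, host, path)]
    # Traefik's default priority is the length of the rule string.
    return max(hits, key=lambda name: len(routers[name]), default=None)


if __name__ == "__main__":
    # Constructed sample request paths.
    for p in ("/", "/api/users/current", "/relay",
              "/management.ManagementService/Sync",
              "/signalexchange.SignalExchange/Send"):
        print(f"{p:40} -> {resolve(ROUTERS, 'netbird.example.com', p)}")
```

A path that resolves to `netbird` instead of the expected API or gRPC router is being served by the dashboard container, which is worth ruling out before digging through the management logs.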
