Selfhosted script installation failed

Hi!

I’m new to netbird and kindly ask for your advice as I haven’t had any contact with netbird or zitadel.

Trying to get the docker containers up, I used the script provided by netbird: "export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash", changed the domain and hoped for the best…

After an hour, I was seeing this:
Initializing Zitadel with NetBird’s applications

Waiting for Zitadel’s PAT to be created . . . . . . . . . . . . . . . . . . . . [dots continue for the rest of the output]
I stopped the process.

The zitadel logs show this error:
…level=fatal msg="unable to initialize the database" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/init.go:68" error="failed to connect to user=root database=postgres: 172.19.0.3:5432 (zdb): failed SASL auth: FATAL: password authentication failed for user "root" (SQLSTATE 28P01)"

As I haven’t touched the configuration-files I thought that the script is taking care of the basic configuration.

What is it that I have to do to get this solved?

Kind regards,

tom

Hi Tom, the script should handle all setup; maybe something else is influencing the configuration. Can you check the logs from the other containers?

Hi mlsmaycon,

#1
this is from the caddy-log:

DBG ts=1760516795.5405 logger=http.stdlib msg=http: TLS handshake error from 165.22.72.144:20586: no certificate available for '172.19.0.2'

DBG ts=1760516795.7801268 logger=http.stdlib msg=http: TLS handshake error from 165.22.72.144:58968: no certificate available for '172.19.0.2'

DBG ts=1760517434.2264104 logger=http.stdlib msg=http: TLS handshake error from 172.71.166.63:9575: no certificate available for 'my.domain'

DBG ts=1760517561.1881485 logger=http.handlers.reverse_proxy msg=upstream roundtrip upstream=dashboard:80 duration=0.00186543 request={"remote_ip":"79.98.243.59","remote_port":"52039","client_ip":"79.98.243.59","proto":"HTTP/1.1","method":"GET","host":"my.ip:80","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"],"Content-Length":["0"],"X-Forwarded-For":["79.98.243.59"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["my.ip:80"],"Via":["1.1 Caddy"]}} error=dial tcp: lookup dashboard on 127.0.0.11:53: no such host

ERR ts=1760517561.1881936 logger=http.log.error msg=dial tcp: lookup dashboard on 127.0.0.11:53: no such host request={"remote_ip":"79.98.243.59","remote_port":"52039","client_ip":"79.98.243.59","proto":"HTTP/1.1","method":"GET","host":"my.ip:80","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"],"Content-Length":["0"]}} duration=0.001996623 status=502 err_id=fh3btvsz9 err_trace=reverseproxy.statusError (reverseproxy.go:1390)

172.19.0.2 is netbird-caddy-1
I changed the log-file to my.domain and my.ip!

#2
and netbird-zdb-1:

2025-10-15 08:47:55.073 UTC [10928] FATAL: password authentication failed for user "root"

2025-10-15 08:47:55.073 UTC [10928] DETAIL: Connection matched file "/var/lib/postgresql/data/pg_hba.conf" line 128: "host all all all scram-sha-256"

I just replaced my domain with the IP. No error within the caddy-log.

But zitadel is still showing this:

time="2025-10-15T09:44:03Z" level=info msg="initialization started" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/init.go:75"

time="2025-10-15T09:44:03Z" level=fatal msg="unable to initialize the database" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/init.go:68" error="failed to connect to user=root database=postgres: 172.20.0.2:5432 (zdb): failed SASL auth: FATAL: password authentication failed for user "root" (SQLSTATE 28P01)"

You might have to delete the container in question for it to wipe the postgres installation, if the machine hasn’t been fully installed yet. I’d suggest trying again.

Furthermore, I’m assuming the fqdn is fully reachable so the script is able to request the certificates it needs? Not that it’s behind a firewall somewhere.

When retrying the installation with the script after a failure, you should see an example command to clean up the previous attempt.


I changed the wildcard cloudflare dns-setting to a ‘netbird.domain.me’ one.

#1 caddy-log:

DBG ts=1760538393.8244905 logger=http msg=starting server loop address=[::]:443 tls=true http3=false

INF ts=1760538393.8245125 logger=http msg=enabling HTTP/3 listener addr=:443

INF ts=1760538393.8245883 msg=failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.

INF ts=1760538393.824661 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]

DBG ts=1760538393.8247058 logger=http msg=starting server loop address=[::]:80 tls=false http3=false

WRN ts=1760538393.824717 logger=http msg=HTTP/2 skipped because it requires TLS network=tcp addr=:80

WRN ts=1760538393.824721 logger=http msg=HTTP/3 skipped because it requires TLS network=tcp addr=:80

INF ts=1760538393.8247242 logger=http.log msg=server running name=srv1 protocols=["h1","h2","h3"]

INF ts=1760538393.8247278 logger=http msg=enabling automatic TLS certificate management domains=["my.ip"]

DBG ts=1760538393.8250418 logger=tls msg=stapling OCSP error=no OCSP stapling for [my.ip]: no OCSP server specified in certificate identifiers=["my.ip"]

DBG ts=1760538393.8251166 logger=tls.cache msg=added certificate to cache subjects=["my.ip"] expiration=1768283146 managed=true issuer_key=acme-v02.api.letsencrypt.org-directory hash=1234 cache_size=1 cache_capacity=10000

DBG ts=1760538393.8251357 logger=events msg=event name=cached_managed_cert id=1234 origin=tls data={"sans":["my.ip"]}

DBG ts=1760538393.8251746 logger=events msg=event name=started id=1234 origin= data=null


{"level":"info","ts":1760538393.8351276,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"8c9bc0f8-923f-4e32-a8e5-0a3f376b63b4","try_again":1760624793.8351266,"try_again_in":86399.999999798}

INF ts=1760538393.8352804 logger=tls msg=finished cleaning storage units

INF ts=1760538393.8472936 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

INF ts=1760538393.8473063 msg=serving initial configuration

I do get the certificate!?

#2 zitadel:
still having problems:

time="2025-10-15T14:30:27Z" level=info msg="initialization started" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/init.go:75"

time="2025-10-15T14:30:27Z" level=fatal msg="unable to initialize the database" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/init.go:68" error="failed to connect to `user=root database=postgres`: 172.19.0.3:5432 (zdb): failed SASL auth: FATAL: password authentication failed for user \"root\" (SQLSTATE 28P01)"

#3 zdb-log:

2025-10-15 14:29:26.743 UTC [293] FATAL:  password authentication failed for user "root"

2025-10-15 14:29:26.743 UTC [293] DETAIL:  Connection matched file "/var/lib/postgresql/data/pg_hba.conf" line 128: "host all all all scram-sha-256"

It’s a Hetzner VPS. I added the missing firewall rules to allow the TCP ports (33073, 10000 and 33080) and UDP ports (3478, 49152-65535).

Whenever I have another try, I delete the old folder and start with an empty new folder.

Can you confirm if you also delete all the files and docker volumes?

@mlsmaycon

yes

What I do:

  • with portainer
    #1 stop all three containers
    #2 delete containers and images

  • CLI
    delete the folder, create a new one, cd into this new folder and let the script do its thing…

anything else that I did not see?

There are just two containers active:


I’m having the same problem! I initially installed it on a Debian 13 VM running on a Proxmox behind a NAT, it didn’t work. I thought it was because ports 80 and 443 were behind a NAT and the application couldn’t generate the HTTPS certificates via Certbot, so I hired a VPS from Hetzner, created a firewall rule that allows all incoming traffic to test, and the problem persists. It can’t generate the HTTPS certificate, as far as I understand, and because of that, the installation doesn’t continue.

My netbird-caddy-1 container keeps outputting the log below (the domain has been changed).

{"level":"debug","ts":1762381442.1887,"logger":"events","msg":"event","name":"tls_get_certificate","id":"ddbac7a2-3a13-4b09-8830-6dc28b8c74c8","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47],"ServerName":"vpns.dominio.com.br","SupportedCurves":[4588,29,23,30,24,25,256,257],"SupportedPoints":"AAEC","SignatureSchemes":[2309,2310,2308,1027,1283,1539,2055,2056,2074,2075,2076,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"5.161.250.94","Port":34332,"Zone":""},"LocalAddr":{"IP":"172.18.0.3","Port":443,"Zone":""}}}}
{"level":"debug","ts":1762381442.188746,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"vpns.dominio.com.br"}
{"level":"debug","ts":1762381442.1887507,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.dominio.com.br"}
{"level":"debug","ts":1762381442.1887531,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com.br"}
{"level":"debug","ts":1762381442.1887553,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.br"}
{"level":"debug","ts":1762381442.188757,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
{"level":"debug","ts":1762381442.1887658,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"5.161.250.94","remote_port":"34332","server_name":"vpns.dominio.com.br","remote":"5.161.250.94:34332","identifier":"vpns.dominio.com.br","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47],"cert_cache_fill":0,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1762381442.1888485,"logger":"http.stdlib","msg":"http: TLS handshake error from 5.161.250.94:34332: no certificate available for 'vpns.dominio.com.br'"}

My netbird-zitadel-1 container keeps outputting the log below in loop:

time="2025-11-05T22:26:40Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=auth.refresh_tokens
time="2025-11-05T22:26:42Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.idp_templates6
time="2025-11-05T22:26:43Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.user_auth_methods5
time="2025-11-05T22:26:44Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.secret_generators2
time="2025-11-05T22:26:44Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.quotas
time="2025-11-05T22:26:44Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.personal_access_tokens3
time="2025-11-05T22:26:44Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.password_complexity_policies2
time="2025-11-05T22:26:46Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.login_names3
time="2025-11-05T22:26:47Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.mail_templates2
time="2025-11-05T22:26:48Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.auth_requests
time="2025-11-05T22:26:50Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.web_keys1
time="2025-11-05T22:26:50Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.restrictions2
time="2025-11-05T22:26:50Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.custom_texts2
time="2025-11-05T22:26:50Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.apps7
time="2025-11-05T22:26:51Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.project_grant_members4
time="2025-11-05T22:26:53Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.limits
time="2025-11-05T22:26:55Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.org_metadata2
time="2025-11-05T22:26:55Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.milestones
time="2025-11-05T22:26:55Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.oidc_settings2
time="2025-11-05T22:26:56Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.projects4
time="2025-11-05T22:26:56Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.authn_keys2
time="2025-11-05T22:26:57Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.org_domains2
time="2025-11-05T22:26:58Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.notifications
time="2025-11-05T22:26:59Z" level=debug msg="trigger iteration" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:415" iteration=0 projection=projections.debug_events

I really don’t know what to do anymore.

After 5 hours of racking my brain, I found the problem.

Netbird uses Let’s Encrypt’s ACME validation via IP address. I had tried more than 5 times to install Netbird with the same domain on a VM behind a NAT, which is why Let’s Encrypt blocked the generation of a certificate for my domain.

Because the ACME error log in the caddy was overwritten by dozens of other logs, only after retrieving all the logs and passing them to ChatGPT was it able to find the problem and pass it on to me.

On the instance I set up on Hetzner, I used another domain that I own, and with that, I was able to generate the HTTPS certificate correctly and the installation was completed successfully.

To any friends who encounter this, here’s a tip:

Always install Netbird with external ports 80 and 443 pointing to the host. Unlike other solutions, if it fails to generate an HTTPS certificate, it won’t generate a self-signed certificate and will continue with the installation without displaying an error message or stopping the tool installation.

Tomorrow I’ll start using the solution and see how it performs in my environments! I hope to participate more and more in the Netbird community.
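A small log-triage helper, added here as an example and not part of this thread or of NetBird’s script: it runs over constructed lines modeled on the Caddy, Zitadel and Postgres output quoted above, groups them by the failure signatures the thread identified, and records the severity each one was logged at, so a certificate failure that only ever appears at debug level is not lost among routine output. The domain and addresses in the sample are placeholders.

```python
import json
import re

# Failure signatures this thread ran into, paired with the cause the thread
# arrived at. Patterns are tried in order; the first match wins, so the
# Zitadel "failed SASL auth ... SQLSTATE 28P01" line lands under pg_auth_failed.
SIGNATURES = [
    ("pg_auth_failed",
     re.compile(r"password authentication failed for user|SQLSTATE 28P01"),
     "Postgres rejected the root password: a zdb volume from an earlier "
     "attempt keeps the old credentials. Remove containers AND volumes, "
     "then rerun the script."),
    ("tls_no_certificate",
     re.compile(r"no certificate (available for|matching TLS ClientHello)"),
     "Caddy holds no certificate for that name, so ACME issuance failed. "
     "Check that the A record points at this host, that 80/443 reach it, "
     "and whether Let's Encrypt rate-limited a name retried many times."),
    ("upstream_unresolvable",
     re.compile(r"lookup \S+ on 127\.0\.0\.11:53: no such host"),
     "Caddy cannot resolve an upstream container name on the compose "
     "network: that container is not running."),
]

# Caddy's console encoder abbreviates levels; the other formats spell them out.
CONSOLE_LEVELS = {"DBG": "debug", "INF": "info", "WRN": "warn", "ERR": "error"}
LEVEL_RE = re.compile(
    r'^(DBG|INF|WRN|ERR)\b'          # Caddy console line
    r'|\blevel="?(\w+)'              # Zitadel key=value line
    r'|\b(FATAL|DETAIL|ERROR|LOG):'  # Postgres server log
)


def log_level(line: str) -> str:
    """Best-effort severity for one line in any of the formats quoted in the
    thread: Caddy JSON, Caddy console, Zitadel key=value, Postgres."""
    if line.startswith("{"):
        try:
            return str(json.loads(line).get("level", "unknown")).lower()
        except ValueError:
            return "unknown"
    m = LEVEL_RE.search(line)
    if not m:
        return "unknown"
    token = next(g for g in m.groups() if g)
    return CONSOLE_LEVELS.get(token, token.lower())


def classify(line: str):
    """Name of the first matching failure signature, or None for routine
    output (startup banners, buffer-size notices, projection iterations)."""
    for name, pattern, _hint in SIGNATURES:
        if pattern.search(line):
            return name
    return None


def triage(lines):
    """Group log lines by signature. Each entry records how many lines hit,
    at which severities (a certificate failure that only ever appears at
    debug level is exactly what gets buried), the first offending line and
    the remediation hint from the thread."""
    report = {}
    for raw in lines:
        line = raw.strip()
        name = classify(line) if line else None
        if name is None:
            continue
        entry = report.setdefault(
            name, {"count": 0, "levels": set(), "first": line})
        entry["count"] += 1
        entry["levels"].add(log_level(line))
    for name, _pattern, hint in SIGNATURES:
        if name in report:
            report[name]["hint"] = hint
    return report


# Constructed sample modeled on the Caddy, Zitadel and Postgres lines quoted
# in the thread; addresses and the domain are placeholders.
SAMPLE_LOGS = r"""
DBG ts=1760516795.5405 logger=http.stdlib msg=http: TLS handshake error from 203.0.113.10:20586: no certificate available for 'netbird.example.com'
INF ts=1760538393.8245883 msg=failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB).
ERR ts=1760517561.1881936 logger=http.log.error msg=dial tcp: lookup dashboard on 127.0.0.11:53: no such host status=502
{"level":"debug","ts":1762381442.1887658,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"netbird.example.com","cert_cache_fill":0}
time="2025-10-15T14:30:27Z" level=fatal msg="unable to initialize the database" error="failed to connect to `user=root database=postgres`: 172.19.0.3:5432 (zdb): failed SASL auth: FATAL: password authentication failed for user \"root\" (SQLSTATE 28P01)"
2025-10-15 14:29:26.743 UTC [293] FATAL:  password authentication failed for user "root"
2025-10-15 14:29:26.743 UTC [293] DETAIL:  Connection matched file "/var/lib/postgresql/data/pg_hba.conf" line 128: "host all all all scram-sha-256"
time="2025-11-05T22:26:40Z" level=debug msg="trigger iteration" iteration=0 projection=auth.refresh_tokens
"""


if __name__ == "__main__":
    for name, entry in triage(SAMPLE_LOGS.splitlines()).items():
        print(f"{name}: {entry['count']} line(s) at {sorted(entry['levels'])}")
        print(f"  first: {entry['first'][:100]}")
        print(f"  hint:  {entry['hint']}")
```

To use it on a real attempt, feed it the combined output of docker logs for the caddy, zitadel and zdb containers instead of SAMPLE_LOGS.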

@tacioandrade

Hi!

Thank you for sharing this information.

I just don’t get what you recommend… sorry, I’m new to it all…

With Cloudflare DNS pointing to the correct IP for ‘example.com’ and another A record like ‘netbird.example.com’, isn’t it the case that port 80 is the default port and 443 = https?
http://(netbird).example.com → IP:80
https://(netbird).example.com → IP:443

What is it that I have to make sure?

To solve the problem, I hired a VPS from Hetzner, as it provides a valid IPv4 address directly on the server.

After that, I went to Cloudflare => DNS => Records and created two DNS entries:

A | netbird | 51.xxx.xxx.xxxx
CNAME | *.netbird | netbird.mydomain.com.br

Then, I ran the script again:

export NETBIRD_DOMAIN=netbird.mydomain.com.br; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash

Finally, after a maximum of 2 minutes, Netbird was installed on the server.

However, at the moment I’m trying to find a way to run it within my local network, because the latency from my home in Brazil to the server in the US is 130-140ms, which causes the ping between the two hosts to reach up to 370ms.

Another thing I almost forgot, if you’ve made several attempts with the same domain, change netbird.mydomain.com.br to another subdomain, because Let’s Encrypt (which issues HTTPS certificates), after many attempts to generate the DNS for the same host, can block the generation of a new certificate for the same host for anywhere from a few minutes to several days.

In my case, I received a 5-day ban and had to use another DNS to make it work.

Could you explain how you’d want to use it with the local network?

Assuming your home in Brazil has sufficient speed, do you connect through the Netbird IP to whatever machine you wanna connect to? And are you connected over the relay or p2p? (You can check this by doing netbird status -Ad. Since it’s anonymized with the A, you can also send it here.)

Yeah, letsencrypt is abused, so they have to be strict with that. They do have a staging environment, but that breaks the script if used incorrectly. :~P

In our case, we have a few locally virtualized servers running on Proxmox VE, and we provide services for some small branch offices that only have 2 or 3 computers and no firewall to set up a proper site-to-site connection with our infrastructure.

Since we already have a full setup on our side (HA servers, generators, etc.), I’d like to use Netbird locally to provide a connection using peers + Network Routes so we can access local printers, as well as time-tracking systems (for shift/control logs) if they have any.

I’m still messing around in the lab. I set up two pfSense boxes: one using the 192.168.30.1/23 range for the servers as the LAN, and another pfSense with two different LANs, 192.168.0.1/24 and 192.168.1.1/24.

In this lab setup, it looks like 192.168.30.36 (the IP of one of my lab servers) was only able to reach the desktops 192.168.0.10 and 192.168.1.10 through a Relay, which explains why the ping was so high.

I’m pretty sure the relay kicked in because I’m dealing with double NAT — the NAT from my main firewall and the NAT from the virtualized pfSense in the lab.

Yeah, totally. I’ve been using Let’s Encrypt daily since it first came out, and a bad setup can definitely cause serious issues. In setups like this, I usually use the Cloudflare API so Certbot can generate the certificate for me, and I avoid the standard validation that requires ports 80 and 443.

I created a separate post here on the forum about running Netbird behind a reverse proxy, and it looks like if I use the advanced option, I should be able to configure it properly. I’ll try to find some time this weekend to test it, and if it works, it might be the solution to this whole problem.