NetBird v0.36.5 with Zitadel: Account Login Success but Device Registration and Peer Login Failures #1598

Open
opened 2025-11-20 05:33:31 -05:00 by saavagebueno · 4 comments
Owner

Originally created by @xiaojueshi on GitHub (Feb 4, 2025).

Describe the problem

During the use of the system, when using Zitadel for authentication, users can successfully log in to their accounts. However, they encounter issues when registering devices, preventing the devices from completing the registration process. Additionally, there are abnormal situations during client (peer) login, with two main types of error messages:

  1. Missing authentication method: The system prompts "no peer auth method provided, please use a setup key or interactive SSO login", indicating that when the client attempts to log in, it fails to provide a valid authentication method. The system requires the use of a setup key or interactive Single - Sign - On (SSO) for authentication.
    For example:
2025-02-04T15:06:43Z WARN [context: GRPC, requestID: f89d69cb-2d88-499f-90ca-35b2de7b2309, accountID: UNKNOWN, peerID: iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=] management/server/grpcserver.go:473: failed logging in peer iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=: no peer auth method provided, please use a setup key or interactive SSO login
  1. Account not found: The system prompts "failed adding new peer: account not found", meaning that when the client attempts to add a new peer, the system cannot find the corresponding account information.
    For example:
2025-02-04T15:06:44Z WARN [context: GRPC, requestID: a3db5f0a-812f-4058-a8dc-2649e4eb480d, accountID: UNKNOWN, peerID: iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=] management/server/grpcserver.go:473: failed logging in peer iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=: failed adding new peer: account not found

These errors prevent the client from logging in normally and the device from completing the registration.

To Reproduce

Since the specific operation steps are not clearly indicated in the logs, the possible steps to reproduce are speculated as follows:

  1. Start the NetBird management server. The server begins to load configuration information, as shown in the logs:
2025-02-04T15:05:59Z INFO [context: SYSTEM] management/cmd/management.go:514: loading OIDC configuration from the provided IDP configuration endpoint https://auth.lzwnas.cn/.well-known/openid-configuration
2025-02-04T15:05:59Z INFO [context: SYSTEM] management/server/telemetry/app_metrics.go:193: enabled application metrics and exposing on http://0.0.0.0:9090
2025-02-04T15:05:59Z INFO [context: SYSTEM] management/server/store/store.go:241: using SQLite store engine
  1. Log in to the account through Zitadel. This step can be completed successfully.
  2. Attempt to perform the device registration operation.
  3. The client fails to provide a valid authentication method or uses non - existent account information when attempting to log in for device registration.
  4. The system outputs the corresponding warning messages, indicating login failure and device registration failure, as shown in the log examples described in the error information above.
Originally created by @xiaojueshi on GitHub (Feb 4, 2025). ### **Describe the problem** During the use of the system, when using Zitadel for authentication, users can successfully log in to their accounts. However, they encounter issues when registering devices, preventing the devices from completing the registration process. Additionally, there are abnormal situations during client (peer) login, with two main types of error messages: 1. **Missing authentication method**: The system prompts "no peer auth method provided, please use a setup key or interactive SSO login", indicating that when the client attempts to log in, it fails to provide a valid authentication method. The system requires the use of a setup key or interactive Single - Sign - On (SSO) for authentication. For example: ``` 2025-02-04T15:06:43Z WARN [context: GRPC, requestID: f89d69cb-2d88-499f-90ca-35b2de7b2309, accountID: UNKNOWN, peerID: iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=] management/server/grpcserver.go:473: failed logging in peer iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=: no peer auth method provided, please use a setup key or interactive SSO login ``` 2. **Account not found**: The system prompts "failed adding new peer: account not found", meaning that when the client attempts to add a new peer, the system cannot find the corresponding account information. For example: ``` 2025-02-04T15:06:44Z WARN [context: GRPC, requestID: a3db5f0a-812f-4058-a8dc-2649e4eb480d, accountID: UNKNOWN, peerID: iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=] management/server/grpcserver.go:473: failed logging in peer iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=: failed adding new peer: account not found ``` These errors prevent the client from logging in normally and the device from completing the registration. ### **To Reproduce** Since the specific operation steps are not clearly indicated in the logs, the possible steps to reproduce are speculated as follows: 1. Start the NetBird management server. The server begins to load configuration information, as shown in the logs: ``` 2025-02-04T15:05:59Z INFO [context: SYSTEM] management/cmd/management.go:514: loading OIDC configuration from the provided IDP configuration endpoint https://auth.lzwnas.cn/.well-known/openid-configuration 2025-02-04T15:05:59Z INFO [context: SYSTEM] management/server/telemetry/app_metrics.go:193: enabled application metrics and exposing on http://0.0.0.0:9090 2025-02-04T15:05:59Z INFO [context: SYSTEM] management/server/store/store.go:241: using SQLite store engine ``` 2. Log in to the account through Zitadel. This step can be completed successfully. 3. Attempt to perform the device registration operation. 4. The client fails to provide a valid authentication method or uses non - existent account information when attempting to log in for device registration. 5. The system outputs the corresponding warning messages, indicating login failure and device registration failure, as shown in the log examples described in the error information above.
saavagebueno added the peer-managementmanagement-servicezitadelself-hosting labels 2025-11-20 05:33:31 -05:00
Author
Owner

@bcmmbaga commented on GitHub (Feb 4, 2025):

Hello @xiaojueshi , could you clarify how you are registering the new peer? Specifically, do you specify your self-hosted management URL during the registration process? If not you can try running:

netbird up --management-url <YOUR_MANAGEMENT_URL>
@bcmmbaga commented on GitHub (Feb 4, 2025): Hello @xiaojueshi , could you clarify how you are registering the new peer? Specifically, do you specify your self-hosted management URL during the registration process? If not you can try running: ```sh netbird up --management-url <YOUR_MANAGEMENT_URL> ```
Author
Owner

@xiaojueshi commented on GitHub (Feb 6, 2025):

Hello @xiaojueshi , could you clarify how you are registering the new peer? Specifically, do you specify your self-hosted management URL during the registration process? If not you can try running:

netbird up --management-url <YOUR_MANAGEMENT_URL>

After troubleshooting, I discovered that I previously had a Netbird service under this domain. Now that I've recreated a new Netbird service, the existing clients are experiencing authentication failures.

@xiaojueshi commented on GitHub (Feb 6, 2025): > Hello [@xiaojueshi](https://github.com/xiaojueshi) , could you clarify how you are registering the new peer? Specifically, do you specify your self-hosted management URL during the registration process? If not you can try running: > > netbird up --management-url <YOUR_MANAGEMENT_URL> After troubleshooting, I discovered that I previously had a Netbird service under this domain. Now that I've recreated a new Netbird service, the existing clients are experiencing authentication failures.
Author
Owner

@xiaojueshi commented on GitHub (Feb 6, 2025):

Problem Description:
After recreating the Netbird service, newly registered peers show as successfully registered but remain offline. Client logs indicate repeated connection timeouts (context deadline exceeded) when attempting to connect to the Signal Exchange Service at XXX:10000.

Error Log Summary:

[...] ERRO [...] error while connecting to the Signal Exchange Service XXX:10000: context deadline exceeded  
[...] ERRO [...] rpc error: code = FailedPrecondition desc = failed connecting to Signal Service : context deadline exceeded  
[...] ERRO [...] failed to connect to the signalling server: context deadline exceeded  

(Full logs show repeated connection attempts failing with the same error.)

Current Configuration:
The Signal Service port 10000 is proxied via Nginx with the following rule:

location /signalexchange.SignalExchange/ {
    grpc_pass grpc://127.0.0.1:10000; 
    #grpc_ssl_verify off;
    grpc_read_timeout 1d; 
    grpc_send_timeout 1d; 
    grpc_socket_keepalive on; 
    add_header Strict-Transport-Security "max-age=31536000"; 
}

Key Observations:

  1. Clients can register but fail to establish a stable connection to the Signal Service.
  2. Timeout errors persist despite Nginx proxying the gRPC traffic to 127.0.0.1:10000.
  3. No SSL verification is currently enabled (grpc_ssl_verify off is commented out).

Request:
Assistance in diagnosing the root cause of the connection timeout between clients and the Signal Service through the Nginx proxy.

@xiaojueshi commented on GitHub (Feb 6, 2025): **Problem Description:** After recreating the Netbird service, newly registered peers show as successfully registered but remain offline. Client logs indicate repeated connection timeouts (`context deadline exceeded`) when attempting to connect to the Signal Exchange Service at `XXX:10000`. **Error Log Summary:** ``` [...] ERRO [...] error while connecting to the Signal Exchange Service XXX:10000: context deadline exceeded [...] ERRO [...] rpc error: code = FailedPrecondition desc = failed connecting to Signal Service : context deadline exceeded [...] ERRO [...] failed to connect to the signalling server: context deadline exceeded ``` *(Full logs show repeated connection attempts failing with the same error.)* **Current Configuration:** The Signal Service port `10000` is proxied via Nginx with the following rule: ``` location /signalexchange.SignalExchange/ { grpc_pass grpc://127.0.0.1:10000; #grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; add_header Strict-Transport-Security "max-age=31536000"; } ``` **Key Observations:** 1. Clients can register but fail to establish a stable connection to the Signal Service. 2. Timeout errors persist despite Nginx proxying the gRPC traffic to `127.0.0.1:10000`. 3. No SSL verification is currently enabled (`grpc_ssl_verify off` is commented out). **Request:** Assistance in diagnosing the root cause of the connection timeout between clients and the Signal Service through the Nginx proxy.
Author
Owner

@josark2005 commented on GitHub (Sep 17, 2025):

I have faced the same issue, and no solution is found so far.

I am not sure if we should add a zitadel actions in netbrid project.

@josark2005 commented on GitHub (Sep 17, 2025): I have faced the same issue, and no solution is found so far. I am not sure if we should add a zitadel actions in netbrid project.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#1598