I wanted to install Zitadel as selfhosted, but I can't login.
The better explanation is on GitHub:
https://github.com/zitadel/zitadel/issues/10123
Can somebody help me, to start one time this application???
GitHub
[Bug]: Not possible to log in · Issue #10123 · zitadel/zitadel
Preflight Checklist I could not find a solution in the documentation, the existing issues or discussions I have joined the ZITADEL chat Environment Self-hosted Version 3.3.0 Database PostgreSQL Dat...
Is somebody here for help??? (Some Germans maybe?)
Hey @Kal looking into it
hey @Kal I spent some time reading your issue and even tho your domain name/port are correct, this means either the Host header isn't forwarded as expected, or ZITADEL did not register the ExternalDomain during setup (even after correct info in YAML).
Can you pls share your proxy config?
---
http:
  routers:
    zitadel:
      rule: >
        Host(`zitadel.free-planet-earth.org`) ||
        Host(`zitadel.helfa.org`)
      entryPoints:
        - https
      service: zitadel-service
      tls:
        certResolver: hetzner
      middlewares:
        - zitadel-security@file
        - global-compress@file
        - global-rate-limit@file
  services:
    zitadel-service:
      loadBalancer:
        servers:
          - url: "http://zitadel:8080"
        healthCheck:
          path: "/debug/healthz"
          interval: "30s"
          timeout: "5s"
        passHostHeader: true
  middlewares:
    # Zitadel-specific security headers
    zitadel-security:
      headers:
        # Request headers for proper proxy handling
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: ""
          X-Forwarded-Port: "443"
        # Response headers optimized for Zitadel
        customResponseHeaders:
          X-Frame-Options: "DENY"
          X-Content-Type-Options: "nosniff"
          X-XSS-Protection: "1; mode=block"
          Strict-Transport-Security:
            "max-age=31536000; includeSubDomains; preload"
          # Zitadel-friendly CSP for OAuth/OIDC functionality
          Content-Security-Policy: >
            default-src 'self';
            script-src 'self' 'unsafe-inline';
            style-src 'self' 'unsafe-inline';
            img-src 'self' data: https:;
            font-src 'self' data: https:;
            connect-src 'self';
            frame-ancestors 'none';
            base-uri 'self'
          Referrer-Policy: "strict-origin-when-cross-origin"
          # OIDC/OAuth specific headers
          Access-Control-Allow-Origin: "*"
          Access-Control-Allow-Methods: "GET, POST, OPTIONS"
          Access-Control-Allow-Headers: "Authorization, Content-Type"
        # SSL settings
        sslRedirect: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        addVaryHeader: true
Here we go …
hey @Kal quickly, saw something that can be changed.
Remove the explicit override of X-Forwarded-Host in the middleware. Allow Traefik to forward the header automatically. That value will get auto populated.
Restart Traefik and ZITADEL containers to apply changes. Test access and relaunch login.
Your middleware wipes out that header by setting X-Forwarded-Host: ""
I'm on the way …
sure, no pressure
I found an error, you can see yourself:
2025-06-27 10:55:56.343 UTC [1] LOG: starting PostgreSQL 17.5 on x86_64-pc-linux-musl, compiled by gcc (Alpine 14.2.0) 14.2.0, 64-bit
2025-06-27 10:55:56.343 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
2025-06-27 10:55:56.343 UTC [1] LOG: listening on IPv6 address "::", port 5432
2025-06-27 10:55:56.344 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2025-06-27 10:55:56.346 UTC [54] LOG: database system was shut down at 2025-06-27 10:55:56 UTC
2025-06-27 10:55:56.351 UTC [1] LOG: database system is ready to accept connections
2025-06-27 10:56:05.258 UTC [59] FATAL: database "zitadel-db-admin" does not exist
2025-06-27 10:56:16.244 UTC [61] FATAL: database "zitadel-db-admin" does not exist
2025-06-27 10:56:27.247 UTC [64] FATAL: database "zitadel-db-admin" does not exist
Zitadel-db-admin is NOT a database, it's an admin user … 🤔
btw: The name of the database is zitadel-db …
I send you some PMs
ahahah
ZITADEL is trying to connect to a nonexistent database named zitadel-db-admin, which is actually your admin username, NOT your database name.
You need to confirm that, the database name is zitadel. The admin user is postgres (or an existing DB admin account).
There are no typos or mismatches in ZITADEL_DATABASE_POSTGRES_DATABASE, and the user and password fields.
Make sure the zitadel user and zitadel database exist in Postgres, and the user has the right permissions.
Just for your information:
https://zitadel.com/docs/self-hosting/manage/configure
There is an option, to make a different Database … (I know now, that I have to make it, but this should be explained somewhere …)
But I do change it for now.
(And isn't it a security issue, if the name of the admin isn't variable???) It's just a question …
I will change it and give you more updates …
Hello my friend … first thank you for your time … the problem is NOT solved …
I'm again in the login screen … and when I write my FIRST INSTANCE ADMIN USER, this will not help …
I will try it with the "normal" admin …
There is NO login with:
admin
admin@domain.tld
admin@subdomain.domain.tld
my first admin, I created in the podman-compose.yml
I even can't see the password input field …
Here are some other errors (css) btw. (not our problem, but maybe interesting for you - for the future.)
These are the css errors … just for your information.

Should I send you the logs???
hey @Kal you can share the logs here
You’re not seeing the password input because username/password login is likely disabled in your default org or instance settings.
try this : https://zitadel.com/docs/apis/resources/mgmt/management-service-reset-login-policy-to-default
Something is misconfigured; it's always tricky to debug self-hosted clusters 🙂
Sorry, I had a conversation with a volunteer organization "care" … We have some points to discuss …
1. Question: The DB is almost empty, so I can delete it and we can create a new one … so I don't have misconfigured it … 😉
2. I'll try the link … I hope it will solve it. But I don't know what I did wrong (I can not lose data, because I have none … lol)
3. These are the logs … (I will stop the container and start, so you have some "fresh" outputs … I will delete the database too)
Question: The DB is almost empty, so I can delete it and we can create a new one … so I don't have misconfigured it -> YES, pls try a fresh start-from-init
This is my zitadel-postgres Log:
I do always … but this is the result …
This is the log of zitadel itself:
@Rajat Singh It is solved … I don't know what happened …
Really … I don't know … now I'm in and I can write a password …
"don't touch if it ain't broken"
You are right … But … I have some questions …
(I won't touch it … or I make another instance …)
At first: THANK YOU!!! Really!!!! You are amazing and thank you, that you took time for my problem!!!
What about the DB name and the usernames? Can this be fixed?
(I'm not familiar with Discord - I don't like it very much - so I can't tell you how happy I am … now I can continue with the work and learn how to use it …)
The question I want to understand is:
What was wrong? Only the DB name and the username? (maybe some cache???)
The project I'm working on is to build up a platform and to copy it to other people, to use the same. Then we will connect the networks together … so we have a decentralized network …
That's why I have to understand, what is going on …
And I want to help you too, to get a better software, if I can …
check your postgres configuration now.
earlier your flag was set to ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
make sure it's ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel-db
here's the postgres config which can be changed/set.
it has a slight learning curve, I agree 🙂
Moment … now it runs … should I really change something?
no it can't be anything with caching, it doesn't cache the database name or credentials beyond the init/setup flows.
maybe you can spin another cluster 😄
just for testing stuff/new features
is it possible to change the db name to something completely different???
You are right … lol …
I change the names of the database and the users so that you don't know where to break in ...