Zitadel-Login Error "Self-signed certificate"

Hello my instance of Zitadel-login fails with an unusual error, it tells me that the connection to zitadel fails because of a self-signed certificate

   ▲ Next.js 15.4.0-canary.86
   - Local:        http://[::1]:3000
   - Network:      http://[::]:3000

 ✓ Starting...
 ✓ Ready in 669ms
getAllSessions: No session cookie found, returning empty array
Error [ConnectError]: [internal] self-signed certificate
    at h.from (.next/server/chunks/518.js:2:209608)
    at aA (.next/server/chunks/518.js:1:39566)
    at ClientHttp2Session.h (.next/server/chunks/518.js:1:47325) {
  rawMessage: 'self-signed certificate',
  code: 13,
  metadata: Headers {},
  details: [],
  [cause]: [Error: self-signed certificate] { code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
}

   ▲ Next.js 15.4.0-canary.86
   - Local:        http://[::1]:3000
   - Network:      http://[::]:3000

 ✓ Starting...
 ✓ Ready in 669ms
getAllSessions: No session cookie found, returning empty array
Error [ConnectError]: [internal] self-signed certificate
    at h.from (.next/server/chunks/518.js:2:209608)
    at aA (.next/server/chunks/518.js:1:39566)
    at ClientHttp2Session.h (.next/server/chunks/518.js:1:47325) {
  rawMessage: 'self-signed certificate',
  code: 13,
  metadata: Headers {},
  details: [],
  [cause]: [Error: self-signed certificate] { code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
}

   ▲ Next.js 15.4.0-canary.86
   - Local:        http://[::1]:3000
   - Network:      http://[::]:3000

 ✓ Starting...
 ✓ Ready in 669ms
getAllSessions: No session cookie found, returning empty array
Error [ConnectError]: [internal] self-signed certificate
    at h.from (.next/server/chunks/518.js:2:209608)
    at aA (.next/server/chunks/518.js:1:39566)
    at ClientHttp2Session.h (.next/server/chunks/518.js:1:47325) {
  rawMessage: 'self-signed certificate',
  code: 13,
  metadata: Headers {},
  details: [],
  [cause]: [Error: self-signed certificate] { code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
}

   ▲ Next.js 15.4.0-canary.86
   - Local:        http://[::1]:3000
   - Network:      http://[::]:3000

 ✓ Starting...
 ✓ Ready in 669ms
getAllSessions: No session cookie found, returning empty array
Error [ConnectError]: [internal] self-signed certificate
    at h.from (.next/server/chunks/518.js:2:209608)
    at aA (.next/server/chunks/518.js:1:39566)
    at ClientHttp2Session.h (.next/server/chunks/518.js:1:47325) {
  rawMessage: 'self-signed certificate',
  code: 13,
  metadata: Headers {},
  details: [],
  [cause]: [Error: self-signed certificate] { code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }
}

Thing is this error started by itself like that, and I can access my zitadel instance via API fine without any error

  zitadel-login:
    restart: unless-stopped
    image: 'ghcr.io/zitadel/zitadel-login:${ZITADEL_VERSION?error}'
    environment:
      - ZITADEL_API_URL=https://login.hinara.dev
      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
      - ZITADEL_SERVICE_USER_TOKEN=${ZITADEL_LOGIN_PAT?error}
    depends_on:
      zitadel:
        condition: service_healthy
        restart: false

  zitadel-login:
    restart: unless-stopped
    image: 'ghcr.io/zitadel/zitadel-login:${ZITADEL_VERSION?error}'
    environment:
      - ZITADEL_API_URL=https://login.hinara.dev
      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
      - ZITADEL_SERVICE_USER_TOKEN=${ZITADEL_LOGIN_PAT?error}
    depends_on:
      zitadel:
        condition: service_healthy
        restart: false

  zitadel-login:
    restart: unless-stopped
    image: 'ghcr.io/zitadel/zitadel-login:${ZITADEL_VERSION?error}'
    environment:
      - ZITADEL_API_URL=https://login.hinara.dev
      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
      - ZITADEL_SERVICE_USER_TOKEN=${ZITADEL_LOGIN_PAT?error}
    depends_on:
      zitadel:
        condition: service_healthy
        restart: false

  zitadel-login:
    restart: unless-stopped
    image: 'ghcr.io/zitadel/zitadel-login:${ZITADEL_VERSION?error}'
    environment:
      - ZITADEL_API_URL=https://login.hinara.dev
      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
      - ZITADEL_SERVICE_USER_TOKEN=${ZITADEL_LOGIN_PAT?error}
    depends_on:
      zitadel:
        condition: service_healthy
        restart: false

I don't understand why this error happens, even tried connecting with curl from the container and everything seems to be fine.

Ask Inkeep•11/23/25, 11:33 PM

Hi @Hinara, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•11/23/25, 11:33 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

questions-help-bugsget zitadel-go client to work with self-signed certificate questions-help-bugsget zitadel-go client to work with self-signed certificate : A community member resolved a similar self-signed certificate issue with the zitadel-go client by configuring custom TLS credentials with a certificate pool.
SMTP : "certificate signed by unknown authority" (2) : Discusses certificate verification issues where ZITADEL couldn't verify certificates, though this was SMTP-specific.

Would you like me to provide a general answer about handling self-signed certificates with Node.js clients, or would you prefer to click the "Ask for help" button to have a team member review your specific zitadel-login configuration?

Ask Inkeep•11/23/25, 11:33 PM

To learn more, see the sources I considered:

questions-help-bugsget zitadel-go client to work with self-signed certificate
[2] SMTP : "certificate signed by unknown authority"

Ask Inkeep•11/23/25, 11:33 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] get zitadel-go client to wo...

Ask InkeepAPP•11/23/25, 11:45 PM

Got it. Tagging @Rajat for additional help.

HinaraOP•11/24/25, 12:17 AM

Could not reproduce on local instance in dev mode.
But container still fails

HinaraOP•11/24/25, 12:52 AM

It seems that it is the container configuration of Zitadel-login which fails to accept my let's encrypt certificate can reproduce by launching this script in the container

const https = require('node:https');
https.get('https://login.hinara.dev/', (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });

}).on('error', (e) => {
  console.error(e);
});

const https = require('node:https');
https.get('https://login.hinara.dev/', (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });

}).on('error', (e) => {
  console.error(e);
});

HinaraOP•11/24/25, 12:59 AM

Closed there was some issue with my traefik instance giving the wrong certificate on IPv4 but everything was fine if IPv6 was used

AAsk Inkeep To learn more, see the sources I considered: [[1] get zitadel-go client to wo...

Ask InkeepAPP•11/24/25, 12:59 AM

Glad I could be helpful. Feel free to create a new thread with any new questions you may have.