[BUG] Traefik forward-auth fails with self-signed certificates #1345

@prasadtalasila

Description

Describe the bug

Users may want to run DTaaS on internal servers with self-signed TLS certificates. In such cases, SSO with traefik-forward-auth fails.

To Reproduce

Steps to reproduce the behavior:

  1. Create self-signed certificates with mkcert
  2. Use the production installation of the DTaaS files
  3. Install the integrated Gitlab, create OAuth applications and configure DTaaS with these OAuth applications
  4. Log in as a user
  5. See the "service unavailable" error in the browser

A sample log of the docker-traefik-forward-auth-1 service is shown below.

time="2025-10-14T08:00:01Z" level=debug msg="Authenticating request" cookies="[preferred_language=en known_sign_in=xxxxxx _forward_auth_csrf_bd5af2=xxxxxx _forward_auth_csrf_777dda=xxxxxx]" handler=Auth host=foo.com method=GET proto=https rule=default source_ip=10.250.132.133 uri=/
time="2025-10-14T08:00:01Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_225750=xxxxxx; Path=/; Domain=foo.com; Expires=Tue, 14 Oct 2025 09:00:01 GMT; HttpOnly; Secure" handler=Auth host=foo.com login_url="https://foo.com/gitlab/oauth/authorize?client_id=xxxxxx&redirect_uri=https%3A%2F%2Ffoo.com%2F_oauth&response_type=code&scope=read_user&state=xxxxxx%3Ageneric-oauth%3Ahttps%3A%2F%2Ffoo.com%2F" method=GET proto=https rule=default source_ip=10.250.132.133 uri=/

time="2025-10-14T08:00:16Z" level=debug msg="Handling callback" cookies="[preferred_language=en known_sign_in=xxxxxx _forward_auth_csrf_bd5af2=xxxxxx _forward_auth_csrf_777dda=xxxxxx _forward_auth_csrf_225750=xxxxxx]" handler=AuthCallback host=foo.com method=GET proto=https rule=default source_ip=10.250.132.133 uri="/_oauth?code=xxxxxx&state=xxxxxx%3Ageneric-oauth%3Ahttps%3A%2F%2Ffoo.com%2F"
time="2025-10-14T08:00:16Z" level=error msg="Code exchange failed with provider" error="Post https://foo.com/gitlab/oauth/token: x509: certificate signed by unknown authority" handler=AuthCallback host=foo.com method=GET proto=https rule=default source_ip=10.250.132.133 uri="/_oauth?code=xxxxxx&state=xxxxxx%3Ageneric-oauth%3Ahttps%3A%2F%2Ffoo.com%2F"
time="2025-10-14T08:00:16Z" level=debug msg="Authenticating request" cookies="[preferred_language=en known_sign_in=xxxxxx _forward_auth_csrf_bd5af2=xxxxxx _forward_auth_csrf_777dda=xxxxxx]" handler=Auth host=foo.com method=GET proto=https rule=default source_ip=10.250.132.133 uri=/favicon.ico
time="2025-10-14T08:00:16Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_b32a03=xxxxxx; Path=/; Domain=foo.com; Expires=Tue, 14 Oct 2025 09:00:16 GMT; HttpOnly; Secure" handler=Auth host=foo.com login_url="https://foo.com/gitlab/oauth/authorize?client_id=xxxxxx&redirect_uri=https%3A%2F%2Ffoo.com%2F_oauth&response_type=code&scope=read_user&state=xxxxxx%3Ageneric-oauth%3Ahttps%3A%2F%2Ffoo.com%2Ffavicon.ico" method=GET proto=https rule=default source_ip=10.250.132.133 uri=/favicon.ico

Expected behavior

Login should have happened successfully.

Application Environment

  • OS: [Windows 11]
  • Browser [chrome]
  • DTaaS Release [0.7.0]

Solution

Update DNS server

The deploy/docker/resolv.conf contains the following entry.

nameserver 8.8.8.8

This nameserver works only for servers with valid DNS names that are accessible from the Internet. Internal servers are not visible on the Internet, so name resolution fails. The solution is to obtain the following information from your IT department and put it in deploy/docker/resolv.conf. An example is given below.

search domain: client.foo.com
nameserver: 10.20.25.125

Create local TLS root certificates

Use mkcert to create the necessary root and server TLS certificates and copy the root certificate into the build directory of the next step.

wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
sudo mv mkcert-v1.4.4-linux-amd64 /usr/local/bin/mkcert
whereis mkcert
mkcert -install
mkcert "foo.com" "localhost" "127.0.0.1" "::1"
mkcert "foo.com" "*.foo.com" "localhost" "127.0.0.1" "::1"
cp ~/.local/share/mkcert/rootCA.pem rootCA.crt

Fix traefik forward-auth image

Create a derived traefik forward-auth docker image that trusts the local root CA. Use the following Dockerfile.

# Stage 1: Use Alpine to prepare certificates
FROM alpine:latest AS cert-builder

# Install ca-certificates and prepare the certificate
RUN apk add --no-cache ca-certificates
COPY rootCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

# Stage 2: Copy certificates to the final image
FROM thomseddon/traefik-forward-auth:latest
COPY --from=cert-builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

CMD ["traefik-forward-auth"]
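Why the rebuilt image fixes the "x509: certificate signed by unknown authority" error in the log above, as an added Go example that is not part of DTaaS or traefik-forward-auth: an httptest server with a self-signed certificate stands in for the GitLab token endpoint, the code-exchange POST fails with Go's default trust store and succeeds once the server's root certificate is in the client's root pool, which is what copying the updated ca-certificates.crt into the image does for the real process. The function names, the endpoint path and the JSON reply are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newTokenEndpoint stands in for GitLab's /oauth/token behind traefik; httptest
// issues a self-signed certificate the OS trust store has never seen, like mkcert's.
func newTokenEndpoint() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"access_token":"constructed-token","token_type":"bearer"}`) // constructed reply
	}))
}

// exchangeCode performs the code-for-token POST that the AuthCallback handler does.
func exchangeCode(client *http.Client, tokenURL string) (int, error) {
	resp, err := client.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader("grant_type=authorization_code&code=xxxxxx"))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// IsUnknownAuthority reports whether err is the x509 trust failure seen in the issue log.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// TrustingClient puts the CA certificate in the client's root pool: the in-process
// equivalent of the Dockerfile's updated /etc/ssl/certs/ca-certificates.crt.
func TrustingClient(ca *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// Demo returns (rejected by default trust store, status after the fix, error after the fix).
func Demo() (bool, int, error) {
	srv := newTokenEndpoint()
	defer srv.Close()
	tokenURL := srv.URL + "/gitlab/oauth/token"
	_, err := exchangeCode(http.DefaultClient, tokenURL)
	status, err2 := exchangeCode(TrustingClient(srv.Certificate()), tokenURL)
	return IsUnknownAuthority(err), status, err2
}
```

A client that does not know the CA never reaches the token endpoint at all, which is why the log shows the failure at the code exchange rather than a 4xx from GitLab.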

Build the docker image in the directory containing the Dockerfile and rootCA.crt.

docker buildx build -t traefik-forward-auth-local:latest .

Update compose.server.secure.yml. Replace the image line

thomseddon/traefik-forward-auth:latest

with

image: traefik-forward-auth-local:latest

Restart the forward-auth container

docker compose -f compose.server.secure.yml --env-file .env.server up -d --force-recreate traefik-forward-auth

Additional Context

Add these steps as documentation under Admin -> Guides -> Self-Signed Certificates.
