After updating to 0.22.2, headscale refuses let's encrypt certificates

[kolaente]

Bug description

After upgrading to 0.22.2 (from 0.22.1) headscale refuses to start. I see this message in the logs:

server_1  | 2023-05-11T20:19:46Z FTL go/src/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="Get \"https://auth.domain.tld/application/o/headscale/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

The certificate on the auth provider uses a let's encrypt certificate. I can view the site in my browser without problems. Downgrading to 0.22.1 again seems to fix it.

Environment

• OS: Docker image
• Headscale version: 0.22.2
• Tailscale version: probably not relevant?

• Headscale is behind a (reverse) proxy
• Headscale runs in a container

Both are the case here, but I doubt that's a cause of the problem? Also since this is the official image I kind of assume it's within the scope of the project?

To Reproduce

Update to 0.22.2 from 0.22.1, use a Let's Encrypt certificate on a third party auth provider.

[gtjadsonsantos]

I am with this problem too

[6ixfalls]

Issue seems to be with the new base image change, bullseye-slim doesn't contain ca-certificates by default AFAIK. Will test and create a PR if so.

[arnonh]

Just to help others, It will refuse any certificate so for me oidc with google stopped working until i downgraded back to 0.22.1

[sunny-logic]

Sorry to comment here on a closed issue but just wanted to check if the "v0.23.0-alpha5-debug" have the ca-certificates added because I see the below error, thanks.

ERR Could not load DERP map from path error="Get \"https://controlplane.tailscale.com/derpmap/default\": tls: failed to verify certificate: x509: certificate signed by unknown authority" func=GetDERPMap url=https://controlplane.tailscale.com/derpmap/default