"Temporary failure in name resolution" when trying to authenticate
I have a self-hosted GitLab instance, and have set up OpenID authentication using Azure after following this documentation. At first it worked, but after a few days GitLab throws an error about a "Temporary failure in name resolution". This is the whole log:
team-git_gitlab | {"severity":"DEBUG","time":"2024-02-08T10:49:49.717Z","correlation_id":"01HP45D2W960TJ0EMP1QG999NC","message":"(openid_connect) Request phase initiated."}
team-git_gitlab | {"severity":"ERROR","time":"2024-02-08T10:49:49.736Z","correlation_id":"01HP45D2W960TJ0EMP1QG999NC","message":"(openid_connect) Authentication failure! getaddrinfo: Temporary failure in name resolution (https:443): SocketError, getaddrinfo: Temporary failure in name resolution (https:443)"}
For any other GitLab service, or simply inside the Docker container, DNS resolution works perfectly fine (by running nslookup google.com, for instance).
I don't have any other logs or information, and I don't know where I can find more information about what fails. I don't even know what domain GitLab tries to resolve.
Here is the part of my gitlab.rb that sets up the authentication:
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email', 'name']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect'] # To match ldap users with azure
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
gitlab_rails['omniauth_allow_bypass_two_factor'] = ['openid_connect']
gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
    strategy_class: "OmniAuth::Strategies::OpenIDConnect",
    scope: ["openid", "profile", "email"],
    response_type: "code",
    issuer: 'https://login.microsoftonline.com/<tenant_id>/v2.0',
    client_auth_method: 'query',
    discovery: true,
    uid_field: "sub",
    pkce: true,
    client_options: {
      identifier: "<REDACTED>",
      secret: "<REDACTED>",
      redirect_uri: "https://<MYDOMAIN>/users/auth/openid_connect/callback"
    }
  }
]
Note: An AD authentication is configured as a secondary auth provider, maybe there is a form of conflict.
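
Added example, not part of the original post and not GitLab's own code: the ERROR line above already carries the name the resolver was asked for. Assuming the trailing parenthesised value in the message is the host:port pair the HTTP client tried to reach, this Ruby helper (the name `resolution_failures` and the "no dot" heuristic are assumptions) pulls it out of Docker Compose log output and flags a host that is a URL scheme rather than a domain.

```ruby
require 'json'

# The two log lines copied from the post, in "container | json" format.
SAMPLE_LOG = <<~'LOG'
  team-git_gitlab | {"severity":"DEBUG","time":"2024-02-08T10:49:49.717Z","correlation_id":"01HP45D2W960TJ0EMP1QG999NC","message":"(openid_connect) Request phase initiated."}
  team-git_gitlab | {"severity":"ERROR","time":"2024-02-08T10:49:49.736Z","correlation_id":"01HP45D2W960TJ0EMP1QG999NC","message":"(openid_connect) Authentication failure! getaddrinfo: Temporary failure in name resolution (https:443): SocketError, getaddrinfo: Temporary failure in name resolution (https:443)"}
LOG

SCHEME_NAMES = %w[http https].freeze

# Returns one hash per OmniAuth name-resolution failure found in the log text.
def resolution_failures(log_text)
  log_text.each_line.filter_map do |line|
    json = line[/\{.*\}/] or next          # drop the "container | " prefix
    entry = begin
      JSON.parse(json)
    rescue JSON::ParserError
      next                                 # skip lines that are not JSON
    end
    msg = entry['message'].to_s
    next unless entry['severity'] == 'ERROR' && msg.include?('getaddrinfo')

    # Assumption: "(host:port)" after the error text is the connection target.
    m = msg.match(/\((?<host>[^\s():]+):(?<port>\d+)\)/) or next
    host = m[:host]
    {
      provider: msg[/\A\(([^)]+)\)/, 1],   # e.g. "openid_connect"
      host: host,
      port: m[:port].to_i,
      correlation_id: entry['correlation_id'],
      # Heuristic: a scheme name or a dotless label is not a public FQDN,
      # which points at a malformed URL rather than a DNS outage.
      suspicious: SCHEME_NAMES.include?(host.downcase) || !host.include?('.')
    }
  end
end

if $PROGRAM_NAME == __FILE__
  resolution_failures(SAMPLE_LOG).each do |f|
    flag = f[:suspicious] ? 'not a valid hostname' : 'looks like a hostname'
    puts "#{f[:provider]}: tried to resolve #{f[:host]}:#{f[:port]} (#{flag})"
  end
end
```

On the lines from the post it reports the host as `https`, so the next thing to check is which URL (issuer, discovery endpoints, or a proxy setting) is being parsed into that host.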