diff --git a/Dockerfile b/Dockerfile
index a222787..c6c84d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,11 +13,15 @@ COPY *.go ./
 ARG TARGETOS TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o lk-jwt-service
+# set up nsswitch.conf for Go's "netgo" implementation
+# - https://github.com/golang/go/blob/go1.24.0/src/net/conf.go#L343
+RUN echo 'hosts: files dns' > /etc/nsswitch.conf
 FROM scratch
 COPY --from=builder /proj/lk-jwt-service /lk-jwt-service
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /etc/nsswitch.conf /etc/nsswitch.conf
 EXPOSE 8080
diff --git a/main.go b/main.go
index 701ffb5..b2c8814 100644
--- a/main.go
+++ b/main.go
@@ -23,6 +23,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"crypto/tls"
 	"time"
@@ -64,6 +65,8 @@ func exchangeOIDCToken(
 	if skipVerifyTLS {
 		log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName)
+		// Disable TLS verification on the default HTTP Transport for the well-known lookup
+		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{ InsecureSkipVerify: true }
 	}
 	client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true), fclient.WithSkipVerify(skipVerifyTLS))
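Review bot: The comment above the added `RUN echo 'hosts: files dns' > /etc/nsswitch.conf` justifies the change only with a link pinned to go1.24.0 `conf.go#L343`, which will drift as Go moves and does not say what behaviour is being configured; state the intent in words, e.g. `# scratch ships no /etc/nsswitch.conf; Go's pure resolver reads its hosts: line to pick the lookup order (files first, then DNS)`. If memory serves, recent Go releases already fall back to files-then-DNS when the file is absent (the linked region is near that check), so it is worth confirming whether this actually changes resolution for the builder's Go version or is a belt-and-braces measure, and the comment should say which. The builder image and its Go version are not visible in this hunk, so that cannot be checked here.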
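Review bot: The added `"crypto/tls"` import is inserted between `"os"` and `"time"`, which breaks the alphabetical ordering `goimports`/`gofmt` produce for the stdlib group and will be reshuffled by the next formatter run. It belongs before `"log"`, at whatever position the entries above the hunk (the start of the import block is outside it) leave for it alphabetically.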
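Review bot: The added assignment to `http.DefaultTransport.(*http.Transport).TLSClientConfig` disables certificate verification for every request in the process that goes through the default transport, not only the well-known lookup the comment names, and it repeats that write on every call of `exchangeOIDCToken` while other goroutines may be using the same `*http.Transport` with no synchronization, so the comment understates the effect and the `skipVerifyTLS` knob silently becomes process-wide. The unchecked type assertion also panics if anything has replaced `http.DefaultTransport` with another `http.RoundTripper` (tracing or metrics wrappers commonly do), and `&tls.Config{ InsecureSkipVerify: true }` is not gofmt-clean. If fclient's well-known lookup really is hard-wired to the default client, which the comment suggests and which would explain why the `fclient.WithSkipVerify(skipVerifyTLS)` on the next line is not enough, the least bad shape is to perform the swap once, on a `Clone()`, with a comment naming the blast radius; the sketch below does that lazily with a `sync.Once` (needs `"sync"`), which still leaves the first swap racy against concurrent default-transport users, so doing it in `main` right after the flag is parsed is preferable, and passing a dedicated transport into fclient is better still if it exposes an option for that. `exchangeOIDCToken` starts and ends outside the hunk.
```go
var insecureTransportOnce sync.Once

// … unchanged: exchangeOIDCToken signature and earlier body …
	if skipVerifyTLS {
		log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName)
		// The well-known lookup uses the process-wide default transport, so this relaxes
		// certificate checking for EVERY request made over http.DefaultTransport, not just
		// the matrix lookup. Swap once, on a clone, instead of mutating it on every call.
		insecureTransportOnce.Do(func() {
			if t, ok := http.DefaultTransport.(*http.Transport); ok {
				t = t.Clone()
				t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
				http.DefaultTransport = t
			}
		})
	}
	// … unchanged: fclient.NewClient call …
```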