Adding Identity on Ziti Win Edge Client doesn't work

Hi OpenZiti Team,

Right now I'm testing OpenZiti and have installed the Windows Ziti Edge client on my personal PC.

Adding an identity currently doesn't work. Looking at my log files shows:

[2025-02-18T11:58:58.072Z]   DEBUG ziti-edge-tunnel:ipc_cmd.c:230 on_cmd() received cmd <{"Command":"Status"}>
[2025-02-18T11:58:58.072Z]   TRACE ziti-edge-tunnel:ipc_cmd.c:107 on_command_resp() resp[1,len=398] = {"Success":true,"Data":{"Active":false,"Duration":156804,"StartTime":"2025-02-18T11:56:21.268657Z","Identities":[],"IpInfo":{"Ip":"100.64.0.1","Subnet":"255.192.0.0","MTU":65535,"DNS":"100.64.0.2"},"LogLevel":"trace","ServiceVersion":{"Version":"v1.3.9","BuildDate":"Thu-01/16/2025-18:59:50-"},"TunIpv4":"100.64.0.1","TunIpv4Mask":10,"AddDns":false,"ApiPageSize":25,"TunName":"ziti-tun0"},"Code":0}
[2025-02-18T11:58:58.219Z]   DEBUG ziti-edge-tunnel:ipc_cmd.c:230 on_cmd() received cmd <{"Data":{"UseKeychain":true,"IdentityFilename":"user_reinsle_buero","JwtContent":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImI5NTAyMzUzOTE5ZWVkZTYxYTlhNzRjNDQzODE3ZmVjMTE5YmQ4ZTIiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2NsaWVudC5zZG4uZWluc2xlLmRlOjQ0MyIsInN1YiI6IkJFVk53cHFtTiIsImF1ZCI6WyIiXSwiZXhwIjoxNzM5ODkwNjg4LCJqdGkiOiI5NGRkYmM0Zi1lMmExLTQ1YmEtYjFkZC1hMTIzYWRiYWNlZmQiLCJlbSI6Im90dCIsImN0cmxzIjpbInRsczpjbGllbnQuc2RuLmVpbnNsZS5kZTo0NDMiXX0.SP0RyAC9aUxnhpWbX6NMtuYwmRHOXpH-iXJeSKNDdqLcziyoxTUaQfJyoGzJf8OMFvMZj9Kt62evi-Kxx8VbNMegvDcDByfQDkVuY4ga1-x7cxzThHu5Pdh3VQp0u4Lkduncy4dpdIN7x0zvFqDCtfaCwvgbYFTSWgxNguTjXqfpnpWKTZZILyqplMqoWkjEvqRWtvOUkwgd7ZBQctg_Ok8M-TCqorE-4pL2ILlzNZkfXktEcMBDxQGOrsAvo8oM8CLpVaUxjtEVMCimgORg8qJZYCljzscGFgy9Vuma4yiyGuS-sfbdnKAEmBMqOB5ew7D8qZ_6fj4AlTbhJ-V2AX3otPaiIUKkKXRi5vwvZJaRRfyK4TeeBTVz0JAZdrXOmZDPvXyK_SOM0ZBTa0M8F5ZxpEMYw_vGkKoefK_jbSflbXPcT8jlH3iCSss2sTdFLCQqvQrtlEokm_Ji49oJ8AVfExrxrJxzBJ-WJN-nc7tUseWInbSJbPzebCXEw70k8tOqeLhha3LT7lS7yT7uuxvk6TQd_1VsPC-gT7sSchKh_u2DyXTjxHHJEL1yXNLQ
[2025-02-18T11:58:58.219Z]    INFO ziti-sdk:ziti_enroll.c:112 ziti_enroll() Ziti C SDK version 1.3.7 @g94225a3(HEAD) starting enrollment at (2025-02-18T11:58:58.219)
[2025-02-18T11:58:58.219Z]   DEBUG ziti-sdk:ziti_enroll.c:464 parse_enrollment_jwt() jwt signature is: SP0RyAC9aUxnhpWbX6NMtuYwmRHOXpH-iXJeSKNDdqLcziyoxTUaQfJyoGzJf8OMFvMZj9Kt62evi-Kxx8VbNMegvDcDByfQDkVuY4ga1-x7cxzThHu5Pdh3VQp0u4Lkduncy4dpdIN7x0zvFqDCtfaCwvgbYFTSWgxNguTjXqfpnpWKTZZILyqplMqoWkjEvqRWtvOUkwgd7ZBQctg_Ok8M-TCqorE-4pL2ILlzNZkfXktEcMBDxQGOrsAvo8oM8CLpVaUxjtEVMCimgORg8qJZYCljzscGFgy9Vuma4yiyGuS-sfbdnKAEmBMqOB5ew7D8qZ_6fj4AlTbhJ-V2AX3otPaiIUKkKXRi5vwvZJaRRfyK4TeeBTVz0JAZdrXOmZDPvXyK_SOM0ZBTa0M8F5ZxpEMYw_vGkKoefK_jbSflbXPcT8jlH3iCSss2sTdFLCQqvQrtlEokm_Ji49oJ8AVfExrxrJxzBJ-WJN-nc7tUseWInbSJbPzebCXEw70k8tOqeLhha3LT7lS7yT7uuxvk6TQd_1VsPC-gT7sSchKh_u2DyXTjxHHJEL1yXNLQmQFUQFuZAM5Hf1kEfT9_gAAVHUxx6aaVPKeX8QfmT0AGnj97OyLN_qRlZyeK7XJa5uILN47rInFVN2vkl6DoByyvTFNs-6P3DJQOGN2MBQY
[2025-02-18T11:58:58.219Z]    INFO ziti-sdk:ziti_ctrl.c:632 ziti_ctrl_init() ctrl[(null):] using https://client.sdn.einsle.de:443
[2025-02-18T11:58:58.219Z]   DEBUG ziti-sdk:ziti_ctrl.c:646 ziti_ctrl_init() ctrl[client.sdn.einsle.de:443] ziti controller client initialized
[2025-02-18T11:58:58.219Z] VERBOSE ziti-sdk:ziti_ctrl.c:152 start_request() ctrl[client.sdn.einsle.de:443] starting GET[/version]
[2025-02-18T11:58:58.219Z] VERBOSE ziti-sdk:ziti_ctrl.c:152 start_request() ctrl[client.sdn.einsle.de:443] starting GET[/.well-known/est/cacerts]
[2025-02-18T11:58:58.219Z]    INFO ziti-edge-tunnel:process_cmd.c:125 enroll_ziti_async() enrollment started. identity file will be written to: c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\user_reinsle_buero.json
[2025-02-18T11:58:58.274Z]   DEBUG ziti-sdk:ziti_enroll.c:58 verify_controller_jwt() verifying JWT signature
[2025-02-18T11:58:58.275Z]   DEBUG ziti-sdk:ziti_enroll.c:86 verify_controller_jwt() JWT verification succeeded!
[2025-02-18T11:58:58.288Z] VERBOSE ziti-sdk:ziti_ctrl.c:207 ctrl_resp_cb() ctrl[client.sdn.einsle.de:443] received headers GET[/version]
[2025-02-18T11:58:58.288Z]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[client.sdn.einsle.de:443] completed GET[/version] in 0.069 s
[2025-02-18T11:58:58.301Z] VERBOSE ziti-sdk:ziti_ctrl.c:207 ctrl_resp_cb() ctrl[client.sdn.einsle.de:443] received headers GET[/.well-known/est/cacerts]
[2025-02-18T11:58:58.302Z] VERBOSE ziti-sdk:ziti_enroll.c:352 well_known_certs_cb() base64_encoded_pkcs7 is: MIIMGQYJKoZIhvcNAQcCoIIMCjCCDAYCAQExADALBgkqhkiG9w0BBwGgggvsMIIF[...]
[2025-02-18T11:58:58.302Z]   DEBUG ziti-sdk:ziti_enroll.c:367 well_known_certs_cb() CA PEM len = 4244
[2025-02-18T11:58:58.302Z]   TRACE ziti-sdk:ziti_enroll.c:368 well_known_certs_cb() CA PEM:
-----BEGIN CERTIFICATE-----[...]
[2025-02-18T11:58:58.302Z]    INFO ziti-sdk:ziti_ctrl.c:632 ziti_ctrl_init() ctrl[(null):] using https://client.sdn.einsle.de:443
[2025-02-18T11:58:58.302Z]   DEBUG ziti-sdk:ziti_ctrl.c:646 ziti_ctrl_init() ctrl[client.sdn.einsle.de:443] ziti controller client initialized
[2025-02-18T11:58:58.302Z] VERBOSE ziti-sdk:ziti_ctrl.c:152 start_request() ctrl[client.sdn.einsle.de:443] starting GET[/version]
[2025-02-18T11:58:58.424Z] VERBOSE ziti-sdk:ziti_ctrl.c:152 start_request() ctrl[client.sdn.einsle.de:443] starting POST[/enroll]
[2025-02-18T11:58:58.503Z] VERBOSE ziti-sdk:ziti_ctrl.c:207 ctrl_resp_cb() ctrl[client.sdn.einsle.de:443] received headers GET[/version]
[2025-02-18T11:58:58.503Z]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[client.sdn.einsle.de:443] completed GET[/version] in 0.200 s
[2025-02-18T11:58:58.550Z] VERBOSE ziti-sdk:ziti_ctrl.c:207 ctrl_resp_cb() ctrl[client.sdn.einsle.de:443] received headers POST[/enroll]
[2025-02-18T11:58:58.550Z]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[client.sdn.einsle.de:443] completed POST[/enroll] in 0.125 s
[2025-02-18T11:58:58.550Z]   DEBUG ziti-sdk:ziti_enroll.c:407 enroll_cb() successfully enrolled with controller https://client.sdn.einsle.de:443
[2025-02-18T11:58:58.554Z]    WARN ziti-edge-tunnel:instance.c:51 find_tunnel_identity() Identity ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\user_reinsle_buero.json] is not loaded yet or already removed.
[2025-02-18T11:58:58.554Z]   TRACE tunnel-cbs:ziti_tunnel_ctrl.c:223 process_cmd() processing command[LoadIdentity] with data[{"Identifier":"c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\netfoundry\\user_reinsle_buero.json","Path":"c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\netfoundry\\user_reinsle_buero.json","Disabled":false,"ApiPageSize":25}]
[2025-02-18T11:58:58.554Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1163 load_ziti_async() attempting to load ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\user_reinsle_buero.json]
[2025-02-18T11:58:58.554Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1170 load_ziti_async() loading ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\user_reinsle_buero.json]
[2025-02-18T11:58:58.554Z]   TRACE ziti-edge-tunnel:ipc_cmd.c:107 on_command_resp() resp[1,len=25] = {"Success":true,"Code":0}
[2025-02-18T11:58:58.556Z]   DEBUG ziti-edge-tunnel:instance-config.c:117 save_tunnel_status_to_file() Saved current tunnel status into Config file c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\config.json
[2025-02-18T11:58:58.556Z]   TRACE ziti-edge-tunnel:instance-config.c:121 save_tunnel_status_to_file() Cleaning up resources used for the backup of tunnel config file c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\config.json
[2025-02-18T11:58:58.557Z]    INFO ziti-sdk:ziti.c:505 ziti_start_internal() ztx[0] enabling Ziti Context
[2025-02-18T11:58:58.564Z]    INFO ziti-sdk:ziti.c:522 ziti_start_internal() ztx[0] using tlsuv[v0.33.4/OpenSSL 3.3.1 4 Jun 2024]
[2025-02-18T11:58:58.564Z]    INFO ziti-sdk:ziti_ctrl.c:632 ziti_ctrl_init() ctrl[(null):] using https://client.sdn.einsle.de:443
[2025-02-18T11:58:58.564Z]   DEBUG ziti-sdk:ziti_ctrl.c:646 ziti_ctrl_init() ctrl[client.sdn.einsle.de:443] ziti controller client initialized
[2025-02-18T11:58:58.564Z] VERBOSE ziti-sdk:ziti_ctrl.c:152 start_request() ctrl[client.sdn.einsle.de:443] starting GET[/version]
[2025-02-18T11:58:58.564Z]    INFO ziti-sdk:ziti.c:600 ztx_init_controller() ztx[0] Loading ziti context with controller[https://client.sdn.einsle.de:443]
[2025-02-18T11:58:58.564Z]   DEBUG ziti-sdk:ziti.c:531 ziti_start_internal() ztx[0] using metrics interval: 0
[2025-02-18T11:58:58.564Z]   DEBUG ziti-sdk:ziti.c:218 ziti_set_unauthenticated() ztx[0] setting auth_state[0] to 0
[2025-02-18T11:58:58.564Z]   DEBUG ziti-sdk:ziti_ctrl.c:386 ziti_ctrl_clear_api_session() ctrl[client.sdn.einsle.de:443] clearing api session token for ziti_controller
[2025-02-18T11:58:58.564Z]   DEBUG ziti-sdk:ziti_ctrl.c:1071 ctrl_paging_req() ctrl[client.sdn.einsle.de:443] starting paging request GET[/external-jwt-signers]
[2025-02-18T11:58:58.564Z] VERBOSE ziti-sdk:ziti_ctrl.c:1076 ctrl_paging_req() ctrl[client.sdn.einsle.de:443] requesting /external-jwt-signers?limit=25&offset=0
[2025-02-18T11:58:58.564Z] VERBOSE ziti-sdk:ziti_ctrl.c:152 start_request() ctrl[client.sdn.einsle.de:443] starting GET[/external-jwt-signers?limit=25&offset=0]
[2025-02-18T11:58:58.657Z]   ERROR tlsuv:win32_keychain.c:248 failed to sign: TPM 2.0: Die Struktur hat die falsche Größe.


[2025-02-18T11:58:58.657Z]   ERROR tlsuv:engine.c:923 openssl: handshake was terminated: error:00000005:lib(0)::reason(5)
[2025-02-18T11:58:58.657Z]   ERROR tlsuv:tls_link.c:113 TLS(000002bdccc1a0b0) handshake error error:00000005:lib(0)::reason(5)
[2025-02-18T11:58:58.657Z]   ERROR tlsuv:http.c:189 handshake failed status[3]: error:00000005:lib(0)::reason(5)
[2025-02-18T11:58:58.657Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[client.sdn.einsle.de:443] request failed: -4079(software caused connection abort)
[2025-02-18T11:58:58.657Z]    WARN ziti-sdk:ziti_ctrl.c:342 internal_version_cb() ctrl[client.sdn.einsle.de:443] CONTROLLER_UNAVAILABLE(software caused connection abort)
[2025-02-18T11:58:58.657Z]    WARN ziti-sdk:ziti.c:1908 version_pre_auth_cb() ztx[0] failed to get controller version: CONTROLLER_UNAVAILABLE/software caused connection abort
[2025-02-18T11:58:58.657Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[client.sdn.einsle.de:443] request failed: -4079(software caused connection abort)
[2025-02-18T11:58:58.657Z]    INFO ziti-sdk:ziti_ctrl.c:187 ctrl_resp_cb() ctrl[client.sdn.einsle.de:443] attempting to switch endpoint
[2025-02-18T11:58:58.657Z]    WARN ziti-sdk:ziti_ctrl.c:605 ctrl_next_ep() ctrl[client.sdn.einsle.de:443] no controllers are online
[2025-02-18T11:58:58.657Z]    WARN ziti-sdk:ziti.c:641 ext_jwt_singers_cb() ztx[0] failed to get external auth providers: software caused connection abort

The first error I got is

[2025-02-18T11:58:58.657Z]   ERROR tlsuv:win32_keychain.c:248 failed to sign: TPM 2.0: Die Struktur hat die falsche Größe. (German: "The structure has the wrong size.")

Any idea what happened?

Adding other identities on other PCs and mobile devices is working.

Greetings

Robert

Hi @reinsle, welcome to the community and to OpenZiti!

Thanks for a relevant log snippet. The "add by URL" feature is special. When you add an identity using external JWT signers by URL, you must ensure the URL is trusted by your operating system. That means you either must use a public CA (ZeroSSL/Let's Encrypt/etc.) or you need to add the CA for the OpenZiti controller to your OS (establishing the trust). The by-URL functionality relies on that trust being preconfigured.

Instead, to use ext-jwt-signers with the private PKI, download the network JWT from the ZAC or through your controller's network-jwts endpoint. For example: https://ctrl.cdaws.clint.demo.openziti.org:8441/network-jwts

You will need to extract the text between the token and add it to a file as is (no spaces/returns/formatting). Grabbing this from the ZAC ext-jwt-signers page is the easiest way to get it in my opinion.

Mac/iOS don't have an "add by url" feature just yet. We're working on that. You either used a different URL on those or you downloaded a JWT.

Hi @TheLumberjack,

sorry, this description was missing from my side.

I created the identity using ZAC and downloaded the JWT token via ZAC.

On the Windows client I used Add Identity / With JWT and used the downloaded file.

So I didn't use the URL part.

Greetings

Robert

Oh. Well then in THAT case, I misread the error! :) After looking at it again, I see you called out the keychain error. That's my bad.

OK. Then in this case, this is because the keychain code introduced not long ago is not working for you. I filed a bug on this last week.

You will be able to enroll once you disable keychain support. Go to Main Menu -> Advanced Settings -> Tunnel Config -> Edit Values -> Use Keychain = unchecked -> save

Exit to the main view and turn the tunneler off/on using the big green button and the enrollment should succeed.

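As an added illustration (not code from this thread or from the OpenZiti project), the following Python script parses ziti-edge-tunnel log lines in the format shown above and flags the pattern diagnosed in this thread: an AddIdentity IPC command carrying UseKeychain true, a successful POST /enroll, and then a win32_keychain.c signing failure immediately followed by a TLS handshake abort. The embedded sample log is constructed from shortened versions of the lines posted above, with the JWT and controller hostname replaced; the Record/Triage dataclasses, the verdict strings and the explain() wording are this example's own and are not an OpenZiti API.

```python
"""Triage a ziti-edge-tunnel (Windows) log for the keychain/TPM signing failure.

Added example; it is not part of OpenZiti.  It only pattern-matches on the
log format visible in the thread above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Tunneler log format: [ts] LEVEL source:file:line [func()] message
# The func() part is absent on tlsuv lines, so it is optional.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+"
    r"(?P<src>[\w-]+):(?P<file>[\w.]+):(?P<line>\d+)\s+"
    r"(?:(?P<func>\w+)\(\)\s*)?(?P<msg>.*)$"
)


@dataclass
class Record:
    ts: str
    level: str
    src: str
    file: str
    line: int
    func: Optional[str]
    msg: str


def parse_log(text: str) -> List[Record]:
    """Parse log lines; lines that do not start a record (wrapped JSON, PEM
    dumps, the bare '>' seen in the thread) are appended to the previous one."""
    records: List[Record] = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            d = m.groupdict()
            records.append(Record(d["ts"], d["level"], d["src"], d["file"],
                                  int(d["line"]), d["func"], d["msg"]))
        elif records and raw.strip():
            records[-1].msg += "\n" + raw
    return records


@dataclass
class Triage:
    use_keychain: Optional[bool]        # UseKeychain flag from the AddIdentity command, if seen
    enrolled: bool                      # enroll_cb() reported success
    keychain_sign_error: Optional[str]  # message from win32_keychain.c, if any
    tls_handshake_failed: bool          # tlsuv aborted a TLS handshake
    first_error: Optional[Record]       # first ERROR-level record, in log order
    verdict: str                        # "keychain-signing-failure" | "other-error" | "ok"


def triage(text: str) -> Triage:
    recs = parse_log(text)
    use_keychain: Optional[bool] = None
    enrolled = False
    sign_err: Optional[str] = None
    tls_failed = False
    for r in recs:
        # The IPC command JSON is huge (it embeds the whole JWT) and may be cut
        # off in a pasted log, so grep the flag instead of json.loads().
        if r.func == "on_cmd":
            m = re.search(r'"UseKeychain"\s*:\s*(true|false)', r.msg)
            if m:
                use_keychain = m.group(1) == "true"
        elif "successfully enrolled with controller" in r.msg:
            enrolled = True
        elif r.file == "win32_keychain.c" and "failed to sign" in r.msg:
            sign_err = r.msg
        elif r.src == "tlsuv" and ("handshake was terminated" in r.msg
                                   or "handshake failed" in r.msg):
            tls_failed = True
    first_error = next((r for r in recs if r.level == "ERROR"), None)
    if sign_err and tls_failed:
        verdict = "keychain-signing-failure"
    elif first_error:
        verdict = "other-error"
    else:
        verdict = "ok"
    return Triage(use_keychain, enrolled, sign_err, tls_failed, first_error, verdict)


def explain(t: Triage) -> str:
    """One-line human summary of the triage result."""
    if t.verdict == "keychain-signing-failure":
        return ("enrollment succeeded but the OS keychain/TPM could not sign the TLS client "
                "handshake (UseKeychain=%s); disable 'Use Keychain' in Tunnel Config, "
                "restart the tunneler and add the identity again" % t.use_keychain)
    if t.verdict == "other-error":
        return "first error: %s:%d %s" % (t.first_error.file, t.first_error.line, t.first_error.msg)
    return "no errors found"


# Constructed sample, shortened from the thread's log; JWT and hostname replaced.
SAMPLE_LOG = "\n".join([
    '[2025-02-18T11:58:58.072Z]   DEBUG ziti-edge-tunnel:ipc_cmd.c:230 on_cmd() received cmd <{"Command":"Status"}',
    '>',
    '[2025-02-18T11:58:58.219Z]   DEBUG ziti-edge-tunnel:ipc_cmd.c:230 on_cmd() received cmd <{"Data":{"UseKeychain":true,"IdentityFilename":"example","JwtContent":"eyJ...TRUNCATED',
    '[2025-02-18T11:58:58.219Z]    INFO ziti-sdk:ziti_enroll.c:112 ziti_enroll() Ziti C SDK version 1.3.7 starting enrollment',
    '[2025-02-18T11:58:58.550Z]   DEBUG ziti-sdk:ziti_enroll.c:407 enroll_cb() successfully enrolled with controller https://ctrl.example.test:443',
    '[2025-02-18T11:58:58.657Z]   ERROR tlsuv:win32_keychain.c:248 failed to sign: TPM 2.0: Die Struktur hat die falsche Größe.',
    '[2025-02-18T11:58:58.657Z]   ERROR tlsuv:engine.c:923 openssl: handshake was terminated: error:00000005:lib(0)::reason(5)',
    '[2025-02-18T11:58:58.657Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[ctrl.example.test:443] request failed: -4079(software caused connection abort)',
])

if __name__ == "__main__":
    print(explain(triage(SAMPLE_LOG)))
```

Run it against a real log with `triage(open(path, encoding="utf-8").read())`; the UseKeychain value tells you whether the identity's private key was generated in the Windows keychain (TPM-backed), which is the configuration the thread's workaround turns off.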

Hi,

thanks a lot, works now.

Topic can be closed

Greetings

Robert