I have tried to add verified certs to my ZAC instance; my setup is running fine except for browsers not trusting the console.
In config.yml I have set
```yaml
web:
  - name: client-management
    identity:
      ...
      alt_server_certs:
        - server_cert: "/etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem"
          server_key: "/etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/privkey.pem"
```
As laid out in the docs. My Let's Encrypt certs are valid: when I override the main `key:` and `server_cert:` with these values the webpage becomes trusted, but it breaks identities across the rest of Ziti for me.
Hi @Bricklock, welcome to the community and to OpenZiti!
The most likely scenario for this, in my opinion, is that the LE cert uses the same domain name as the private PKI. Other than that, it could be that the indentation is inconsistent for YAML. The most likely problem in my opinion is that the DNS for the LE cert is the same as the private PKI. Can you share what your advertise address looks like for the controller and what address you added to your LE cert?
+1
Ran into the same exact problem. Even used strace to see why the controller was not picking up my alt certificate.
I pointed a second sub-domain to the controller, configured another LE cert for this second name and it worked.
We are also experimenting with external authentication using an OIDC provider, and I had to reconfigure it all because all the redirect URLs and such were now using the alternate name.
This is probably something that is dead obvious to the OpenZiti team because the PKI infra cannot work with a public cert and thus a second domain is required for the publicly trusted certificate, but I would bet no one could figure it out on the first try even if you read through all the docs.
Welcome to the community and to OpenZiti, @cveilleux! Yeah, it's a common problem and not obvious. At this time, OpenZiti MUST operate its own PKI, if for nothing more than the overlay network itself. The problem is, if you overlap the FQDN of the private PKI with a public alt cert, the Go runtime will non-deterministically choose a cert. So it might work for one situation but fail for another. When using alt certs it's imperative to ensure the FQDNs do not overlap.
I'll take a note and see if I can upgrade the doc to make it clearer.
Ooh yes, the advertise address domain names are the same in the certs and the private PKI.
Am I able to use a broader cert for the certs and more specific for pki?
i.e. PKI: controller.ziti.domain and for LE ziti.domain?
Thanks so much for your help!
There are three places that alt certs are useful:
- For the ZAC (the ui for the controller)
- Possibly for apps using the controllers API
- Using the "add identity to a tunneler using a URL"
The OpenZiti components themselves will always favor using the private PKI. You CAN use the private PKI, but the bigger question is, "what exactly are you doing?" And why. I assume it's just for ZAC access; that's my guess.
You should use two FQDNs. The first FQDN is the private PKI that OpenZiti will maintain. The second is the URL you want to use for ZAC; get your LE cert for this FQDN and it'll work the way you want.
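To show why the two FQDNs must not overlap, here is an added example (not code from the thread or from OpenZiti) that uses a plain Go standard-library TLS listener as a stand-in for the controller's web listener: it serves a "private PKI" cert and an "alt" cert side by side and reports which leaf a client gets for a given SNI name. The names `ctrl.ziti.example` and `zac.ziti.example` and the CommonNames `private-pki` / `letsencrypt` are constructed labels; with distinct FQDNs the SNI name selects the right cert, while with an overlapping FQDN the name can no longer tell the two apart and the choice falls to list order in this stdlib setup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway cert: cn labels the issuing PKI, dnsName is the single SAN matched against SNI.
func selfSigned(cn, dnsName string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// servedCN offers both certs on a loopback TLS listener, connects with the given SNI and returns the CN served.
func servedCN(private, alt tls.Certificate, sni string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{private, alt}})
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // server side of a single handshake
		if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() }
	}()
	// Self-signed test certs, so verification is skipped; only the leaf that arrives is inspected.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil { return "", err }
	defer cli.Close()
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	private := selfSigned("private-pki", "ctrl.ziti.example")
	cn, _ := servedCN(private, selfSigned("letsencrypt", "zac.ziti.example"), "zac.ziti.example")
	fmt.Println("distinct FQDNs ->", cn) // letsencrypt: SNI picked the alt cert
	cn, _ = servedCN(private, selfSigned("letsencrypt", "ctrl.ziti.example"), "ctrl.ziti.example")
	fmt.Println("overlapping FQDN ->", cn) // SNI can no longer tell the two certs apart
}
```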