Hi there,
I'm using Ziti controllers in HA mode, v1.5.4, installed locally on my network.
I want the controller HTTP APIs to present a publicly trusted certificate but use a private PKI with a different domain for everything else: signing identity certs, overlay traffic, etc. My private PKI uses a completely separate domain, e.g. lifeboat.ziti.
For example, I've created a Let's Encrypt certificate for *.ziti.example.com and configured its server_cert and server_key files in web.identity.alt_server_certs. Now when I curl https://ziti-controller-1.ziti.example.com the presented certificate is trusted and I no longer get a self-signed cert error. ZAC also presents the publicly trusted cert as long as I address the service using the ziti.example.com domain.
My controllers and edge routers all connect to each other, no problem.
However, when I attempt to enrol an identity using ZET, I get the TLS errors below.
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] INFO ziti-sdk:utils.c:198 ziti_log_set_level() set log level: root=3/INFO
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] INFO ziti-sdk:utils.c:167 ziti_log_init() Ziti C SDK version 1.6.1 @g6057d76(HEAD) starting at (2025-07-03T15:58:10.652)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] INFO ziti-sdk:ziti_enroll.c:112 ziti_enroll() Ziti C SDK version 1.6.1 @g6057d76(HEAD) starting enrollment at (2025-07-03T15:58:10.652)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] INFO ziti-sdk:ziti_ctrl.c:637 ziti_ctrl_init() ctrl[https://ziti-controller-1.ziti.example.com:443] controller initialized
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] INFO ziti-sdk:ziti_ctrl.c:637 ziti_ctrl_init() ctrl[https://ziti-controller-1.ziti.example.com:443] controller initialized
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] ERROR tlsuv:engine.c:955 openssl: handshake was terminated: error:00000005:lib(0)::reason(5)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] ERROR tlsuv:tls_link.c:113 TLS(0x559e6c7fa0e0) handshake error error:00000005:lib(0)::reason(5)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] ERROR tlsuv:http.c:188 handshake failed status[3]: error:00000005:lib(0)::reason(5)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://ziti-controller-1.ziti.example.com:443] request failed: -103(software caused connection abort)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] WARN ziti-sdk:ziti_ctrl.c:336 internal_version_cb() ctrl[https://ziti-controller-1.ziti.example.com:443] CONTROLLER_UNAVAILABLE(software caused connection abort)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://ziti-controller-1.ziti.example.com:443] request failed: -103(software caused connection abort)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] INFO ziti-sdk:ziti_ctrl.c:180 ctrl_resp_cb() ctrl[https://ziti-controller-1.ziti.example.com:443] attempting to switch endpoint
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] WARN ziti-sdk:ziti_ctrl.c:602 ctrl_next_ep() ctrl[https://ziti-controller-1.ziti.example.com:443] no controllers are online
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] ERROR ziti-sdk:ziti_enroll.c:419 enroll_cb() failed to enroll with controller: https://ziti-controller-1.ziti.example.com:443 CONTROLLER_UNAVAILABLE[software caused connection abort] reason[]
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5173]: (5173)[ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1644 enroll_cb() enrollment failed: ziti controller is not available(-16)
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5169]: Segmentation fault
Jul 03 15:58:10 zet-fcjgbtpr ziti-edge-tunnel.sh[5169]: ERROR: failed to enroll zet-fcjgbtpr.lifeboat.controller.jwt in /opt/openziti/etc/identities
Controller log:
Jul 03 15:58:10 ziti-controller-1 ziti[2712]: {"_context":"tls:0.0.0.0:443","error":"local error: tls: bad record MAC","file":"github.com/openziti/transport/v2@v2.0.167/tls/listener.go:260","func":"github.com/openziti/transport/v2/tls.(*sharedListener).processConn","level":"error","msg":"handshake failed","remote":"192.168.54.118:48984","time":"2025-07-03T15:58:10.666Z"}
Controller config:
v: 3

commandRateLimiter:
  enabled: true
  maxQueued: 1000

tls:
  handshakeTimeout: 30s
  rateLimiter:
    enabled: true
    minSize: 5
    maxSize: 250

cluster:
  dataDir: ./data/

identity:
  cert: ./pki/ziti-controller-1/certs/server.chain.pem
  key: ./pki/ziti-controller-1/keys/server.key
  ca: ./pki/ziti-controller-1/certs/ziti-controller-1.chain.pem

ctrl:
  listener: tls:0.0.0.0:8443
  options:
    advertiseAddress: tls:ziti-controller-1.lifeboat.ziti:8443
    maxQueuedConnects: 100
    maxOutstandingConnects: 100
    connectTimeoutMs: 2000
    writeTimeout: 15s

events:
  jsonLogger:
    subscriptions:
      - type: connect
      - type: cluster
    handler:
      type: file
      format: json
      path: /tmp/ziti-events.log

edge:
  api:
    address: ziti-controller-1.ziti.example.com:443
  enrollment:
    signingCert:
      cert: ./pki/ziti-controller-1/certs/ziti-controller-1.cert
      key: ./pki/ziti-controller-1/keys/ziti-controller-1.key
    edgeIdentity:
      duration: 600m
    edgeRouter:
      duration: 10m

web:
  - name: all-apis-localhost
    identity:
      cert: ./pki/ziti-controller-1/certs/ziti-controller-1.cert
      key: ./pki/ziti-controller-1/keys/ziti-controller-1.key
      server_cert: ./pki/ziti-controller-1/certs/server.chain.pem
      server_key: ./pki/ziti-controller-1/keys/server.key
      ca: ./pki/ziti-controller-1/certs/ziti-controller-1.chain.pem
      alt_server_certs:
        - server_cert: ./pki/alt/lets_encrypt.cert
          server_key: ./pki/alt/lets_encrypt.key
    bindPoints:
      - interface: 0.0.0.0:443
        address: ziti-controller-1.ziti.example.com:443
    options:
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: health-checks
      - binding: fabric
      - binding: edge-management
      - binding: edge-client
      - binding: edge-oidc
      - binding: zac
        options:
          location: /opt/openziti/share/console
          indexFile: index.html
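A check that helps narrow down a setup like this, added here as an example and not part of the original post or of OpenZiti: the SDK log above shows ZET targeting https://ziti-controller-1.ziti.example.com:443, and that address comes from the enrollment token, so the first thing to confirm is which controller name the token points at and whether the certificate the controller presents for that name (captured with `openssl s_client -servername <host> -connect <host>:443`, then `openssl x509 -noout -ext subjectAltName`) actually covers it. The script decodes the token payload without verifying it (inspection only), pulls the issuer host out of `iss`, and matches it against a SAN list using RFC 6125 wildcard rules, where `*.ziti.example.com` covers exactly one label. The token, its claims, and both SAN lists are constructed for the example; the controller names are those from the post.

```python
"""Does the controller name in an enrollment JWT match a server cert's SANs?

Added example (not OpenZiti code). Assumes the enrollment JWT carries the
controller URL in its `iss` claim, and that the SAN names of the certificate
presented for that host have been captured separately (e.g. with openssl).
"""
import base64
import json
from urllib.parse import urlsplit


def _b64url_segment(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped token with a placeholder signature (constructed test data only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_segment(header), _b64url_segment(claims), "placeholder-signature"])


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying the signature.

    Suitable for inspecting where an enrollment will connect; never use the
    claims from an unverified token to make a trust decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_host(claims: dict) -> tuple:
    """Return (hostname, port) from the `iss` URL; port defaults to 443 for https."""
    url = urlsplit(claims["iss"])
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"unexpected issuer URL: {claims['iss']!r}")
    return url.hostname.lower(), url.port or 443


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS name matching: '*' stands for exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".ziti.example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]  # the part the wildcard would have to cover
    return bool(label) and "." not in label


def check_enrollment_target(token: str, san_names: list) -> dict:
    """Report the controller host the token points at and which SANs cover it."""
    host, port = issuer_host(decode_jwt_payload(token))
    matched = [p for p in san_names if san_matches(p, host)]
    return {"host": host, "port": port, "covered": bool(matched), "matched_by": matched}


# Constructed sample data: claims shaped like a Ziti enrollment token, and the
# SAN lists one would expect on the Let's Encrypt cert and the private-PKI cert.
SAMPLE_CLAIMS = {
    "iss": "https://ziti-controller-1.ziti.example.com:443",
    "sub": "constructed-identity-id",
    "em": "ott",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)
PUBLIC_CERT_SANS = ["*.ziti.example.com"]
PRIVATE_CERT_SANS = ["ziti-controller-1.lifeboat.ziti", "localhost"]

if __name__ == "__main__":
    for label, sans in (("public", PUBLIC_CERT_SANS), ("private", PRIVATE_CERT_SANS)):
        result = check_enrollment_target(SAMPLE_TOKEN, sans)
        print(f"{label} cert SANs {sans}: {result}")
```

If the issuer host is covered by the public cert's SANs but the handshake still fails, the next thing to compare is the certificate chain actually served for that SNI (the `-servername` capture above) against what curl received, since curl and the SDK may not send the same SNI or trust the same roots.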