Alt_server_certs not working properly

Hey,

I'm deploying my controller using docker (image version 1.6.2).

Here's my config.yaml:

v: 3
db:                     "/ziti-controller/bbolt.db"

identity:
  cert:        "pki/intermediate/certs/client.chain.pem"
  server_cert: "pki/intermediate/certs/server.chain.pem"
  key:         "pki/intermediate/keys/server.key"
  ca:          "pki/root/certs/root.cert"

ctrl:
  options:
    advertiseAddress: tls:overlay.abc.com:1280
  listener: tls:0.0.0.0:1280

healthChecks:
  boltCheck:
    interval: 30s
    timeout: 20s
    initialDelay: 30s

edge:
  api:
    sessionTimeout: 30m
    address: overlay.abc.com:1280
  enrollment:
    signingCert:
      cert: pki/intermediate/certs/intermediate.cert
      key:  pki/intermediate/keys/intermediate.key
    edgeIdentity:
      duration: 180m
    edgeRouter:
      duration: 180m

web:
  - name: all-apis
    bindPoints:
      - interface: 0.0.0.0:1280
        address: overlay.abc.com:1280
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"

      alt_server_certs:
        - server_cert: "/alt_server_certs/etc/letsencrypt/live/overlay.xyz.com/cert.pem"
          server_key:  "/alt_server_certs/etc/letsencrypt/live/overlay.xyz.com/privkey.pem"

    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      - binding: fabric
        options: { }
      - binding: edge-oidc
        options: { }
      - binding: edge-client
        options: { }
      - binding: zac
        options:
          location: /ziti-console
          indexFile: index.html

The certificates in alt_server_certs are generated for both domain "overlay.abc.com" and "overlay.xyz.com":

ares@docker_server_1:/etc/letsencrypt/live/overlay.xyz.com$ openssl x509 -in cert.pem -noout -text | grep -A1 "Subject Alternative Name"
            X509v3 Subject Alternative Name:
                DNS:overlay.abc.com, DNS:overlay.xyz.com

When I go to https://overlay.abc.com:1280/zac it looks like it's presenting the self-signed certificate generated by OpenZiti. But when going to https://overlay.xyz.com:1280/zac everything seems to be working fine (it's presenting the actual cert I provided in alt_server_certs).

Any idea of what could be the issue?
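A way to check the symptom described above per requested name, rather than by inspecting the files on disk: connect to the listener once per hostname, sending that hostname as the TLS SNI, and look at which leaf certificate the server actually chose for it. The script below is an added example, not code from the original post or from the OpenZiti project. It assumes the `openssl` CLI is on PATH (the same tool used in the post) and uses the hostnames and port from the post as placeholders. The SAN matching follows the usual exact/leftmost-wildcard rules, so it also covers wildcard certificates, which the post does not use.

```python
"""Report which certificate a TLS listener serves for each SNI name.

Added example, not part of the original post or of OpenZiti. Verification is
deliberately disabled in fetch_served_cert_pem: the goal is to inspect whatever
the server presents (default identity cert vs. an alt_server_certs entry), not
to trust it.
"""
import re
import socket
import ssl
import subprocess

# Matches the "DNS:name" entries of an openssl subjectAltName dump.
SAN_DNS_RE = re.compile(r"DNS:([^,\s]+)")


def parse_san_dns(text: str) -> list[str]:
    """Extract DNS SAN entries from `openssl x509 -text` / `-ext subjectAltName` output."""
    return [m.lower() for m in SAN_DNS_RE.findall(text)]


def hostname_covered(hostname: str, san_dns: list[str]) -> bool:
    """Exact match, or a wildcard in the leftmost label only that covers exactly
    one label: '*.abc.com' covers 'overlay.abc.com' but not 'abc.com' or 'a.b.abc.com'."""
    host = hostname.lower().rstrip(".")
    for name in san_dns:
        name = name.rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".abc.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
    return False


def fetch_served_cert_pem(host: str, port: int, sni: str) -> str:
    """Handshake with host:port sending `sni` as the server name; return the leaf
    certificate the server picked for that name, as PEM."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def describe_cert(pem: str) -> str:
    """Subject, issuer and SAN via the openssl CLI, so a controller-issued default
    cert and a Let's Encrypt alt cert are easy to tell apart by issuer."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-ext", "subjectAltName"],
        input=pem, capture_output=True, text=True, check=True,
    )
    return out.stdout


def check_sni(host: str, port: int, names: list[str]) -> dict[str, bool]:
    """For each name, connect with that SNI and record whether the served cert covers it."""
    result = {}
    for sni in names:
        desc = describe_cert(fetch_served_cert_pem(host, port, sni))
        covered = hostname_covered(sni, parse_san_dns(desc))
        result[sni] = covered
        print(f"== SNI {sni}: {'covered' if covered else 'MISMATCH'}\n{desc}")
    return result


if __name__ == "__main__":
    # Placeholders taken from the post; point these at the real controller.
    check_sni("overlay.abc.com", 1280, ["overlay.abc.com", "overlay.xyz.com"])
```

Running it against both names prints the issuer and SAN of the certificate chosen for each SNI, which shows directly whether a name is being answered with the default identity certificate or with the alt_server_certs one.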

You should not mix the domains. Use one domain for OpenZiti and another for the alternative server cert.
