Authentication failing with docker compose controller

Hi,
I have deployed the controller via docker compose following the steps outlined here

The controller comes up. However, when I am trying to login the login is failing with "Authentication Request Failed"

error: unable to authenticate to https://controller.domain.tld/edge/management/v1. Status code: 401 Unauthorized, Server returned: {
    "error": {
        "code": "INVALID_AUTH",
        "message": "The authentication request failed",
        "requestId": "lw29A8gWr"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}

I have set up ZITI_PWD in .env and also confirmed the password on the shell.

Any help is appreciated.

Hi @waqas, welcome to the community and to OpenZiti!

I just ran the instructions and didn't end up with the same problem. Is it possible you ran this multiple times and didn't down -v between runs and just have the wrong password initialized? That's my guess.

Here was my .env file:

$ cat .env
ZITI_PWD=myziti
ZITI_CTRL_ADVERTISED_ADDRESS=ctrl.127.21.71.0.sslip.io

After that, I ran docker compose down -v followed by docker compose up and I was able to login fine.

Try down -v and then up again.

Thanks @TheLumberjack for getting back... Yeah, I just made it through... Looks like my password had "==" which it didn't like. I changed the password and it worked somehow...
Thanks a ton.

@TheLumberjack
I am now looking at setting up the router... by following the docs and the same YouTube video...
However, in my case I have a different machine for the router. I am planning to run it on port 443.

I have generated the token in controller and bootstrapping the router using docker-compose.
The router container keeps dying and the logs are showing.

ziti-router-1 | {"cause":"token signature is invalid: key is of invalid type: RSA verify expects *rsa.PublicKey","file":"github.com/openziti/ziti/router/enroll/enroll.go:77","func":"github.com/openziti/ziti/router/enroll.(*RestEnroller).Enroll","level":"fatal","msg":"failed to parse JWT","time":"2025-03-16T22:14:04.170Z"}

I have both the router and controller behind reverse proxy that is public facing. So router connecting to controller first goes to reverse proxy and then is sent over to controller.
I am using nginx-proxy for this setup.

Any pointers on this will be appreciated.

Does your reverse proxy terminate TLS? If that's the case, that's a problem. OpenZiti doesn't tolerate the proxy terminating TLS.

Thanks @TheLumberjack
Guess I have to change my model then.
I saw a video with HAPROXY that supports pass through. Will check that solution.
Thanks again for the insight.

GitHub issue to track solving this problem: ensure controller deployments tolerate ZITI_PWD containing equals character(s) · Issue #2895 · openziti/ziti · GitHub

This error occurred because the router encountered an unexpected server certificate presented by HAProxy when it attempted to enroll. It was expecting to encounter the controller's edge client API certificate directly, not through a TLS proxy.

You may publish Ziti's TLS ports with any reverse proxy/LB that is configured to pass-through TLS. For example, HAProxy may route the request based upon the server name indication in the ClientHello, provided that it also forwards the ClientHello to Ziti to allow mutual certificate authentication (mutual TLS [mTLS]) to occur.
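As an added illustration of the SNI pass-through described above (this is not a configuration from the thread or from the OpenZiti project; the hostnames, backend addresses and ports are assumptions), an HAProxy configuration that routes on the ClientHello without terminating TLS, so the controller's and router's own certificates reach the client and mTLS can complete:

```haproxy
# Added example: HAProxy in TCP mode, routing on SNI, never terminating TLS.
# Hostnames, backend addresses and ports are placeholders for this example.
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp            # layer-4 forwarding: the TLS handshake passes through untouched
    option  tcplog
    timeout connect 5s
    timeout client  1h     # Ziti sessions are long-lived; keep idle timeouts generous
    timeout server  1h

frontend ziti_tls_passthrough
    bind *:443
    # No "ssl crt ..." on the bind line: adding one would terminate TLS here,
    # replace the controller's certificate with HAProxy's, and break enrollment.
    # Hold the connection until the ClientHello has arrived so SNI is readable.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend ziti_controller if { req.ssl_sni -i controller.domain.tld }
    use_backend ziti_router     if { req.ssl_sni -i router.domain.tld }
    # Anything without a matching SNI is dropped rather than sent to a guessed backend.
    tcp-request content reject

backend ziti_controller
    # Assumed private address and edge client API port of the controller host.
    server ctrl   10.0.0.10:1280 check

backend ziti_router
    # Assumed private address of the router host; the router listens on 443 as in the thread.
    server router 10.0.0.11:443 check
```

With this in place, `openssl s_client -connect controller.domain.tld:443 -servername controller.domain.tld` should show the controller's own certificate chain rather than one issued to the proxy, which is the quick check that TLS is genuinely passing through.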