BrowZer failed to start

I followed the documentation: BrowZer | OpenZiti to clone the project. After that, I created a .env file in the project root directory with the following content.

    ZITI_BROWZER_BOOTSTRAPPER_HOST="browzer.zititv.demo.openziti.org"
    ZITI_BROWZER_BOOTSTRAPPER_LOGLEVEL="debug"
    ZITI_BROWZER_RUNTIME_LOGLEVEL="debug"
    ZITI_BROWZER_RUNTIME_HOTKEY="alt+F12"
    ZITI_CONTROLLER_HOST="ziti.edge.controller"
    ZITI_CONTROLLER_PORT="1280"
    ZITI_BROWZER_BOOTSTRAPPER_SCHEME="https"
    ZITI_BROWZER_BOOTSTRAPPER_LISTEN_PORT="8446"
    ZITI_BROWZER_BOOTSTRAPPER_TARGETS='{"targetArray":[{"vhost":"docker-whale.zititv.demo.openziti.org","service":"docker.whale","path":"/","scheme":"http","idp_issuer_base_url":"https://dev-b2q0t23rxctngxka.us.auth0.com","idp_client_id":"Yo1JXbaLhp045p8tvLJTbRbGw6TU2xjj"}]}'

The following error is displayed:

There is no description of this variable below. How should I define this variable?

I started OpenZiti locally using the docker-compose method, and now I want to start Browzer. According to the documentation at BrowZer | OpenZiti, I need to complete the OIDC section. The prerequisites mention that a functional OpenZiti overlay network and a configured alternative server certificate are required. I’m not sure if the 'local docker-compose' setup meets these requirements. Additionally, there's an environment variable for running the Ziti BrowZer Bootstrapper, with the following description:

ZITI_CONTROLLER_HOST: the 'alternative' address for the OpenZiti controller. Example: ctrl.openziti.io

How should 'alternative' be understood here? There is a ziti-edge-controller in the 'local docker-compose' setup. Should I use its host for this?

I have another question. I noticed that the startup command includes a NODE_EXTRA_CA_CERTS parameter. Does this mean that the ZITI_BROWZER_BOOTSTRAPPER_CERTIFICATE_PATH and ZITI_BROWZER_BOOTSTRAPPER_KEY_PATH variables do not need to be defined in the environment variables? If they are still required, how should these two variables be created for an OpenZiti setup built locally using docker-compose?

BrowZer really needs to have legitimate, 3rd party verifiable certificates from a publicly trusted CA, something like LetsEncrypt or ZeroSSL (or other). So beware of that particular problem. If you're running it locally from the example docker-compose quickstart, you'll likely struggle with BrowZer. You can do it, but it gets more complex due to the self-signed CA/pki... Just beware. It's way easier to start with BrowZer with a public url, and alt server certs setup. I assume you also discovered the sub menu item of the example setup here Example Enabling BrowZer | OpenZiti ? It's got a video that goes along and has a full video walkthrough too. Maybe that will be a good resource for you to review but it doesn't use the docker compose quickstart so - maybe not. Maybe this would be a good topic for Ziti TV, I don't have one queued up but a "working session" of me trying to get browzer working might be educational? Ziti TV airs at 11 AM ET on Fridays when I have a topic to cover (approx 3.5 hours from right now). You can find them here https://www.youtube.com/playlist?list=PLMUj_5fklasKBlnVqh6YJuURKlgo39Yo1

ZITI_CONTROLLER_HOST is the externally visible url to the controller that has that 3rd party, trusted certificate. So for me, you can see my value is ZITI_CONTROLLER_HOST: ctrl.clint.demo.openziti.org (and with the port https://ctrl.clint.demo.openziti.org:8441/) you can get to this url and inspect the certificate if you like. So this is the "alternate" url because there's ALSO the self-signed PKI on the internet at this address (the 'main' url) https://ec2-3-142-245-63.us-east-2.compute.amazonaws.com:8441/

Here's a sample environment from my running BrowZer install:

    environment:
      NODE_ENV: production
      ZITI_BROWZER_BOOTSTRAPPER_LOGLEVEL: debug
      ZITI_BROWZER_RUNTIME_LOGLEVEL: debug
      ZITI_CONTROLLER_HOST: ctrl.clint.demo.openziti.org
      ZITI_CONTROLLER_PORT: 8441
      ZITI_BROWZER_BOOTSTRAPPER_HOST: browzer.clint.demo.openziti.org
      ZITI_BROWZER_BOOTSTRAPPER_LISTEN_PORT: 443
      ZITI_BROWZER_BOOTSTRAPPER_CERTIFICATE_PATH: /etc/letsencrypt/live/clint.demo.openziti.org/fullchain.pem
      ZITI_BROWZER_BOOTSTRAPPER_KEY_PATH: /etc/letsencrypt/live/clint.demo.openziti.org/privkey.pem
      ZITI_BROWZER_BOOTSTRAPPER_SCHEME: https
      ZITI_BROWZER_RUNTIME_ORIGIN_TRIAL_TOKEN: "YOUR_TOKEN_HERE"
      _ZITI_BROWZER_BOOTSTRAPPER_WILDCARD_VHOSTS: false
      ZITI_BROWZER_BOOTSTRAPPER_TARGETS: >
          {
            "targetArray": [
            {
                      "vhost": "docker-whale.clint.demo.openziti.org",
                      "service": "docker.whale",
                      "path": "/",
                      "scheme": "http",
                      "idp_issuer_base_url": "https://keycloak.clint.demo.openziti.org:8446/realms/zitirealm",
                      "idp_client_id": "browzerBootstrapClient",
                      "idp_type": "keycloak",
                      "idp_realm": "zitirealm"
            },
            {
                      "vhost": "brozac.clint.demo.openziti.org",
                      "service": "brozac",
                      "path": "/",
                      "scheme": "http",
                      "idp_issuer_base_url": "https://keycloak.clint.demo.openziti.org:8446/realms/zitirealm",
                      "idp_client_id": "browzerBootstrapClient",
                      "idp_type": "keycloak",
                      "idp_realm": "zitirealm"
            },
            {
                      "vhost": "puter.clint.demo.openziti.org",
                      "service": "puter",
                      "path": "/",
                      "scheme": "http",
                      "idp_issuer_base_url": "https://keycloak.clint.demo.openziti.org:8446/realms/zitirealm",
                      "idp_client_id": "browzerBootstrapClient",
                      "idp_type": "keycloak",
                      "idp_realm": "zitirealm"
            }
            ]
          }

NODE_EXTRA_CA_CERTS -- as I recall (I'm fuzzy on it right now as I don't use this feature much) is to allow you to use your own PKI for the BrowZer bootstrapper so that it can actually connect to a controller without a third-party server cert (self-signed PKI). This is part of the "more complex" part I was alluding to before.

We don't have a "how to browzer entirely locally" guide that I know of. That also might be a good Ziti TV topic in general. It's a similar idea.

hope that helps?

@TheLumberjack Is it possible to fully deploy the Network and BrowZer on a server with a domain name and certificate, without using Docker Compose?

BrowZer itself will want a compose file (or at least docker). We don't support deploying it via any other mechanisms. The OpenZiti overlay you can deploy without docker.

@TheLumberjack Can’t BrowZer be cloned directly from GitHub? Why is Docker still required?

I have an Ubuntu server ready, and I’ll be following the steps in this video to install OpenZiti and BrowZer: https://www.youtube.com/watch?v=ZPkOQbVEnW0&t=817s

Surely it can, but I personally haven't done it and I don't know if there are any additional nuances necessary to clone the repo, build it, put pieces in the proper places etc. That's why I was indicating that docker was the preferred execution path for browzer at this time. If there are "no docker" instructions, I'll see if @curt can comment.

@TheLumberjack BrowZer is constantly restarting.

Then I ran this command: journalctl -fu browzer-bootstrapper, and the output was as follows:

Looks like you're having a name resolution problem based on the log


I don't know if this was working and now isn't, or where you're at but my guess is you misconfigured that or didn't add the wildcard record properly. (probably the latter?)
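The replies above boil down to a short checklist for a bootstrapper .env: an https listener needs ZITI_BROWZER_BOOTSTRAPPER_CERTIFICATE_PATH and ZITI_BROWZER_BOOTSTRAPPER_KEY_PATH, every target vhost has to sit under the wildcard DNS record for the bootstrapper's domain, and those names must actually resolve. The following pre-flight script is an added example, not code from this thread or from the OpenZiti project. The variable names and the keys inside targetArray are taken from the .env and compose samples posted above; the list of "required" variables, the rule that the wildcard zone is the parent domain of ZITI_BROWZER_BOOTSTRAPPER_HOST, and the function names (parse_env, validate, check_env_text) are assumptions of this example. The embedded sample is the first post's .env, reproduced so the script runs offline.

```python
"""Pre-flight checks for a BrowZer bootstrapper .env file.

Added example (not from this thread or the OpenZiti project). Variable names
and target keys come from the samples in the thread; the required-variable
list and the "wildcard zone = parent of the bootstrapper host" rule are this
example's own assumptions.
"""
import json
import socket

# Minimum set of variables the samples in the thread always set (assumption).
REQUIRED_VARS = (
    "ZITI_CONTROLLER_HOST",
    "ZITI_CONTROLLER_PORT",
    "ZITI_BROWZER_BOOTSTRAPPER_HOST",
    "ZITI_BROWZER_BOOTSTRAPPER_LISTEN_PORT",
    "ZITI_BROWZER_BOOTSTRAPPER_SCHEME",
    "ZITI_BROWZER_BOOTSTRAPPER_TARGETS",
)
# Needed once the bootstrapper itself serves https (see the compose sample).
TLS_VARS = ("ZITI_BROWZER_BOOTSTRAPPER_CERTIFICATE_PATH", "ZITI_BROWZER_BOOTSTRAPPER_KEY_PATH")
# Keys every targetArray entry carries in the posted samples.
TARGET_KEYS = ("vhost", "service", "path", "scheme", "idp_issuer_base_url", "idp_client_id")

# Constructed sample: the .env from the first post (no cert/key paths).
FIRST_POST_ENV = """
ZITI_BROWZER_BOOTSTRAPPER_HOST="browzer.zititv.demo.openziti.org"
ZITI_CONTROLLER_HOST="ziti.edge.controller"
ZITI_CONTROLLER_PORT="1280"
ZITI_BROWZER_BOOTSTRAPPER_SCHEME="https"
ZITI_BROWZER_BOOTSTRAPPER_LISTEN_PORT="8446"
ZITI_BROWZER_BOOTSTRAPPER_TARGETS='{"targetArray":[{"vhost":"docker-whale.zititv.demo.openziti.org","service":"docker.whale","path":"/","scheme":"http","idp_issuer_base_url":"https://dev-b2q0t23rxctngxka.us.auth0.com","idp_client_id":"Yo1JXbaLhp045p8tvLJTbRbGw6TU2xjj"}]}'
"""


def parse_env(text):
    """Parse KEY=value lines; one pair of matching surrounding quotes is stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def parent_domain(host):
    """'browzer.example.org' -> 'example.org': the zone a *.example.org record covers (assumption)."""
    return host.split(".", 1)[1] if "." in host else host


def validate(env, resolve=None):
    """Return a list of findings; an empty list means every check passed.

    resolve: optional callable host -> address that raises OSError when the
    name does not resolve (socket.gethostbyname fits; tests can pass a fake).
    """
    findings = [f"missing {var}" for var in REQUIRED_VARS if not env.get(var)]
    if env.get("ZITI_BROWZER_BOOTSTRAPPER_SCHEME") == "https":
        findings += [f"scheme is https but {var} is not set" for var in TLS_VARS if not env.get(var)]

    boot_host = env.get("ZITI_BROWZER_BOOTSTRAPPER_HOST", "")
    zone = parent_domain(boot_host)
    target_array = []
    raw_targets = env.get("ZITI_BROWZER_BOOTSTRAPPER_TARGETS")
    if raw_targets:
        try:
            parsed = json.loads(raw_targets)
        except json.JSONDecodeError as exc:
            findings.append(f"ZITI_BROWZER_BOOTSTRAPPER_TARGETS is not valid JSON: {exc.msg}")
        else:
            target_array = parsed.get("targetArray") if isinstance(parsed, dict) else None
            if not isinstance(target_array, list) or not target_array:
                findings.append("ZITI_BROWZER_BOOTSTRAPPER_TARGETS needs a non-empty targetArray")
                target_array = []

    for i, target in enumerate(target_array):
        if not isinstance(target, dict):
            findings.append(f"target[{i}] is not a JSON object")
            continue
        findings += [f"target[{i}] missing {key}" for key in TARGET_KEYS if not target.get(key)]
        vhost = target.get("vhost", "")
        # The vhost must be covered by the *.<zone> wildcard record or the browser never reaches it.
        if vhost and boot_host and not vhost.endswith("." + zone):
            findings.append(f"target[{i}] vhost {vhost} is outside the *.{zone} wildcard")
        if target.get("idp_issuer_base_url", "").startswith("http://"):
            findings.append(f"target[{i}] idp_issuer_base_url should use https")

    if resolve is not None:
        hosts = [boot_host] + [t.get("vhost", "") for t in target_array if isinstance(t, dict)]
        for host in filter(None, hosts):
            try:
                resolve(host)
            except OSError:
                findings.append(f"{host} does not resolve (check the wildcard DNS record)")
    return findings


def check_env_text(text, resolve=None):
    """Parse and validate in one call."""
    return validate(parse_env(text), resolve)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FIRST_POST_ENV
    for finding in check_env_text(text, resolve=socket.gethostbyname) or ["OK: no findings"]:
        print(finding)
```

Run it as `python browzer_env_check.py browzer.env` before starting the container; with no argument it checks the embedded first-post sample and reports the two missing TLS paths. Name resolution is only attempted when a resolver is passed in, so the static checks stay usable on a machine without the wildcard record in place.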

@TheLumberjack Yes, I just added a wildcard record in the DNS service provider’s console for the domain. Now, the BrowZer logs are as follows:

The content of my browzer.env file is as follows:

It states you have a self-signed cert in the chain. You need to use 3rd party verifiable certs

Do you think these two images would be useful for troubleshooting the issue?

@TheLumberjack I modified ZITI_CONTROLLER_HOST in the browzer.env file to openziti.devops.authing-inc.co and then restarted BrowZer. It started running normally, but when I accessed https://brozac.openziti.devops.authing-inc.co:8446/, a new error appeared. Would you like me to share a screenshot for further troubleshooting?

@TheLumberjack I’ve reconfigured everything, and the only remaining issue now is with creating the service. Please disregard the previous content and help me take a look at the current issue.

I started an HTTP service on the server using Python, and when I access http://openziti.devops.authing-inc.co:8080 in a browser, it displays “helloworld.” Then, I created a service using the following method. From my understanding, intercept_address and intercept_port are used to configure the address of the service that needs to be intercepted, while offload_address and offload_port specify where OpenZiti forwards the request, which is the actual service address. After successfully creating the service, when I visit https://brozac.openziti.devops.authing-inc.co:8446/ in the browser, the following error appears.

If you need to review the configuration details on ZAC, I can share screenshots with you.

I'm surprised we have forgotten to add this to our doc. You're hitting the JSPI issue. If you search the forum for JSPI, you'll find many such posts including this one from @curt as to how to fix the issue:

Follow those instructions and you'll get past the JSPI issue.

@TheLumberjack Is the “Origin” specified here correct, or should it be set to “brozac.openziti.devops.authing-inc.co”?

Yes. It should be your ${WILDCARD_URL}