I have multiple identities already enrolled, but when I try to enroll my raspi zero w2 running dietpi I get these errors:
WARN ziti-sdk:model_support.c:202 model_parse() json parse error: unexpected character
ERROR ziti-edge-tunnel:process_cmd.c:127 enroll_ziti_async() cannot enroll: -3
ERROR ziti-edge-tunnel:process_cmdd.c:60 tunnel_enroll_cb() enrollment failed: enrollment JWT or verifiable controller URL is required(-22)
I am able to resolve my controller without problem, I can also access the ZAC console on my dietpi.
I reinstalled the tunneler and deleted/recreated the identity, and the problem stays the same.
Also there is no error showing on the controller when I check the status of the service, like the connection doesn't even reach it?
I fear the problem might be simple but I can't seem to understand where it doesn't work.
Thanks in advance.
This is interesting. Can you share the exact steps you use to delete/recreate the identity? Also can you look at the jwt using xxd? I'm interested to know if there's a BOM (strange characters at the start of the file) or extra chars at the end of the JWT, or maybe even if the JWT is empty or incomplete?
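The checks asked about above (BOM, extra characters, empty or incomplete JWT), as an added example that is not part of the original thread or of OpenZiti's code. It reads the raw bytes of the file and lists structural problems; the sample token is constructed, and the expiry check assumes the token carries the standard JWT exp claim.

```python
import base64, json, time

BOM = b"\xef\xbb\xbf"
B64URL = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def _seg(obj):
    """Encode a dict as an unpadded base64url JSON segment (builds the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=")

# Constructed sample token: placeholder issuer, fake signature, not a real enrollment JWT.
SAMPLE = b".".join([_seg({"alg": "RS256", "typ": "JWT"}),
                    _seg({"iss": "https://ctrl.example:8441", "exp": 2000000000}),
                    b"c2lnbmF0dXJl"])

def _json(seg):
    """Decode one base64url segment (padding restored) and parse it as JSON."""
    return json.loads(base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4)))

def inspect_jwt(raw, now=None):
    """Return a list of problems in the raw bytes of a JWT file (token is never printed)."""
    problems = []
    if raw.startswith(BOM):
        problems.append("UTF-8 BOM at start of file")
        raw = raw[len(BOM):]
    token = raw.strip()
    if not token:
        return problems + ["file is empty"]
    if token != raw.rstrip(b"\n"):  # trailing LF is tolerated; CR, space or tab is not
        problems.append("extra whitespace around token")
    parts = token.split(b".")
    if len(parts) != 3 or not all(parts):
        return problems + ["expected 3 non-empty segments, found %d" % len([p for p in parts if p])]
    if not all(set(p) <= B64URL for p in parts):
        return problems + ["non-base64url bytes inside token"]
    try:
        _json(parts[0])
        claims = _json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return problems + ["header or payload is not base64url-encoded JSON"]
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, (int, float)) and exp < (time.time() if now is None else now):
        problems.append("token expired (exp claim is in the past)")
    return problems

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(inspect_jwt(data) or "no problems found")
```

Run it with the path to the .jwt file as the only argument; with no argument it checks the constructed sample.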
I use ZAC to delete and recreate the identity (I press the "-" sign in red, then I recreate another one with the "+" sign). I tried with another name and the two JWT files with different names cause the same error. I checked the two JWT files with xxd and they seem complete; the 3 parts are there. The start is letters and the end is numbers and letters, I don't see spaces.
What would extra characters be?
If the JWT looks ok, then it's probably ok. I don't know much about the raspi zero w2 and don't have one to test/play with. Are there any other errors to be seen? Are you running the arm32 or arm64 ziti-edge-tunnel? I'm not sure if dietpi could possibly cause any problems. I'll ask a couple of people to have a look tomorrow and see if anything sticks out to them.
What is the exact command (with command line options) that you are using to enroll? I'm assuming it's something like:
ziti-edge-tunnel enroll -j /path/to/identity.jwt -o /path/to/identity.json
Could you please show us exactly how you are enrolling? By the way we might see more detail about what's going wrong if you run the enroll command with a higher log level, e.g. -v6.
Thanks!
Hi again,
I'm pretty sure I use the arm64 for the tunneler Debian for jammy.
ziti-edge-tunnel add --jwt spicy.hberry.jwt --identity spicy.hberry
{
"Success":false,
"Error":Enrollment failed: enrollement JWT or verifiable controller URL is required" .
"Code":500
}
When I use the command you put, it does that:
ziti-edge-tunnel enroll -j spicy.hberry.jwt -o /opt/openziti/etc/identities/spicy.hberry.json
enroll: invalid option -- 'o'
Unknown option '?'
output file option(-i|--identity) is required
Note that I don't already have a json file for the identity. So I tried what the prompt cmd suggested:
ziti-edge-tunnel enroll -j spicy.hberry.jwt -i spicy.hberry
[...]
(1623) [ 0.000] ERROR ziti-sdk:ziti_ctrl.c:521 ctrl_body_cb() ctrl[my.domain.com:8441] API request[/enroll] failed code[INVALID_ENROLLMENT TOKEN] message[The supplied token is not valid]
(1623) [ 0.000] ERROR ziti-sdk:ziti_enroll.c:402 enroll_cb() failed to enroll with controller: https://my.domain.com:8441 INVALID_ENROLLMENT TOKEN[The supplied token is not valid] reason[]
(1623) [ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1621 enroll_cb() enrollment failed: JWT not accepted by controller(-3)
Also when I did these tests I created another identity to be sure.
Oh, it's actually -i not -o for that command. Can you try:
ziti-edge-tunnel enroll -j /path/to/identity.jwt -i /path/to/identity.json
The -j is the input jwt, the -i is the output json file it'll write.
This error differs from the one that you were seeing when you started this thread. I'm pretty sure that you should see some sign of this failure in the controller logs. Unfortunately the message that's sent from the controller does not seem to include the "reason". Can you check in the controller logs?
Also, I was mistaken when I mentioned the -v option to the ziti-edge-tunnel enroll command. Sorry for the confusion there. If the controller logs still aren't presenting a clue, could you please re-run the enroll subcommand with the ZITI_LOG environment variable set as follows?
ZITI_LOG="6;tlsuv=6" ziti-edge-tunnel enroll ...
This will enable the highest level of debug logging. If you do end up getting a successful enrollment (which seems unlikely), the log output at this level might contain the key for your identity, so be careful what you share from it.
Thanks.