Configuring the http example that connects to ZitiMobileEdge client

You could also send me an identity on your network if you wanted :slight_smile: clint at openziti dot org …


I can see in your logs you shared:


    [77941.634]   ERROR edge/controller/handler_edge_ctrl.(*baseSessionRequestContext).verifyTerminator: {operation=[remove.terminator] terminatorId=[NZpG] error=[invalid terminator: not found]} terminator not found
    [77941.634]   ERROR edge/controller/handler_edge_ctrl.(*baseRequestHandler).returnError [ch{wYXvHOJa9x}->u{classic}->i{PJld}]: {token=[cb07e6cb-1861-42f0-ac0c-ae14b5d5429e] error=[invalid terminator: not found]

That is a new one on me… I also see you're accessing http.ziti. I'd really love to know the exact steps to reproduce this. I haven't even seen this particular issue.

Right now I would say you should probably delete your configs, services and service policies… wait a good 15s and try again to recreate them.

Syntax for cleaning ALL your configs/services/service-policies is:

    ziti edge delete service-policies where true
    ziti edge delete services where true
    ziti edge delete configs where true

it's a lighter touch than reinstalling everything… I'd clean it all up and see what happens if you run the commands again?


ok… will do… not sure if I can tell you the steps… as it's been a trail of spaghetti… :slight_smile:

will revert back shortly

trail of ziti??? (we make all the pasta jokes here)


still not working

Here are all of the commands that I ran after running all of the delete commands

    ziti edge create config golanghttp-intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["golanghttp.zitified"], "portRanges":[{"low":1280, "high":1281}]}'
    ziti edge create service golanghttp --configs 'golanghttp-intercept.v1'
    ziti edge create service-policy golanghttp-bind-policy Bind --identity-roles '@httpzServer' --service-roles '@golanghttp'
    ziti edge create service-policy golanghttp-dial-policy Dial --identity-roles '@httpzClient' --service-roles '@golanghttp'

I have confirmed that the ZitiMobileEdge app has picked up the new service.

it now shows golanghttp.zitified

and the green dot is showing

One thing that could be the issue… is that I am using Oracle Cloud Infrastructure…

When you set up a compute… you need to set up a VCN… which by default has very limited privileges.

Here are the ingress rules setup

While we are on this… I needed to open port 1281… to set ZITI_EDGE_ROUTER_PORT when doing the QuickStart installation.

When I had this set as 1280… it failed… saying that the listener is already in use.

So… I changed it to 1281 and it worked ok

Maybe this is it… ie… the port should be 1281… but I could not complete the installation using this port.

I can see that I am making a ziti of a mess with this

The listener already in use error would sound like ziti was already running. I don't expect OCI to be of consequence, you seem to have the inbound traffic rules setup just fine as well.

Why donā€™t I setup a new instance with a single identity you can use which I know worked for me. Getting that first service to work really is the toughest. I appreciate you sticking through this process.

I'll establish a new server and I'll even record the entire video and share it so you can see all the sausage get made. I'll even give it a shot in OCI. I know it works because the NetFoundry platform deploys routers to Oracle all the time.

It shouldn't take me terribly long to do once I discover the right place to fire up an OCI vm… Stay tuned…


Awesome… I know I am close… maybe not enough salt :slight_smile:

I hit "a lot" of bumps along the way. I have to review/edit the video which I will do a bit later on tonight and I'll post it back.

There's a bug with the quickstart which causes the router to only work when you're local to the oracle environment. The "advertised" value is set to the hostname - which won't work when you're remote. :frowning: that's a very difficult problem to debug. The router it's attaching to is in the TUN logs you sent me but it's hard to spot because it seems 'normal'…

    instance-20220317-1005-edge-router@tls://instance-20220317-1005:1281

notice that it's defined by "instance-20220317-1005:1281" - that needs to be the ip address… The problem is that the certs generated when you enroll the router won't have the ip address in them. The video I'll be sharing with you will have that.

I'll post back in a bit with a video and with more instructions (dinner time here)…


Ok. I hope this helps… Here are the commands/notes I show in the video. @markamind I think you can start from the bullet labeled "HERE IS THE FIX".

Things done before the video starts:

  • Create VCN

  • Create Subnet

  • Create Security List

  • opened ports 8441-8443

  • used netcat nc to verify ports were open

  • create instance named openziti09b

  • opened LOCAL firewall in firewalld with:

      sudo firewall-cmd --zone=public --add-port=8441/tcp --permanent
      sudo firewall-cmd --zone=public --add-port=8442/tcp --permanent
      sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
      sudo systemctl restart firewalld
    
  • disable selinux - didn't troubleshoot but SELINUX prevented the systemd units from working

      sudo cp /etc/selinux/config /etc/selinux/config.back
      sudo sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
      sudo /usr/sbin/setenforce 0
    
  • installed golang using instructions from here

  • installing golang via that link puts go into /usr/local/go/bin/go, so i also added /usr/local/go/bin/ to my path in .bashrc

  • Installed git using:

      sudo dnf install git -y
    

Steps in the video (Discourse Help - OCI Quickstart - unlisted - YouTube):

  • RERAN expressInstall with EXTERNAL_DNS set to the EXTERNAL_IP! This was important - due to Oracle Cloud. Unlike AWS, oracle doesn't give your compute instances a DNS name.

      export EXTERNAL_DNS="$(curl -s eth0.me)"
    
  • HERE IS THE FIX the quickstart is putting the hostname into the router configuration. To fix that you need to edit the configuration, finding the hostname and replacing it with the external IP address. Then you need to delete/recreate the edge router. Only do this after successfully running quickstart.

      # set a variable and use this in the next three commands
      routerName=clintozapr09b-edge-router
      
      ziti edge delete edge-router ${routerName}
      ziti edge create edge-router ${routerName} -t -a "public" -o ${routerName}.jwt
      ziti-router enroll ~/.ziti/quickstart/clintozapr09b/${routerName}.yaml -j ${routerName}.jwt
    
  • installed ZAC by following the ZAC install guide

Making sure it all works:

Once I had the ZAC running and fixed the bug I was able to verify the golang http example was working by running the zitified server/client and testing with my local browser…

  • created four identities: one for the golang server, one for the client, one for my desktop, one for my mobile.

  • i enrolled the server/client for immediate use.

  • identities were created using -a "http-clients" so that i could make one 'dial' policy and use the attribute

      ziti edge create identity service golang.http.server -o $HOME/golang.http.server.jwt
      ziti edge enroll $HOME/golang.http.server.jwt
      ziti edge create identity service golang.http.client -a "http-clients" -o $HOME/golang.http.client.jwt
      ziti edge enroll $HOME/golang.http.client.jwt
      ziti edge create identity service golang.http.desktop.client -a "http-clients" -o $HOME/golang.http.desktop.client.jwt
      ziti edge create identity service golang.http.mobile.client -a "http-clients" -o $HOME/golang.http.mobile.client.jwt
    
  • created the one needed config, the service, and two policies…

      ziti edge create config golanghttp-intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["golanghttp.zitified"], "portRanges":[{"low":1234, "high":2345}]}'
      ziti edge create service golanghttp --configs 'golanghttp-intercept.v1'
      ziti edge create service-policy golanghttp-bind-policy Bind --identity-roles '@golang.http.server' --service-roles '@golanghttp'
      ziti edge create service-policy golanghttp-dial-policy Dial --identity-roles '#http-clients' --service-roles '@golanghttp'
    
  • cloned the golang sdk for demo use:

      git clone https://github.com/openziti/sdk-golang "${ZITI_HOME}/sdk-golang"
      cd "${ZITI_HOME}/sdk-golang/exercises/http/server/zitified"

  • ran the zitified simple-server

      go run simple-server.go "$HOME/golang.http.server.json" "golanghttp"
    
  • ran the zitified simple-client

      go run simple-client.go $HOME/golang.http.client.json golanghttp
    
  • opened this url in desktop browser and saw the expected results

    http://golanghttp.zitified:1234/add?a=1&b=2

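The "HERE IS THE FIX" step above says to find the hostname in the router configuration and replace it with the external IP before deleting and re-enrolling the router. The script below is an added example (not from the thread and not OpenZiti project code) that does that replacement only on `advertise:` lines, so the hostname inside PKI paths is left alone, and then counts what is left. It assumes the quickstart router yaml carries the hostname in `advertise:` values of the form `tls:<host>:<port>` or `<host>:<port>`; the sample config is constructed.

```shell
#!/bin/sh
# Added example: swap the hostname in the router's "advertise:" values
# for the external IP, keep a backup, and report what still references
# the hostname. ASSUMPTION: the key is named "advertise:" as in OpenZiti
# router configs; the yaml below is a constructed sample, not real output.

# Constructed sample shaped like the quickstart router yaml. Note the
# hostname also appears in the PKI path, which must NOT be rewritten.
make_sample_config() {
  cat > "$1" <<'EOF'
v: 3
identity:
  cert: /home/opc/.ziti/quickstart/instance-20220317-1005/pki/router.cert
link:
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:10080
      advertise: tls:instance-20220317-1005:10080
listeners:
  - binding: edge
    address: tls:0.0.0.0:1281
    options:
      advertise: instance-20220317-1005:1281
EOF
}

# fix_advertise <router.yaml> <hostname> <external_ip>
# Rewrites only "advertise:" lines whose host part is exactly <hostname>
# (with or without the "tls:" prefix); everything else is untouched.
fix_advertise() {
  cfg="$1"; host="$2"; ip="$3"
  cp "$cfg" "$cfg.bak"
  sed -i.tmp -E \
    "s/^([[:space:]]*advertise:[[:space:]]*(tls:)?)${host}:/\1${ip}:/" "$cfg"
  rm -f "$cfg.tmp"
}

# remaining_hostname_refs <router.yaml> <hostname>
# Prints the number of advertise lines still using the hostname (0 = fixed).
remaining_hostname_refs() {
  grep -cE "advertise:[[:space:]]*(tls:)?$2:" "$1" || true
}
```

After the file reads back with zero remaining references, the router still has to be deleted, recreated and enrolled again as in the post, because the existing certificates were issued for the hostname and not the IP.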

Ahh.. awesome..

This reminds me of a situation that happened when I was debugging this issue..

the variables "router_name" and "ZITI_EDGE_ROUTER_RAWNAME" were not set when you reload the env file

Because manually setting the ZITI_EDGE_ROUTER_RAWNAME fixed the symptom.. I did not see how this could be linked back the problem I was debugging

my learning is that I should have also tracked the impact of this down.. something for next time

Re the difference Oracle and AWS.. is interesting.. Oracle keeps all of those DNS names private for compute instances.

Thanks so much for the video.. there was quite a bit to work through.. I have succeeded in each step.. though I found a few more things.. maybe because I am using a mac

#1. enrolling the mobile identity via QR code did not work.. I will send through the logs

#2. the link does not work if you use the https prefix.. but does if you use http..

it would be great if you can provide more details about this

Nice! Success! The "simple server" does not expose TLS. It's an http-only based example.


re: enrolling on iOS. I went through a couple of QR code-based enrollments using the NetFoundry console successfully. I plan to do one using ZAC later today. I see from the APP logs that there was an unexpected error parsing the enrollment response from the Controller - WTF CZiti:ZitiEnroller.swift:200 on_enroll() unable to decode context (WTF stands for "What a Terrible Failure", and is logged when we see an unexpected code path that we can do nothing other than log a message).

A couple of things:

  1. Was Ziti "Connected" when you attempted the enrollment?
  2. There is an issue some have reported where Turning Ziti On from Mobile will get stuck in Connecting... If you see this, please Go to Settings/VPN and toggle Status to ON
  3. Would you also please check Settings/Privacy/Analytics & Improvements/Application Data and see if you have a report from the time of the failed enrollment request? The file will start with Ziti Mobile Edge-2022

Thanks.

Thanks for the feedback. Makes sense re TLS.. I always wondered what that did.. now I know :slight_smile:

This shows that the mobile app was connected to the controller before I attempted to enrol a new identity

The next step was to create a new identity… and enrol it using the QR code from ZAC