Connection to wss failed in BrowZer

error: WebSocket connection to 'wss://local-lwj:8447/ws' failed

And my router config is below:

  - binding: edge
    address: wss:0.0.0.0:8447
    options:
      advertise: local-lwj:8447
      connectTimeoutMs: 5000
      getSessionTimeout: 60

When I use the curl command, curl https://local-lwj:8447, it returns the error "curl: (60) SSL certificate problem: unable to get local issuer certificate". With the -sk parameter, it returns 404 as expected.

1 Like

Change to advertise: ws.local-lwj:8447 and try again. “browzerexample.demo.openziti.org” represents your domain name.

1 Like

Sorry, I forgot to modify the advertise config. My actual advertise config is local-lwj:8447. When I try to change it to ws.local-lwj:8447, it returns the error "curl: (6) Could not resolve host: ws.local-lwj".

1 Like

Send a screenshot of the "listeners:" section in the router.yaml configuration file.

1 Like

For the advertise part, write ws.local-lwj:8447.

After the modification is completed, run "sudo systemctl restart ziti-router", and then run "curl https://ws.${wildcard_url}:8447"

1 Like

I think my error is not because of router.yaml. You can see the screenshot below.

1 Like

404 is expected, and it shows that the config is correct according to the BrowZer example. I think the SSL certificate problem causes the connection to wss to fail.

Are your controller and router functioning properly?
curl https://ctrl.${wildcard_url}:${ZITI_CTRL_EDGE_ADVERTISED_PORT}
curl -sk https://${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT}
Can the data be obtained?

1 Like

Yes, my controller works.

Sorry, I don’t know how to find the problem. You can check this video for the process of browZer.

OK, thanks for your time.

1 Like

I am also a developer. I just ran through browZer some time ago, but the details still cannot be solved. Wait for a professional developer to reply to you, and they will be able to locate the problem quickly.

1 Like

Hi @VikiLee, welcome to the community and to OpenZiti and BrowZer!

Since you are getting a response when using curl -sk, it makes me think your certificate is invalid. Looking at the advertise address provided, it looks like a hostname and not a valid domain name.

When using browzer, you'll need a certificate valid for a domain from a third-party CA like LetsEncrypt. Take my browzer install for example. The router will advertise like this:

  - binding: edge
    address: wss:0.0.0.0:8505
    options:
      advertise: wss.clint.demo.openziti.org:8505
      connectTimeoutMs: 5000
      getSessionTimeout: 60

See how I have a fully qualified domain name there? Then when you probe this router port with openssl, you MUST get a certificate back that is valid for that domain. For example, you can probe my router using:

openssl s_client -connect router.clint.demo.openziti.org:8505 -alpn http/1.1 2>&1 </dev/null | \
  openssl x509 -text | \
  grep clint
        Subject: CN = *.clint.demo.openziti.org
                DNS:*.clint.demo.openziti.org

See how my Subject and DNS are valid for wildcard *.clint.demo.openziti.org? You'll need to get that far or BrowZer will never work.

I assume you found and are following the walkthrough here? Example Enabling BrowZer | OpenZiti

Does that help any?

Thanks for spending time on my question.
I just use my local machine to develop, so I don't have a domain.
So can I use a self-signed certificate on my localhost to make my websocket work? If that solution could work, how do I configure my router.yaml?
Looking forward to your reply.

You're trying to use Browzer locally? Is that correct? I've never set it up that way. I don't know if @curt has any instructions to follow for local dev. You could probably get it working by adding the ca from OpenZiti to your browser so the cert is trusted, but I don't have any experience with a local Browzer install like that...

I remember trying it, but don't remember the details. The certificate must use the security certificate requested by certbot, which means you need an external domain name and a matching wildcard certificate, then use this domain name during the browZer installation process, and then map the domain name to the local IP in local /etc/hosts.

Yes. As in the screenshot below, I think it is correct. When I use curl -sk https://local-lwj:8447, it returns a 404 message as in Example Enabling BrowZer | OpenZiti, which explains that the websocket is working.

Using curl -sk -- is a problem. The -k puts curl into "insecure" mode. If you need to use -k with curl, it won't work with browzer. You need to add the CA to your local browser -- or maybe even the local OS. We need @curt to comment on if we have an "all local" type of install. You need to have the PKI set up properly and trusted and it's easy to get wrong. Diagnosing 'why' is delicate and tricky if you're not really well-versed with how PKI works in general.

I'm not 100% certain about it, but I'm "pretty sure" that curl and your browzer will need to be able to verify the certificate, or it won't work.
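
An added example (not part of the thread and not OpenZiti code) covering the two checks described in the posts above: the certificate's DNS names must cover the router's advertise host, and the handshake must verify without `-k`. The function names and the optional `cafile` bundle path are assumptions made for illustration; the sample values come from the posts.

```python
import socket
import ssl


def san_covers(hostname, dns_names):
    """Return True if any certificate DNS name covers hostname.

    Browser rule: '*' stands for exactly one left-most label.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue  # a wildcard never spans more or fewer labels
        if pattern[0] == "*" and len(pattern) > 2:
            if pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def probe(host, port, cafile=None, timeout=5.0):
    """Verified TLS handshake, i.e. what curl does without -k.

    cafile=None uses the OS trust store; pass a PEM bundle (assumed path)
    to test a private CA. Returns (True, DNS SANs) or (False, verify error).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_alpn_protocols(["http/1.1"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return True, sans


if __name__ == "__main__":
    # Constructed sample: the SAN shown in the openssl output above,
    # checked against both advertise values that appear in the thread.
    sans = ["*.clint.demo.openziti.org"]
    for advertise in ("wss.clint.demo.openziti.org:8505", "local-lwj:8447"):
        host = advertise.rsplit(":", 1)[0]
        print(advertise, "->", san_covers(host, sans))
```
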

I got it! I just don't understand which CA I should add to my local browzer or local OS. I have looked through my ziti folder 'pki' and tried all the CAs, but it doesn't resolve the problem.