Controller doesn't start after 1.1.7 update

ghibsch · August 13, 2024, 7:28pm

I built my overlay network from the quickstart scripts around version 1.0.0. For fun I downloaded the 1.1.7 binary and dropped it in. My routers start ok but the controller won't start up and drops a hairy error.

panic: could not generate default trust domain: error generating default trust domain from root CA: no root CA detected after chain assembly from the root identity server cert and ca bundle

It seems like that specific check was recently added. I didn't deep-dive into how Go is processing the PKI. Wondering if my quickstart PKI will be unsuitable or if it's some other issue.

qrkourier · August 13, 2024, 7:34pm

v1.1.6 introduced a requirement for a trust domain, and we're finding the default trust domain can't always be generated.

You can work around this by adding a line to your controller configuration YAML file.

trustDomain: my.ziti.cluster.namespace.example.com

This needs to be a unique value that complies with SPIFFE standard for a trust domain. The validation rules are similar to those for DNS names.

ghibsch · August 14, 2024, 1:25pm

Seems like that did the trick. Controller updated to 1.1.7. Thank you!

Topic		Replies	Views
Attempting to use ziti-controller Helm chart: `panic: could not generate default trust domain` Support	5	59	August 6, 2024
PSA - quickstart change for latest tunnelers and c/python/swift/node sdk	12	316	August 26, 2023
Let's Encrypt on Controller General Questions	3	611	February 9, 2023
Problems accessing services after Quickstart General Questions	3	117	May 15, 2024
Reinstalling the Quickstart program Building/Development	7	235	March 31, 2022

Controller doesn't start after 1.1.7 update

Related topics