Controller is not respecting certificate keys in YAML

I am using the following YAML file on the controller.
On bringing up the controller I notice that on all 3 ports (8440, 8441, 8444) the certificate used is the one that is specified in the outermost identity section. I have double-checked that the certificates are indeed different.

$ ./bin/ziti --version
v1.1.7

v: 3

db: db/ctrl.db

identity:
  cert: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-client-20240806152549.cert
  server_cert: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-server-8440-20240806152549.chain.pem
  key: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/keys/ebea685ad01d442a8515a4f1329d2b8d-server-8440-20240806152549.key
  ca: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549.chain.pem

ctrl:
  listener: tls:192.168.160.10:8440

edge:
  api:
    address: 192.168.150.10:8441
  enrollment:
    signingCert:
      cert: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549.cert
      key: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/keys/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549.key
    edgeIdentity:
      duration: 60m
    edgeRouter:
      duration: 60m

web:
  - name: edge-client-api
    bindPoints:
      - interface: ebea685ad01d442a8515a4f1329d2b8d.pub.zitipoc.com:8441
        address: 192.168.150.10:8441
        identity:
          cert: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-client-20240806152549.cert
          server_cert: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-server-8441-20240806152549.chain.pem
          key: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/keys/ebea685ad01d442a8515a4f1329d2b8d-server-8441-20240806152549.key
          ca: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549.chain.pem
    apis:
      - binding: edge-client

  - name: edge-mgmt-api
    bindPoints:
      - interface: ebea685ad01d442a8515a4f1329d2b8d.mgmt.zitipoc.com:8444
        address: 192.168.170.10:8444
        identity:
          cert: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-client-20240806152549.cert
          server_cert: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-server-8444-20240806152549.chain.pem
          key: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/keys/ebea685ad01d442a8515a4f1329d2b8d-server-8444-20240806152549.key
          ca: pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549.chain.pem
    apis:
      - binding: fabric
      - binding: edge-management
      - binding: health-checks

Certificates:

$ openssl x509 -text -in pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-server-8441-20240806152549.chain.pem | grep -i 'Subject:'
        Subject: C = US, L = IAD, O = OCI, OU = ZTA-POC, CN = ebea685ad01d442a8515a4f1329d2b8d.pub.zitipoc.com

$ openssl x509 -text -in pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-server-8440-20240806152549.chain.pem | grep -i 'Subject:'
        Subject: C = US, L = IAD, O = OCI, OU = ZTA-POC, CN = ebea685ad01d442a8515a4f1329d2b8d.priv.zitipoc.com

$ openssl x509 -text -in pki/ebea685ad01d442a8515a4f1329d2b8d-signing-ca-20240806152549/certs/ebea685ad01d442a8515a4f1329d2b8d-server-8444-20240806152549.chain.pem | grep -i 'Subject:'
        Subject: C = US, L = IAD, O = OCI, OU = ZTA-POC, CN = ebea685ad01d442a8515a4f1329d2b8d.mgmt.zitipoc.com

And on the host:

$ openssl s_client -connect ebea685ad01d442a8515a4f1329d2b8d.pub.zitipoc.com:8441     </dev/null 2>/dev/null | openssl x509 -text| grep 'Subject:'
        Subject: C = US, L = IAD, O = OCI, OU = ZTA-POC, CN = ebea685ad01d442a8515a4f1329d2b8d.priv.zitipoc.com

$ openssl s_client -connect ebea685ad01d442a8515a4f1329d2b8d.mgmt.zitipoc.com:8444     </dev/null 2>/dev/null | openssl x509 -text| grep 'Subject:'
        Subject: C = US, L = IAD, O = OCI, OU = ZTA-POC, CN = ebea685ad01d442a8515a4f1329d2b8d.priv.zitipoc.com

I think your identity: block is indented one or two too far... they should be at the indentation level of name, bindPoints, options.

Hi @TheLumberjack,

Per the documentation in:

:frowning: that's wrong. I'll put a PR up to update it... example of proper indentation generated using ziti create config controller:

web:
  # name - required
  # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.
  - name: client-management
    # bindPoints - required
    # One or more bind points are required. A bind point specifies an interface (interface:port string) that defines
    # where on the host machine the webListener will listen and the address (host:port) that should be used to
    # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for
    # incoming address resolution as well as used in responses in the API.
    bindPoints:
      #interface - required
      # A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces
      - interface: 0.0.0.0:8441
        # address - required
        # The public address that external incoming requests will be able to resolve. Used in request processing and
        # response content that requires full host:port/path addresses.
        address: ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8441
    # identity - optional
    # Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
    identity:
      ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-root-ca/certs/ip-172-31-47-200-edge-controller-root-ca.cert"
      key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/keys/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-server.key"
      server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-server.chain.pem"
      cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-47-200/pki/ip-172-31-47-200-edge-controller-intermediate/certs/ec2-3-18-113-172.us-east-2.compute.amazonaws.com-client.cert"
      #alt_server_certs:
      #- server_cert: ""
      #  server_key:  ""
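To catch this mistake before bringing a controller up, here is a small stdlib-only Python check (added here; it is not part of the OpenZiti project) that walks the web: list and reports, per listener, whether its identity sits at listener level or is nested under a bindPoint, where the controller ignores it and serves the root identity instead. The sample YAML is constructed, and the check assumes the 2-space, "- name:" first layout that ziti create config controller emits rather than doing a full YAML parse.

```python
import re

# Constructed samples: the nested layout from the question next to the
# layout the controller expects (certificate paths shortened).
MISINDENTED = """\
web:
  - name: edge-client-api
    bindPoints:
      - interface: 0.0.0.0:8441
        address: 192.168.150.10:8441
        identity:
          server_cert: pki/server-8441.chain.pem
    apis:
      - binding: edge-client
"""

CORRECT = MISINDENTED.replace(
    "        identity:\n          server_cert", "    identity:\n      server_cert"
)

# Matches "<indent>[- ]<key>:" at the start of a line; values are ignored.
LINE_RE = re.compile(r"^(\s*)(- )?([A-Za-z_]+):")

NESTED, LISTENER, ROOT_DEFAULT = "nested-under-bindPoint", "listener-level", "root-default"


def check_web_identities(text):
    """Map each web listener name to where its identity block was found."""
    findings, in_web, name, name_indent = {}, False, None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue
        indent = len(m.group(1)) + (2 if m.group(2) else 0)  # "- " counts as 2
        key = m.group(3)
        if indent == 0:                 # top-level key: only "web:" interests us
            in_web = key == "web"
            continue
        if not in_web:
            continue
        if key == "name" and m.group(2):  # new listener; assume no identity yet
            name = raw.split(":", 1)[1].strip()
            name_indent = indent
            findings[name] = ROOT_DEFAULT
        elif key == "identity" and name is not None:
            # Same column as "name" -> honoured; deeper -> sits inside a
            # bindPoint, which the controller ignores, so root identity is served.
            findings[name] = LISTENER if indent == name_indent else NESTED
    return findings
```

A listener reported as nested-under-bindPoint or root-default will present the certificate from the outermost identity section, which is exactly the symptom seen above on 8441 and 8444.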

Thanks as always @TheLumberjack :slight_smile:
Confirmed that it works with the change:

$ openssl s_client -connect ebea685ad01d442a8515a4f1329d2b8d.mgmt.zitipoc.com:8444     </dev/null 2>/dev/null | openssl x509 -text| grep 'Subject:'
        Subject: C = US, L = IAD, O = OCI, OU = ZTA-POC, CN = ebea685ad01d442a8515a4f1329d2b8d.mgmt.zitipoc.com

$ openssl s_client -connect ebea685ad01d442a8515a4f1329d2b8d.pub.zitipoc.com:8441     </dev/null 2>/dev/null | openssl x509 -text| grep 'Subject:'
        Subject: C = US, L = IAD, O = OCI, OU = ZTA-POC, CN = ebea685ad01d442a8515a4f1329d2b8d.pub.zitipoc.com

Thanks for confirming it works. PR is here: unindent the identity block to the proper level by dovholuknf · Pull Request #930 · openziti/ziti-doc · GitHub. It'll be merged in soon, I'm sure. Thanks for pointing this out.

EDIT:
Fix was rolled out and the page is correct now. Thanks again.