Please don't mind me thinking out loud here.
I am trying to think a bit outside the box to find the cause of this, since we seem to be the only ones with this issue? That must mean we do something differently from most other users.
I can't think of any edge case except that the controller is quite old (2022) and I pushed it to the new versions regularly. Maybe there's something in the certificates that lost compatibility in the meantime?
I am quite certain the breaking point for us is oidc auth. With tunnelers v.1.5.4 that don't yet support the edge-oidc endpoint we don't have this issue.
Also, our ZDE on Mac always use legacy auth even though the controller should support it: Mac Ziti Desktop Edge randomly loosing authentication - #2 by scareything
hm...
zt.yaml
# Controller configuration format version.
v: 3
# Bolt database backing the controller (quickstart directory layout).
db: "/home/ziti/.ziti/quickstart/zt/db/ctrl.db"
# Default identity for the controller's own listeners (ctrl/mgmt below);
# the web listeners further down carry their own identity sections.
identity:
  # Client certificate issued under zt-intermediate.
  # NOTE(review): the file name date "2023-17-10" has a month of 17 — likely a
  # day/month swap in the file name only, but confirm this is the intended file.
  cert: "/home/ziti/.ziti/quickstart/zt/pki/zt-intermediate/certs/zt-client.2023-17-10.cert"
  server_cert: "/home/ziti/.ziti/quickstart/zt/pki/zt-intermediate/certs/zt-server.2023-10-16-2734.chain.pem"
  # A single key serves both the client cert and the server cert above —
  # presumably both were issued for this key; confirm they pair.
  key: "/home/ziti/.ziti/quickstart/zt/pki/zt-intermediate/keys/zt-server.key"
  ca: "/home/ziti/.ziti/quickstart/zt/pki/cas.pem"
  # Additional server cert/key pair: a Let's Encrypt chain read from the
  # renewal tool's live/ directory. NOTE(review): renewal replaces these files
  # in place — confirm the controller picks up the new material (reload/restart).
  alt_server_certs:
    - server_cert: "/home/ziti/.ziti/quickstart/zt/le-cert-renewal/certs/live/le.zt.company.com/fullchain.pem"
      server_key: "/home/ziti/.ziti/quickstart/zt/le-cert-renewal/certs/live/le.zt.company.com/privkey.pem"
trustDomain: "company.com"
# Router control-plane listener, bound on all interfaces.
ctrl:
  listener: tls:0.0.0.0:8440
# Fabric management listener. NOTE(review): also bound on all interfaces,
# whereas the HTTP "management" web listener below is loopback-only — confirm
# port 10000 needs to be reachable remotely, otherwise bind it to 127.0.0.1
# or restrict it at the firewall.
mgmt:
  listener: tls:0.0.0.0:10000
# Periodic liveness check of the bolt database.
healthChecks:
  boltCheck:
    interval: 30s
    timeout: 20s
    initialDelay: 30s
edge:
  api:
    # Lifetime of an API session.
    sessionTimeout: 30m
    # Address advertised to clients; matches the client-management bind point below.
    address: zt.company.com:8441
  enrollment:
    # Dedicated signing intermediate used for enrollment.
    # These two paths are unquoted while every other path in the file is quoted —
    # harmless, but inconsistent.
    signingCert:
      cert: /home/ziti/.ziti/quickstart/zt/pki/zt-signing-intermediate/certs/zt-signing-intermediate.cert
      key: /home/ziti/.ziti/quickstart/zt/pki/zt-signing-intermediate/keys/zt-signing-intermediate.key
    # Validity window for identity and router enrollments.
    edgeIdentity:
      duration: 180m
    edgeRouter:
      duration: 180m
web:
  # Public API listener: binds every interface on 8441 and serves the
  # edge-client, edge-oidc AND edge-management APIs.
  # NOTE(review): edge-management is therefore reachable on the public bind
  # point even though the loopback-only "management" listener below also serves
  # it — confirm that is intended; otherwise drop the binding here or restrict
  # the port at the firewall.
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:8441
        address: zt.company.com:8441
    # Identity issued under zt.company.com-intermediate (distinct from the
    # controller's default identity at the top of the file).
    identity:
      ca: "/home/ziti/.ziti/quickstart/zt/pki/zt.company.com-intermediate/certs/zt.company.com-intermediate.cert"
      key: "/home/ziti/.ziti/quickstart/zt/pki/zt.company.com-intermediate/keys/zt.company.com-server.key"
      server_cert: "/home/ziti/.ziti/quickstart/zt/pki/zt.company.com-intermediate/certs/zt.company.com-server.2023-10-16-2734.chain.pem"
      cert: "/home/ziti/.ziti/quickstart/zt/pki/zt.company.com-intermediate/certs/zt.company.com-client.2023-10-17-3103.cert"
      # Same Let's Encrypt pair as the top-level identity.
      alt_server_certs:
        - server_cert: "/home/ziti/.ziti/quickstart/zt/le-cert-renewal/certs/live/le.zt.company.com/fullchain.pem"
          server_key: "/home/ziti/.ziti/quickstart/zt/le-cert-renewal/certs/live/le.zt.company.com/privkey.pem"
    options:
      readTimeout: 5000ms
      writeTimeout: 100000ms
      # TLS 1.2 is still accepted here; the loopback listener below is 1.3-only.
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-client
        options: { }
      # OIDC auth endpoint — the feature the post singles out (tunnelers 1.5.4,
      # which do not use it, are reported as unaffected).
      - binding: edge-oidc
        options: { }
      - binding: edge-management
        options: { }
  # Loopback-only listener for management, the console and the fabric API.
  - name: management
    bindPoints:
      - interface: 127.0.0.1:18441
        address: zt.company.com:18441
    identity:
      ca: "/home/ziti/.ziti/quickstart/zt/pki/zt.company.com-intermediate/certs/zt.company.com-intermediate.cert"
      key: "/home/ziti/.ziti/quickstart/zt/pki/zt.company.com-intermediate/keys/zt.company.com-server.key"
      server_cert: "/home/ziti/.ziti/quickstart/zt/pki/zt.company.com-intermediate/certs/zt.company.com-server.2023-10-16-2734.chain.pem"
      # NOTE(review): this is the zt-intermediate client cert that the top-level
      # identity pairs with zt-server.key, but here it sits next to
      # zt.company.com-server.key from a different intermediate. Confirm the key
      # actually matches this cert — a mismatch would plausibly surface as TLS
      # or auth failures on this listener.
      cert: "/home/ziti/.ziti/quickstart/zt/pki/zt-intermediate/certs/zt-client.2023-17-10.cert"
    options:
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.3
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      # Console UI served from the local ziti-console checkout.
      - binding: zac
        options:
          location: /home/ziti/.ziti/quickstart/zt/ziti-console
          indexFile: index.html
      - binding: fabric
        options: { }
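metrics:
  reportInterval: 20s
# Audit trail of edge session creation, written to a rotating JSON log file.
events:
  edgeSessionLogger:
    subscriptions:
      - type: edge.sessions
        # Only session-creation events are recorded.
        include:
          - created
    handler:
      type: file
      format: json
      # Rotate at 50 MB, keep two old files.
      maxsizemb: 50
      maxbackups: 2
      # A stray markdown fence ("```") was glued to the end of this path in the
      # pasted file, which would have made the log path literally wrong.
      path: /var/log/ziti/edge-sessions.log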