Hi,

I'm trying to achieve what's in the diagram below:

I did the Oracle Cloud part using the quickstart, and now I'm kinda stuck with the PKI certs creation part in AWS. I'm trying to follow along with the docker-compose you guys made, and it's using these two functions to create the router's certs:
```bash
function createRouterPki {
  # Allow router name to be passed in as arg
  router_name="${1-}"
  if [[ "${router_name}" == "" ]]; then
    # RED is a colour helper defined elsewhere in the quickstart scripts
    echo -e " * ERROR: $(RED "routerName needs to be supplied") "
    return 1
  fi
  mkdir -p "${ZITI_PKI_OS_SPECIFIC}/routers/${router_name}"
  export ZITI_ROUTER_IDENTITY_CERT="${ZITI_PKI_OS_SPECIFIC}/routers/${router_name}/client.cert"
  export ZITI_ROUTER_IDENTITY_SERVER_CERT="${ZITI_PKI_OS_SPECIFIC}/routers/${router_name}/server.cert"
  export ZITI_ROUTER_IDENTITY_KEY="${ZITI_PKI_OS_SPECIFIC}/routers/${router_name}/server.key"
  export ZITI_ROUTER_IDENTITY_CA="${ZITI_PKI_OS_SPECIFIC}/routers/${router_name}/cas.cert"
  pki_client_server "${router_name},localhost,127.0.0.1,$(hostname)" "${ZITI_CONTROLLER_INTERMEDIATE_NAME}" "${ZITI_EDGE_ROUTER_IP_OVERRIDE-}" "${router_name}"
}

function pki_client_server {
  allow_list=${1-}
  ZITI_CA_NAME_local=$2
  ip_local=$3
  file_name=$4
  if [[ "${ip_local}" == "" ]]; then
    ip_local="127.0.0.1"
  fi
  # Server cert: skipped if the key already exists under the CA's keys/ folder
  if ! test -f "${ZITI_PKI}/${ZITI_CA_NAME_local}/keys/${file_name}-server.key"; then
    echo "Creating server cert from ca: ${ZITI_CA_NAME_local} for ${allow_list} / ${ip_local}"
    "${ZITI_BIN_DIR-}/ziti" pki create server --pki-root="${ZITI_PKI_OS_SPECIFIC}" --ca-name "${ZITI_CA_NAME_local}" \
      --server-file "${file_name}-server" \
      --dns "${allow_list}" --ip "${ip_local}" \
      --server-name "${file_name} server certificate"
  else
    echo "Creating server cert from ca: ${ZITI_CA_NAME_local} for ${allow_list}"
    echo "key exists"
  fi
  # Client cert: reuses the server key via --key-file
  if ! test -f "${ZITI_PKI}/${ZITI_CA_NAME_local}/keys/${file_name}-client.key"; then
    echo "Creating client cert from ca: ${ZITI_CA_NAME_local} for ${allow_list}"
    "${ZITI_BIN_DIR-}/ziti" pki create client --pki-root="${ZITI_PKI_OS_SPECIFIC}" --ca-name "${ZITI_CA_NAME_local}" \
      --client-file "${file_name}-client" \
      --key-file "${file_name}-server" \
      --client-name "${file_name}"
  else
    echo "Creating client cert from ca: ${ZITI_CA_NAME_local} for ${allow_list}"
    echo "key exists"
  fi
  echo " "
}
```
These two functions translate to these commands:

```bash
mkdir -p "/home/ubuntu/.ziti/quickstart/instance-20220723-2134/pki/routers/ziti-test-private-router"
export ZITI_ROUTER_IDENTITY_CERT="/home/ubuntu/.ziti/quickstart/instance-20220723-2134/pki/routers/ziti-test-private-router/client.cert"
export ZITI_ROUTER_IDENTITY_SERVER_CERT="/home/ubuntu/.ziti/quickstart/instance-20220723-2134/pki/routers/ziti-test-private-router/server.cert"
export ZITI_ROUTER_IDENTITY_KEY="/home/ubuntu/.ziti/quickstart/instance-20220723-2134/pki/routers/ziti-test-private-router/server.key"
export ZITI_ROUTER_IDENTITY_CA="/home/ubuntu/.ziti/quickstart/instance-20220723-2134/pki/routers/ziti-test-private-router/cas.cert"
ziti pki create server --pki-root="/home/ubuntu/.ziti/quickstart/instance-20220723-2134/pki" --ca-name "instance-20220723-2134-intermediate" --server-file "ziti-test-private-router-server" --dns "ziti-test-private-router,localhost,127.0.0.1" --ip "127.0.0.1,35.180.190.208" --server-name "ziti-test-private-router server certificate"
ziti pki create client --pki-root="/home/ubuntu/.ziti/quickstart/instance-20220723-2134/pki" --ca-name "instance-20220723-2134-intermediate" --client-file "ziti-test-private-router-client" --key-file "ziti-test-private-router-server" --client-name "ziti-test-private-router"
```
N.B.: 35.180.190.208 is my AWS EC2 instance's public IP. Correct me if I'm wrong, but I must put the public IP in here (or the public external DNS name)?

The problem I'm facing is that when I look at the certs of the private routers created by the docker-compose, they're stored in `ZITI_HOME/pki/routers/private_router_name/`. But when trying with the commands above, it doesn't create this folder. Instead, it puts them inside the controller intermediate PKI folder.
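Added example, not quickstart or OpenZiti code: it reproduces the path and SAN logic of the two functions above with openssl so the outcome can be inspected offline, without a ziti binary. Two things worth checking are visible in the post itself: the existence check in `pki_client_server` looks under `${ZITI_PKI}/${ZITI_CA_NAME_local}/keys/`, i.e. the CA's folder rather than `routers/<name>/`, and the server certificate's subjectAltName must list every name and address a peer will use to reach the router, which is why the public IP (or public DNS name) belongs in `--dns`/`--ip`. Assumptions: a `certs/` subdirectory next to `keys/` (only `keys/` appears in the post), the TEST-NET address `203.0.113.10` and host name `demo-host` are constructed placeholders, and openssl is on PATH.

```shell
#!/bin/sh
# Added example: models where the quickstart's router certs land and what SANs
# they carry, using openssl in place of `ziti pki create`. Not project code.
set -eu

# Mirror of the script's own `test -f` check: output goes under
# <pki-root>/<ca-name>/keys/, not <pki-root>/routers/<router-name>/.
expected_server_key() {   # $1 pki root, $2 CA name, $3 file name
  printf '%s/%s/keys/%s-server.key\n' "$1" "$2" "$3"
}

# The --dns list createRouterPki builds (host name passed in, not $(hostname)).
router_dns_sans() {       # $1 router name, $2 host name
  printf '%s,localhost,127.0.0.1,%s\n' "$1" "$2"
}

# The --ip list: ZITI_EDGE_ROUTER_IP_OVERRIDE, or 127.0.0.1 when unset.
router_ip_sans() {        # $1 override (may be empty)
  if [ -z "$1" ]; then printf '127.0.0.1\n'; else printf '%s\n' "$1"; fi
}

# Turn the two comma lists into an openssl subjectAltName value. IPv4 literals
# found in the DNS list become IP: entries; duplicates are dropped in order.
san_entries() {           # $1 dns list, $2 ip list
  {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r tok; do
      [ -n "$tok" ] || continue
      case $tok in
        *[!0-9.]*) printf 'DNS:%s\n' "$tok" ;;
        *)         printf 'IP:%s\n' "$tok" ;;
      esac
    done
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r tok; do
      if [ -n "$tok" ]; then printf 'IP:%s\n' "$tok"; fi
    done
  } | awk '!seen[$0]++' | paste -s -d , -
}

# Create a throwaway CA (if absent) and a router server cert signed by it.
# Prints the certificate path. Layout assumed: <root>/<ca>/{keys,certs}/.
issue_router_cert() {     # $1 pki root, $2 CA name, $3 file name, $4 dns list, $5 ip list
  root=$1; ca=$2; name=$3
  mkdir -p "$root/$ca/keys" "$root/$ca/certs"
  if [ ! -f "$root/$ca/keys/$ca.key" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
      -keyout "$root/$ca/keys/$ca.key" -out "$root/$ca/certs/$ca.cert" >/dev/null 2>&1
  fi
  key=$(expected_server_key "$root" "$ca" "$name")
  cert="$root/$ca/certs/$name-server.cert"
  ext="$root/$ca/$name-san.cnf"
  printf 'subjectAltName=%s\n' "$(san_entries "$4" "$5")" > "$ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name server certificate" \
    -keyout "$key" -out "$root/$ca/$name.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$root/$ca/$name.csr" -CA "$root/$ca/certs/$ca.cert" \
    -CAkey "$root/$ca/keys/$ca.key" -CAcreateserial -extfile "$ext" -out "$cert" >/dev/null 2>&1
  printf '%s\n' "$cert"
}

# True when the decoded certificate text contains the given SAN entry,
# e.g. "IP Address:203.0.113.10" or "DNS:ziti-test-private-router".
cert_has_san() {          # $1 cert path, $2 SAN text as openssl prints it
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Stand-alone demo: `sh this.sh demo` issues a cert into a temp dir and lists
# the SANs plus the directories that were (and were not) created.
demo() {
  work=$(mktemp -d)
  c=$(issue_router_cert "$work/pki" "instance-20220723-2134-intermediate" \
        "ziti-test-private-router" \
        "$(router_dns_sans ziti-test-private-router demo-host)" \
        "$(router_ip_sans 127.0.0.1,203.0.113.10)")
  echo "cert: $c"
  openssl x509 -in "$c" -noout -text | grep -A1 'Subject Alternative Name'
  echo "routers/ folder created: $([ -d "$work/pki/routers" ] && echo yes || echo no)"
}
if [ "${1-}" = "demo" ]; then demo; fi
```

The `cert_has_san` check is the one to run against the files the quickstart produces as well: if the public IP or DNS name a client dials is missing from the subjectAltName, TLS hostname verification fails even though the files exist in the expected place.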