Docker Compose Quickstart fails with TLS error and "unable to connect to any controllers"

Hi there,

I was playing with OpenZiti earlier in Docker on Windows and kept hitting certificate errors in the quick start tutorial for Docker Compose. Are there any known issues with this at the moment?

Here’s the guide I’m using: Local - Docker Compose | OpenZiti

Here’s the error I get.

I also tried the simpler config at https://github.com/openziti/ziti/blob/release-next/quickstart/docker/simplified-docker-compose.yml

That had the same error and none of the edge routers came online in both cases.

I’ve tried with and without the seccomp workaround - no change.
security_opt:
- seccomp:unconfined

Any thoughts on how to solve this?

Hi @CloudTester, welcome to OpenZiti and welcome to the community!

We (ok, I did) just updated the docker files. It’s possible our doc is out of date or incomplete, yeah. Let me give that doc a try (on linux first) and I’ll report back.

@gberl002 fyi in case you hit something like this.

Yes, can confirm, I broke something. Give me a bit, I’ll fix this up quickly for ya…

Hi @CloudTester. I think we got things sorted. I’ve pushed a new docker image.

Can you do the following:

Start off by getting the .env file from a slightly different location from the standard location: https://get.openziti.io/dock/.env. This is a temporary solution until I can get the official location updated. If you look at the file, you’ll see the only difference is the uncommented:

ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=ziti-edge-controller
ZITI_CTRL_ADVERTISED_ADDRESS=ziti-controller

Grab the .env file:

Then:

  • docker compose --project-name docker down -v (this will remove any old docker compose remnants)
  • docker compose --project-name docker pull (pull the latest image)
  • docker compose --project-name docker up

At that point, the overlay should come up and work properly.

Sorry, we’re working on these files lately and caused a bug in the process. Have a nice weekend!


Thanks for all your help @TheLumberjack. I got it working now as per the guide. Initially it didn’t work until I uncommented those lines above in the .env file.

One further question - is it possible to set up the docker-compose Ziti network so you can import a JWT identity into the Windows tunneler? I would like to show access to the web-test-blue web server from my endpoint (whilst the docker port is not exposed) to prove the full “access via Ziti” use case - I tried and I get an error:

Tunneler gives this error in the UI and then doesn't show the new identity sometimes, and other times it shows the identity but never finds the service (service count always stays 0 on the identity).

I thought it might be a DNS issue, so I remapped the docker DNS names for the edge router and controller to localhost in the Windows hosts file. I also added the CA certificate to the trusted root CAs on my endpoint so SSL works. I can browse to the controller web UI via the docker exposed ports and export the JWT that way, or via the CLI from inside the controller itself:

docker exec -it docker-ziti-controller-1 bash


A few guesses for the error. First is that you deleted the identity and used an old token (JWT), second is that the JWT expired.

Showing 0 is fine. I expect the issue there is your service policies aren't correct and you have no "dial" policy granting the identity access to any services.

If the UI enrolls and you see it, it succeeded. ZAC should also show you the identity with 1 or 2 green circles/bubbles then as well.
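Putting the two replies above together as one script. This is an added example, not code from the OpenZiti project or from anyone in this thread. The `.env` fix and the three compose commands are the ones given in the earlier reply; the config, service, policy and identity commands show what the missing Dial policy (the reason the last reply gives for a service count of 0) looks like with the `ziti` CLI. Assumptions that are not from the thread: the CLI is already logged in to the controller (for example inside `docker-ziti-controller-1`), `web-test-blue` listens on tcp/8000 inside the compose network, the router hosting the service has an identity named `ziti-private-blue`, the quickstart's default edge-router policies exist, and the names `demo-services`, `demo-clients`, `windows-client` and `web-test-blue.ziti` are invented for the example.

```shell
#!/usr/bin/env sh
# Added example, not from the OpenZiti docs or this thread.
set -eu

ENV_URL="https://get.openziti.io/dock/.env"   # temporary .env location from the reply

# Make sure both advertised-address lines are present and uncommented in a .env
# file (the only difference in the updated .env). Prints how many lines it
# changed or added. Pure text edit, so it runs without Docker.
ensure_advertised_addresses() {
  env_file="$1"; changed=0
  for pair in ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=ziti-edge-controller \
              ZITI_CTRL_ADVERTISED_ADDRESS=ziti-controller; do
    var=${pair%%=*}; val=${pair#*=}
    if grep -qE "^[[:space:]]*#[[:space:]]*${var}=" "$env_file"; then
      # commented out: replace the whole line with the live value
      sed -i.bak -E "s|^[[:space:]]*#[[:space:]]*${var}=.*|${var}=${val}|" "$env_file"
      changed=$((changed+1))
    elif ! grep -qE "^${var}=" "$env_file"; then
      # absent altogether: append it
      printf '%s=%s\n' "$var" "$val" >> "$env_file"
      changed=$((changed+1))
    fi
  done
  rm -f "${env_file}.bak"
  echo "$changed"
}

# The three compose commands from the reply. --project-name docker matches the
# container names seen in the thread (docker-ziti-controller-1). The reply runs
# `up` in the foreground; -d is used here so the script returns.
restart_quickstart() {
  docker compose --project-name docker down -v
  docker compose --project-name docker pull
  docker compose --project-name docker up -d
}

# Service plus the policies an identity needs before the tunneler shows a
# non-zero service count. Assumes an already logged-in ziti CLI, that
# web-test-blue answers on tcp/8000 in the compose network (assumption) and
# that the hosting router identity is ziti-private-blue (assumption).
create_demo_service() {
  svc=web-test-blue
  # what clients intercept: hostname/port on the client side (invented name)
  ziti edge create config "${svc}.intercept.v1" intercept.v1 \
    '{"protocols":["tcp"],"addresses":["web-test-blue.ziti"],"portRanges":[{"low":80,"high":80}]}'
  # where the hosting side forwards to inside the compose network
  ziti edge create config "${svc}.host.v1" host.v1 \
    '{"protocol":"tcp","address":"web-test-blue","port":8000}'
  ziti edge create service "$svc" \
    --configs "${svc}.intercept.v1,${svc}.host.v1" --role-attributes demo-services
  # Dial policy: without one, an enrolled identity lists 0 services.
  ziti edge create service-policy "${svc}.dial" Dial \
    --service-roles "@${svc}" --identity-roles '#demo-clients'
  # Bind policy: the router that hosts (terminates) the service.
  ziti edge create service-policy "${svc}.bind" Bind \
    --service-roles "@${svc}" --identity-roles '@ziti-private-blue'
  # Identity for the Windows tunneler; the JWT is single-use and expires, so
  # re-create the identity rather than reusing an old token. Older CLIs need
  # the `device` type argument; newer ones accept the same command without it.
  ziti edge create identity device windows-client -a demo-clients -o windows-client.jwt
  # Check: shows which services and edge routers the identity can actually use.
  ziti edge policy-advisor identities windows-client -q
}

case "${1:-}" in
  fix-env) curl -fsSL "$ENV_URL" -o .env; ensure_advertised_addresses .env ;;
  restart) restart_quickstart ;;
  service) create_demo_service ;;
  *) : ;;   # no argument: only define the functions
esac
```

`fix-env` downloads the `.env` and applies the text fix; `restart` needs Docker and `service` needs the `ziti` CLI. Run `policy-advisor` again after enrolling: an identity with no Dial policy is what a service count of 0 in the tunneler corresponds to, while an expired or already-used JWT is a separate enrollment failure.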

I got it going. I checked out the repo and used the latest .env and docker-compose. I have a working controller and zac now. That’s pretty cool.

Next step is to add a service. Thanks for all the help so far.