Docker self hosting: failed to verify certificate: x509: certificate is valid for localhost, ziti.zrok.0101.party, not ziti.share.0101.party

Hello everyone,

I was trying to set up zrok on a personal VPS. However, I'm getting the following error in zrok-frontend:

docker compose logs zrok-frontend -f

zrok-frontend-1  | RESTY 2024/11/12 15:02:23 ERROR Post "https://ziti.share.0101.party:1280/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for localhost, ziti.zrok.0101.party, not ziti.share.0101.party, Attempt 4
zrok-frontend-1  | RESTY 2024/11/12 15:02:24 ERROR Post "https://ziti.share.0101.party:1280/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for localhost, ziti.zrok.0101.party, not ziti.share.0101.party, Attempt 5
zrok-frontend-1  | error: unable to authenticate to https://ziti.share.0101.party:1280. Error: Post "https://ziti.share.0101.party:1280/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for localhost, ziti.zrok.0101.party, not ziti.share.0101.party

When I look at the Caddy logs, I see that a certificate has been generated for *.proxy.0101.party:

caddy-1  | {"level":"info","ts":1731424000.494351,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.share.0101.party"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"jagadeesh@stdin.top"}
caddy-1  | {"level":"info","ts":1731424000.4945266,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.share.0101.party"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"jagadeesh@stdin.top"}
caddy-1  | {"level":"info","ts":1731424000.495182,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/2052630727","account_contact":["mailto:jagadeesh@stdin.top"]}
caddy-1  | {"level":"info","ts":1731424000.9182231,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.share.0101.party","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy-1  | {"level":"info","ts":1731424020.083794,"logger":"tls.issuance.acme.acme_client","msg":"authorization finalized","identifier":"*.share.0101.party","authz_status":"valid"}
caddy-1  | {"level":"info","ts":1731424020.086166,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/2052630727/322425139557"}
caddy-1  | {"level":"info","ts":1731424021.1157966,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["*.share.0101.party"],"window_start":1736519279,"window_end":1736692079,"selected_time":1736653743,"recheck_after":1731445621.1157684,"explanation_url":""}
caddy-1  | {"level":"info","ts":1731424021.3899004,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["*.share.0101.party"],"window_start":1736519279,"window_end":1736692079,"selected_time":1736687134,"recheck_after":1731445621.3898566,"explanation_url":""}
caddy-1  | {"level":"info","ts":1731424021.3901203,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/046ffc2c41af80756ebf551b4af21df4d2bd"}
caddy-1  | {"level":"info","ts":1731424021.3981314,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"*.share.0101.party","issuer":"acme-v02.api.letsencrypt.org-directory"}
caddy-1  | {"level":"info","ts":1731424021.4006598,"logger":"tls.obtain","msg":"releasing lock","identifier":"*.share.0101.party"}
caddy-1  | 2024/11/12 15:11:05.475	ERROR	http.log.access.log0	handled request	{"request": {"remote_ip": "106.75.137.67", "remote_port": "12076", "client_ip": "106.75.137.67", "proto": "HTTP/1.1", "method": "GET", "host": "a.share.0101.party", "uri": "/", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"], "Accept-Charset": ["GBK,utf-8;q=0.7,*;q=0.3"], "Accept-Language": ["zh-CN,zh;q=0.8"], "Referer": ["http://b.raimonhd.com"], "Connection": ["close"], "User-Agent": ["Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "a.share.0101.party"}}, "bytes_read": 0, "user_id": "", "duration": 0.012103391, "size": 0, "status": 502, "resp_headers": {"Alt-Svc": ["h3=\":443\"; ma=2592000"], "Server": ["Caddy"]}}

I initially used *.zrok.0101.party for testing. However, I don't want to stick with that subdomain / namespace. I changed the domain in my .env and updated DNS accordingly:

ZROK_DNS_ZONE=share.0101.party

ZROK_USER_EMAIL=jagadeesh@stdin.top
ZROK_USER_PWD=x

ZITI_PWD=x
ZROK_ADMIN_TOKEN=zroktoken

CADDY_DNS_PLUGIN=cloudflare
CADDY_DNS_PLUGIN_TOKEN=x

CloudFlare DNS configuration:

Any help with fixing this issue is appreciated. Thanks.

Hi @jkotra, welcome to the community and to zrok (and OpenZiti/BrowZer)

This is a pretty clear sign to me as to what's going on. When you did this: "I changed domain in my .env and updated DNS accordingly", you will have to regenerate the OpenZiti PKI. The first thing the OpenZiti installations do is establish a full PKI for the zero trust overlay and it's important to have that DNS name correct out of the gate, or the full PKI will be "wrong" if you change the DNS entries.

The easiest thing to do is to start over with your new domain. If you want to do it surgically, we can but I'm fairly confident it'll just be easier to start over.

Let me know if that's enough information for ya, or not... :slight_smile: Cheers

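To make the reply above concrete: the error in the first post is Go's crypto/x509 hostname check failing because the controller certificate generated by the OpenZiti PKI still carries the old name (ziti.zrok.0101.party) while zrok-frontend now connects to ziti.share.0101.party, whereas the wildcard Caddy obtained (*.share.0101.party) does cover the share hostnames. The following Python is an added example, not code from the zrok or OpenZiti projects: it reimplements the SAN dNSName matching rules in pure Python and runs them over SAN lists constructed from the log lines in this thread, so you can see which of the two certificates actually fails for the new zone before tearing anything down. The helper names (match_dns_name, verify_hostname, preflight) and the two SAN lists are assumptions made for the example.

```python
# Added example (not part of zrok/OpenZiti): reproduce the x509 hostname check
# that zrok-frontend performed against the controller certificate.
from __future__ import annotations


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname.

    Applies the RFC 6125 rules that Go's crypto/x509 also uses: comparison is
    case-insensitive, label counts must match, and a wildcard is only honoured
    as the entire left-most label, so "*.share.0101.party" covers
    "a.share.0101.party" but neither "share.0101.party" nor
    "x.y.share.0101.party". A bare "*" is rejected (conservative choice).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_hostname(san_dns_names: list[str], hostname: str) -> tuple[bool, str]:
    """Check hostname against every dNSName SAN.

    Returns (True, "") on success; on failure returns (False, message) with the
    same wording Go's crypto/x509 produces, as seen in the zrok-frontend log.
    """
    if any(match_dns_name(p, hostname) for p in san_dns_names):
        return True, ""
    listed = ", ".join(san_dns_names)
    return False, f"x509: certificate is valid for {listed}, not {hostname}"


# SAN lists constructed from the thread's log output (assumptions for the
# example, not read from real certificates):
# - the controller cert the OpenZiti PKI generated when ZROK_DNS_ZONE was
#   still zrok.0101.party, as reported in the zrok-frontend error;
CONTROLLER_SANS = ["localhost", "ziti.zrok.0101.party"]
# - the wildcard Caddy obtained from Let's Encrypt after the zone was changed.
CADDY_SANS = ["*.share.0101.party"]


def preflight(expected_controller: str, expected_share: str) -> dict[str, tuple[bool, str]]:
    """Run both checks for the new zone and report per role."""
    return {
        "controller": verify_hostname(CONTROLLER_SANS, expected_controller),
        "share": verify_hostname(CADDY_SANS, expected_share),
    }


if __name__ == "__main__":
    results = preflight("ziti.share.0101.party", "a.share.0101.party")
    for role, (ok, msg) in results.items():
        print(f"{role}: {'OK' if ok else 'FAIL: ' + msg}")
```

Running it prints FAIL for the controller (with the exact message from the first post) and OK for the share hostname, which is why only the Ziti side needs a fresh PKI. To feed the matcher real data instead of the constructed lists, dump the SANs the controller actually presents with `openssl s_client -connect ziti.share.0101.party:1280 -servername ziti.share.0101.party </dev/null | openssl x509 -noout -ext subjectAltName` (needs OpenSSL 1.1.1 or newer for `-ext`).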

I was going to say the same thing as @TheLumberjack. You're using Docker Compose, so you can reset the project state by running this before re-running your up command.

docker compose down --volumes

This worked! Thank You.
