Looking at your logs, it looks like the ziti-edge-tunnel container can’t contact the controller. That’s usually because the containers aren’t on the same network, but I can see from your command that you put the ziti-edge-tunnel onto the docker: myFirstZitiNetwork … so I don’t think that’s the case.
Let’s peek inside your jwt… can you run something like (assuming you have jq and base64, if not install them or exec into the controller because I know these tools are in that container):
The iss (issuer) field in ther will refer to the controller that created the identity. Can you make sure the ziti-edge-tunnel can access the url specified in there? I just started my own docker environment, so yours might have that exact url.
If the ziti-edge-tunnel container can curl/access that url, then something else is probably happening. It could also be that the jwt has expired. Notice the exp field? That represents the time the JWT will expire.
Let’s start there and see if we can figure out what’s going on.
Thank you very much for the quick reply.
Also thank you for the videos you have posted on openziti. They are very informative and instructive …
Back you the issue… cut -d "." -f2 /path/to/ubuvm.jwt | base64 -d | jq .
{
“em”: “ott”,
“exp”: 1685694888,
“iss”: “https://54.158.154.10:8441”,
“jti”: “c4ac2b46-5ec2-491a-b639-bfbfbf073d7d”,
“sub”: “Qu0KM17H1J”
}
i would like to clarify one thing about the “ziti-edge-tunnel container and the controller” , being on the same network…
a) controller, edge-router are on the aws instance (54.158.154.10) (machine where expressInstall was run. (following the procedure “Host OpenZiti Anywhere”)
b) the ziti-edge-tunnel` container is on a ubuntu machine behind my home router.
c) the windows machine is also behind my home router. This runs the “Ziti Desktop Edge” GUI, and it was able to add the identity windowsweb.jwt
d) from my windows machine i was able to get the json output when pointing to https://54.158.154.10:8441
{“data”:{“apiVersions”:{“edge”:{“v1”:{“apiBaseUrls”: /*snip … */ }
e) “exp” field, like i transfered the .jwt files fast enough (say max 5min), from the aws instance to the local machines (windows,ubuntu) machine.
f) i also tried installing the linux version of ziti-edge-tunnel and copied the identity file to /opt/openziti/etc/identities and restarted ziti-edge-tunnel. This also produced the same error messages (as in the docker case)
pl let me know if my description is clear enough. and if my understanding is correct.
Oh my goodness, I’m sorry. After rereading the issue, I don’t know why I ended up thinking the ziti-edge-tunnel and overlay network were co-located in docker at all. You clearly stated that. My bad! Thanks for the clarification
I think you found a bug in our quickstart!
I checked out the certificate presented by your controller and I think there’s a problem/bug with our quickstart. Looking at the certificate in my browser, going down to “Certificate Subject Alternative Name” I see you have: “DNS Name: 54.158.154.10” (twice) and IP Address: “54.158.154.10” (also twice):
I have definitely seen that situation cause problems in the past and to be honest, I’m surpised the Ziti Desktop Edge for Windows worked…
Steps to reproduce:
I suspect you ran the quickstart with EXTERNAL_DNS set to the address? Is that correct? We’ll have to try this out on our side… @gberl002 can you try setting EXTERNAL_DNS to the same IP and following the quickstart and see what you see when enrolling an identity in Mac/Linux (I can test Windows when you get it setup)
After we test and confirm that it’s a problem, the easiest thing for you to do is to tear things down and reprovision your overlay network. I know that’s a bit of a pain, but getting this PKI right is a really important step and as this is, it’s not right Will that be a big deal?
We’ll try to reproduce the problem, thanks again for the report and stay tuned!
Hi @TheLumberjack
Pl don’t say “your bad”. I guess you would be looking into numerous posts and it quite likely that something in my initial post may not have been explicit, and has been overlooked. i am thankful to you for your detailed replies.
Yes: i ran the quickstart-Host OpenZiti Anywhere
with EXTERNAL_DNS="$(curl -s eth0.me)"
One doubt (may be it will look silly).
a) QuickStart-local-no-docker : This impiles that
Ziti Overlay Network (controller,egde-router), + the zero-trust applications reside on the
same physical machine (eg all in one aws instance)
b) Quickstart-Host OpenZiti Anywhere : This implies that
Ziti Overlay Network (controller,egde-router) resides on one machine (say aws instance 1)
Zero-trust application are hosted on other machine (say aws instance 2) or some machine behind a route (home/organization)
Meanwhile i will do the setup from scratch once again and confirm the same.
thanks again for the time and effort put into answering our queries
It appears this is a bug with the ziti tunneler. I haven’t figured out the exact details but I was able to reproduce the issue when using the IP for both EXTERNAL_IP and EXTERNAL_DNS. I’m still working on figuring out if it’s the duplicated SANs entry or something else but I wanted to provide an update nonetheless.
I’ll continue debugging this and get back to you with a more definitive answer.
Will that be a big deal?