Enrolling an identity on local desktop from a controller in a docker container on a remote server

What am I trying to do

Enroll an identity from a controller in a docker container on a remote server.

  1. I created the identity on the server
  2. I copied the jwt file to my local desktop
  3. I enrolled the jwt file using the Desktop edge app

What happened

It did not connect.

Areas for assistance

Checking if this is possible… maybe there is something that I need to have setup in the Docker container for this to happen.

Let me know if you have any tips.

I don’t quite understand if you are “enrolling an identity from a controller”, IN a docker environment, on a remote server – or – if you are trying to “enroll an identity from a controller in a docker container”, on a remote server. I don’t know if you can see why I’m confused.

Here’s what I feel like you’re doing. I feel like you started the controller in a docker container, and you’re now trying to enroll an identity from that controller on some other server/machine.

This is entirely possible. You will need to expose the controller port. If you look at the compose files which OpenZiti provides, this is done for you. You’ll see port 1280 and port 3022 are exposed in those files. You’ll also need to expose these ports through your host firewall as well.

Where this will break down is in the config of the ziti-controller. You need to inform the controller to advertise a different address. By default, it’ll be using an advertisement of “ziti-edge-controller”. This address is embedded into the jwt which you’re trying to enroll. Then, “remote computer” will try to connect to the controller at “ziti-edge-controller” and it will have no concept of how to resolve “ziti-edge-controller” to the proper ip of “physical machine” (shown below).

Edit the ziti controller config file at /openziti/ziti-edge-controller.yaml and modify

    address: ziti-edge-controller:1280 _____change this_____


  - name: client-management
      - interface:
        address: ziti-edge-controller:1280 _____change this_____

You’ll then stop/start this container without destroying the volume and it should work.

1 Like

Thanks for the details… this is what I needed help with. I am starting to test new ways of working with the controller.

With this in place, I should also be able to access the ZAC panel deep within the Docker container… which is something else I am also going to give a go.

Much appreciated.

The ZAC is also exposed by default in the docker-compose files. If you want to make your docker ZAC dark, you’ll want to “not expose” the UI. glhf

1 Like

Thanks… also realised the importance of changing the admin password for this scenario :slight_smile:

Quick check in to see if I have missed anything…

I am still unable to enroll an identity on my desktop that was created in a controller in the docker container.

steps followed

  1. change admin password
  2. update controller yaml

replace host name with IP address of the server

  1. open ports on firewall and VCN

  2. docker-compose down

  3. docker-compose up -d

  4. create identity, copy to desktop and enrol the identity

For some reason, it is still unable to reach the controller…

Any tips

This is what you need to figure out. The best thing you should do is put your jwt into jwt.io and confirm what the address is from the jwt. Once you know the “iss” (the hostname to contact) you might be able to figure out why it’s not working


1 Like

Getting closer… I made the changes to the controller yaml file.

I also realised that the edge router also needed to be updated… which is probably where the issue is now.

however, when I start / stop docker

  1. the controller yaml file retains the edits
  2. the edge router yaml file reverts back to the original settings

So… rather than try to delete / recreate this edge router… I will just create a second edge router with the right details… and see if that resolves the issue

I got most of the way through creating a second edge router… but then I started to hit different types of errors when I tried to run it… as it could not find the PKI certificates.

So… I thought to check in

While I find it an interesting configuration… its starting to be more work than its worth…

It would be interesting to know if others have this working… and what changes they needed to make.

this sounds like a bug in the docker compose stuff. i bet it’s recreating the router config each time.

1 Like

That is what I have observed…