Enrollment Failed ZDEW

I’ve been following the OpenZiti “Local - Docker Compose” Quickstart Overview tutorial on YouTube, but I’m unable to enrol the identity.
enrollment failed

After that, I tried to restart my laptop. Then the enrollment identity is there.

Then I realised it was not the same as in the video. There should be a link like https://ziti-edge-controller:1280… below the http.client.

After that, I followed the documentation and added the services. Also did not work, and I still cannot detect the services.

[2022-12-12T04:21:44.811Z]   ERROR ziti-sdk:ziti_enroll.c:219 well_known_certs_cb() D:/a/desktop-edge-win/desktop-edge-win/ziti-edge-tunnel/deps/ziti-tunneler-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:148 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
[2022-12-12T04:21:44.811Z]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:316 tunnel_enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
[2022-12-12T04:26:17.870Z]   ERROR ziti-sdk:ziti.c:236 ziti_init_opts() D:/a/desktop-edge-win/desktop-edge-win/ziti-edge-tunnel/deps/ziti-tunneler-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti.c:200 - load_config(options->config, &cfg) => -13 (Configuration is invalid)
[2022-12-12T04:26:17.870Z]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1109 load_id_cb() identity[C:\Windows\system32\config\systemprofile\AppData\Roaming/NetFoundry/http.client.json] failed to load: failed to initialize ziti

Some of the errors are inside the ziti-tunneler.log.

Is there something I’m missing? Or if I want to start from scratch again, is that fine?

Yes, that's totally fine. In your home directory there will be a .ziti directory. You can just stop ziti-controller and ziti-router, delete that whole $HOME/.ziti directory, exit your shell and then start again. @qrkourier actually has a small guide he's been working on showing people how to do exactly this, so it's timely. You can find it here: https://openziti.github.io/docs/quickstarts/network/help/reset-quickstart

As for the ZDEW, I would remove that identity by clicking on it and choosing 'forget this identity' and then stop it and start the client. That'll make sure it's cleaned up properly. I think you hit a bug around removing identities which I'll go file.

I still encounter the same problem with the ZDE; the identity only appears after I disable and enable it again.
I checked the log and the errors show:

[2022-12-13T01:24:03.091Z]   ERROR ziti-sdk:ziti_ctrl.c:154 ctrl_resp_cb() ctrl[ziti-edge-controller] request failed: -3008(unknown node or service)
[2022-12-13T01:24:03.091Z]   ERROR ziti-sdk:ziti_enroll.c:219 well_known_certs_cb() D:/a/desktop-edge-win/desktop-edge-win/ziti-edge-tunnel/deps/ziti-tunneler-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:148 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
[2022-12-13T01:24:03.091Z]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:316 tunnel_enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)

The third error seems like my controller is not available. Moreover, for the next step, we need to zitiLogin. It seems like my zitiLogin says it is not authenticated.

error: unable to authenticate to https://ziti-edge-controller:1280/edge/management/v1. Status code: 401 Unauthorized, Server returned: {
    "error": {
        "code": "INVALID_AUTH",
        "message": "The authentication request failed",
        "requestId": "mU4-aj-nm"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}

But before this, I was still able to zitiLogin.

And you’re doing all these steps “relatively” close together? Like within say, five minutes? Can you access https://ziti-edge-controller:1280/version successfully? If not, you need to make sure you update your hosts file. The error almost looks like the jwt is invalid.

If you can access that URL, can you send me the jwt to look at? Email clint at openziti.org. Also, can you send a feedback zip file? Go to main menu -> feedback and send that zip file too.

Already changed that part to 600m since I followed the tutorial. Also, I cannot access the URL. I already sent the mail just now.
To access the URL, do I need to change this one too?

# A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces
- interface: 0.0.0.0:1280
  # address - required

That's what I expected. I'm glad to see that. Since you're using docker-compose you will need to update your hosts file. In your C:\Windows\System32\drivers\etc\hosts file you need to add:

#local docker-compose
127.0.0.1 ziti-edge-controller
127.0.0.1 ziti-edge-router

Once you do that, you'll be able to access the url https://ziti-edge-controller:1280/version. Then your enrollment should succeed as well.

Let's do these steps:

  • stop the ZDEW using the big green button
  • navigate to C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry - if there is a file named http.client.json delete it
  • update the hosts file as per above
  • make sure you can access https://ziti-edge-controller:1280/version
  • start your ZDEW
  • make a new identity
  • enroll it

It should succeed. One thing to note is that with this setup, other machines on your local network won't be able to use it unless you update their hosts files too. I don't recommend you do that, though; if you get to that point, you probably want to deploy your docker-compose environment a bit differently so that other machines on the local network can access the controller and router. I'm assuming you only want to keep it all local, though?

You should be able to enroll after doing those steps

If you’re not aware of it, I’d recommend you read up about what the hosts file is and why you’d want to edit it and why I’m recommending you update it. Check out hosts (file) - Wikipedia for example. It has some decent info.
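An added diagnostic that automates the checks in the steps above; it is example code, not something from this thread or from the OpenZiti project. It decodes the payload of the enrollment JWT to learn which controller hostname the token was issued for and whether it has expired, then confirms that the hosts file maps that name and the router name to 127.0.0.1. It assumes the token carries the standard `iss` and `exp` claims (an assumption, not something the thread shows); the sample token and hosts files are constructed, and the signature is deliberately not verified here because that is the tunneler's job.

```python
import base64
import json
import time
from urllib.parse import urlparse

# Hostnames used by the quickstart's docker-compose network (from the thread).
REQUIRED_HOSTS = ("ziti-edge-controller", "ziti-edge-router")
LOOPBACK = "127.0.0.1"

def parse_hosts(text):
    """Map hostname -> IP from hosts-file text, ignoring comments and blank lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        if line:
            ip, *names = line.split()
            for name in names:
                mapping[name.lower()] = ip
    return mapping

def jwt_claims(token):
    """Decode the JWT payload for inspection only; no signature check is done."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, hosts_text, now=None):
    """Return the problems that would make enrollment fail; empty list if none."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    hosts = parse_hosts(hosts_text)
    problems = []
    if claims.get("exp", 0) < now:  # assumed claim: token expiry
        problems.append("enrollment token expired: create and enroll a new identity")
    issuer = urlparse(claims["iss"]).hostname  # assumed claim: controller URL
    for name in sorted(set(REQUIRED_HOSTS) | {issuer}):
        if hosts.get(name) != LOOPBACK:
            problems.append(f"hosts file lacks '{LOOPBACK} {name}'")
    return problems

def _b64(obj):  # builds the constructed sample token below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token: real tokens are signed by the controller; this one is not.
SAMPLE_JWT = ".".join([_b64({"alg": "RS256", "typ": "JWT"}),
                       _b64({"iss": "https://ziti-edge-controller:1280",
                             "sub": "constructed-identity-id", "exp": 1670900000}),
                       "bm90LWEtcmVhbC1zaWduYXR1cmU"])
# Constructed hosts files: controller line commented out and router absent, then fixed.
BROKEN_HOSTS = "# Microsoft hosts file\n#127.0.0.1 ziti-edge-controller\n127.0.0.1 localhost\n"
FIXED_HOSTS = BROKEN_HOSTS + "#local docker-compose\n127.0.0.1 ziti-edge-controller\n127.0.0.1 ziti-edge-router\n"
```

Run `diagnose(SAMPLE_JWT, open(r"C:\Windows\System32\drivers\etc\hosts").read())` with the real token to get the list of missing entries; an empty list means the hosts file and token are consistent.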

Do you mean that when I access the URL successfully, it shows something like this?

{
  "data": {
    "apiVersions": {
      "edge": {"v1": {"apiBaseUrls": ["https://ziti-edge-controller:1280/edge/client/v1"], "path": "/edge/client/v1"}},
      "edge-client": {"v1": {"apiBaseUrls": ["https://ziti-edge-controller:1280/edge/client/v1"], "path": "/edge/client/v1"}},
      "edge-management": {"v1": {"apiBaseUrls": ["https://ziti-edge-controller:1280/edge/management/v1"], "path": "/edge/management/v1"}}
    },
    "buildDate": "2022-11-10T14:53:29Z",
    "revision": "807dd591b1f5",
    "runtimeVersion": "go1.19.2",
    "version": "v0.26.11"
  },
  "meta": {}
}

Yes. That means you were able to contact the controller. Enrollment should succeed now.

It works now. Thank you so much. I’ve been watching and reading a lot of forums to find out why mine still cannot enrol. Have a good day :star_struck:


Glad we were able to get you going.
