Failed to connect, reason=encryption required on service, terminator did not send public header

Hello,

I receive the following error when trying to send a video stream to a service, using the ziti-tunneler :

ERROR ziti-sdk:connect.c:974 connect_reply_cb() conn[0.0/Connecting] failed to connect, reason=encryption required on service, terminator did not send public header

I have an edge router, a service, a bind and dial config but something is missing.

Policy advisor output:

My service config:

My router config:


Setup:

I have installed the ziti-tunnel package on the streaming machine and video server, and enrolled correctly. Everything is docker.

I would greatly appreciate any help! Thank you

Hi @meh, this error caught my eye. Can you run a ziti edge list services via the ziti CLI tool and return the output from that here please?

@scareything or @ekoby, I assume you haven't seen this with any other networks, right?

@meh can you also let us know what tunneler and what version you're running, along with what version ziti-router you're running? Did you create everything via ZAC?

Thanks
-Clint

Here are my services:

ziti@5c0ded251f69:/persistent$ ziti edge list services
╭───────────────────────┬───────────┬────────────┬─────────────────────┬────────────╮
│ ID                    │ NAME      │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│                       │           │  REQUIRED  │                     │            │
├───────────────────────┼───────────┼────────────┼─────────────────────┼────────────┤
│ i4xzD5KWzY1o8OAyZJ9gq │ video.svc │ true       │ smartrouting        │            │
╰───────────────────────┴───────────┴────────────┴─────────────────────┴────────────╯
results: 1-1 of 1

And both machines (streamer and video server) are running the same tunnel version, I installed it by following your tutorial here: Linux | OpenZiti

root@9066b21429ef:/# ziti-edge-tunnel version
v0.21.5-local
root@5bc98cf7ec6c:/# ziti-edge-tunnel version
v0.21.5-local

I created everything from the CLI

I’m trying to create a reproducible guide so here’s what I did to create my service and identities:

# router identity and enrollment
# (the trailing backslash that joined the next command onto this one is removed)
ziti create config router edge --routerName ziti-edge-router \
                                --output ziti-edge-router.yaml
ziti edge create edge-router ziti-edge-router --jwt-output-file ziti-edge-router.jwt --tunneler-enabled
ziti-router enroll ziti-edge-router.yaml --jwt ziti-edge-router.jwt
[   1.104]    INFO edge/router/enroll.(*RestEnroller).Enroll: registration complete

# video server and streamer identity, config and service
ziti edge create identity user video-server.ziti -o video-server.ziti.jwt
# host.v1 address = where the hosting tunneler reaches the video server; the original
# '"${video-server.ziti}"' is not a valid shell substitution, and the router log below
# shows the actual dial target tcp:video-server:1935
ziti edge create config video.host.v1 host.v1 '{"protocol":"tcp", "address":"video-server", "port":1935}'
ziti edge create identity user streamers -a 'streamers' -o streamers.jwt
# intercept.v1 = the address/port the streamer's tunneler captures and sends over the fabric
ziti edge create config streamers.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["video-server.ziti"], "portRanges":[{"low":1935, "high":1935}]}'
ziti edge create service video.svc --configs streamers.intercept.v1,video.host.v1
ziti edge create service-policy streamer.policy.dial Dial --service-roles '@video.svc' --identity-roles '#streamers'
ziti edge create service-policy video.policy.bind Bind --service-roles '@video.svc' --identity-roles '@video-server.ziti'

# enrollment from the server
ziti-edge-tunnel enroll --jwt ./video-server.ziti.jwt --identity ./video-server.json
# enrollment from the streamer
ziti-edge-tunnel enroll --jwt streamers.jwt --identity streamers.json

More error messages:

n1b-ziti-controller-1                 | [ 565.655]   ERROR edge/controller/handler_edge_ctrl.(*baseRequestHandler).returnError [ch{oSCt9RL5t}->u{classic}->i{03L4}]: {token=[0e044d76-af69-40dc-8d12-2e7225ecfdaa] error=[encryption required on service, terminator did not send public header] routerId=[oSCt9RL5t] operation=[create.circuit]} responded with error
n1b-ziti-edge-router-1                | {"_channels":["establishPath"],"apiSessionId":"clj2x9lzs00fy9dpemnp8h8r9","attemptNumber":"1","binding":"transport","circuitId":"s.4ISDOWo","destination":"tcp:video-server:1935","file":"github.com/openziti/fabric@v0.22.24/router/xgress_transport/dialer.go:79","func":"github.com/openziti/fabric/router/xgress_transport.(*dialer).Dial","level":"info","msg":"successful connection to tcp:video-server:1935 from 172.22.0.2:47930","serviceId":"i4xzD5KWzY1o8OAyZJ9gq","sessionId":"clj2xa1f300gk9dpekla847lj","time":"2023-06-19T13:58:58.491Z"}
n1b-ziti-edge-router-1                | {"_context":"ch{edge}-\u003eu{classic}-\u003ei{nW8D}","chSeq":1,"connId":0,"edgeSeq":0,"error":"encryption required on service, terminator did not send public header","file":"github.com/openziti/edge@v0.24.125/router/xgress_edge/listener.go:185","func":"github.com/openziti/edge/router/xgress_edge.(*edgeClientConn).processConnect","level":"warning","msg":"failed to dial fabric","time":"2023-06-19T13:58:58.492Z","token":"0e044d76-af69-40dc-8d12-2e7225ecfdaa","type":"EdgeConnectType"}
n1b-video-streamer-1                  | (17)[       20.047]   ERROR ziti-sdk:connect.c:974 connect_reply_cb() conn[0.0/Connecting] failed to connect, reason=encryption required on service, terminator did not send public header
n1b-video-streamer-1                  | (17)[       20.047]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: connection is closed
n1b-video-streamer-1                  | [tcp @ 0x557e788ade00] Connection to tcp://video-server.ziti:1935?tcp_nodelay=0 failed: Connection refused
n1b-video-streamer-1                  | [rtmp @ 0x557e788ad700] Cannot open connection tcp://video-server.ziti:1935?tcp_nodelay=0
n1b-video-streamer-1                  | rtmp://video-server.ziti/live/test: Connection refused

Edit:

Ok, I solved the problem but I’m not sure why.

I added the router role attribute “public” and “all” to my edge router, and everything is working.


Interesting. That's definitely necessary. When you first install things using expressInstall, the process will create an edge router and add #public to that router. That's necessary. All identities must have access to at LEAST one edge router. Somehow, that process must have failed. Looking at the commands you ran, it looks like that's what happened:

ziti edge create edge-router ziti-edge-router --jwt-output-file ziti-edge-router.jwt --tunneler-enabled

You should/could have added a -a public on that command, and that would have added the attribute for you. Then the edge-router-policy would have worked.

What's not clear is why this manifested with the error:

failed to connect, reason=encryption required on service, terminator did not send public header

Anyway, I'm glad you got things sorted!
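Added here as an illustration of the last reply (not code from the thread or from OpenZiti itself): the role-matching rule an edge-router-policy applies, which is why a router created without `-a public` is selected by no policy written against `#public`, followed by the corrected creation command. The router and identity names are the thread's; that the edge-router-policy uses `#public` is an assumption, and the `update edge-router` and `policy-advisor` commands are the CLI's, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenZiti itself.
# OpenZiti policies select entities by role: "#attr" matches any entity carrying
# the role attribute "attr", "@name" matches the entity named "name", and "#all"
# matches every entity. A router created without -a carries no attributes, so a
# policy written with edge-router-roles '#public' (assumed here) never selects it.

# erp_allows ROUTER_NAME "attr1 attr2 ..." "role1 role2 ..."
# Returns 0 when at least one policy role selects the router, 1 otherwise.
erp_allows() {
  name=$1; attrs=$2; roles=$3
  for role in $roles; do
    case $role in
      '#all' | "@$name") return 0 ;;
      '#'*)
        wanted=${role#?}          # strip the leading '#'
        for a in $attrs; do
          [ "$a" = "$wanted" ] && return 0
        done ;;
    esac
  done
  return 1
}

# The thread's situation (no attributes), then the state after adding "public" and "all".
show() {
  if erp_allows ziti-edge-router "$1" '#public'; then
    echo "attrs [$1]: router selected by the #public policy"
  else
    echo "attrs [$1]: router NOT selected -> identities have no edge router"
  fi
}
show ""
show "public all"

# Corrected commands for the controller host (defined only, not run here): create the
# router with -a public up front, or add the attribute to an already-enrolled router,
# then let policy-advisor confirm the identity has a router before dialing.
create_public_router() {
  ziti edge create edge-router ziti-edge-router \
    --jwt-output-file ziti-edge-router.jwt --tunneler-enabled -a public
  # ziti edge update edge-router ziti-edge-router -a public
  ziti edge policy-advisor identities streamers -q
}
```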