Hi,
I am currently trying to follow the quick start Host OpenZiti Anywhere | OpenZiti. I am using a DNS name while setting up the environment.
When I finish setting everything up, I go into the console and create a new identity. I download the JWT and tried to connect via the Windows tunnel app, and I wasn't able to.
I analyzed the JWT and I saw the issuer wasn't the DNS name I set while doing the setup. It was https://openziti:8441 instead of https://mycustomdomain:8441.
Is it normal, or did I miss something?
Thank you.
Hi @joseph-salem, welcome to the community and to OpenZiti! (and zrok/BrowZer)
I would expect the issuer to match whatever value you supplied to the ZITI_CTRL_ADVERTISED_ADDRESS variable prior to running the quickstart.
You can also check the resulting ziti controller config file. Open up $HOME/.ziti/quickstart/$(hostname)/$(hostname).yaml
Find the edge->api->address field and it'll likely be set to what you see in that jwt. For example, from my environment it looks like:
```yaml
# The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses
# defined in this Controller.WebListener.'s bindPoints.
address: ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8441
```
and an enrollment token (jwt) will look like:
```shell
cut -d "." bob.jwt -f2 | base64 -d | jq .
{
  "iss": "https://ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8441",
  "sub": "7y7.zaBxk",
  "aud": [
    ""
  ],
  "exp": 1730482407,
  "jti": "ef8efc9f-07f3-49a9-9785-4b09c9747307",
  "em": "ott",
  "ctrls": null
}
```
You probably want to start over; you want to make sure that you use the actual external address, or your whole PKI chain will be broken.
You can confirm things are set up properly by running verify-traffic, which will actually use the overlay network.
For example:
```shell
ziti ops verify-traffic \
  --host localhost \
  --port 2001 \
  --username admin \
  --password admin
```
Success will look like this:
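An added Python equivalent of the `cut | base64 -d | jq` check above (example code, not from the thread or the OpenZiti project): it pads the unpadded base64url segment so the decode does not choke, then compares the issuer's host:port with the address you expected to advertise. The token it decodes is a constructed, unsigned sample; `make_sample_token` and `check_issuer` are hypothetical helper names.

```python
import base64
import json
from urllib.parse import urlsplit


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.

    JWT segments are base64url without '=' padding, which is why a plain
    `base64 -d` may complain; we restore the padding before decoding.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def check_issuer(token: str, advertised_address: str) -> tuple[bool, str]:
    """Compare the enrollment token's 'iss' with the advertised host:port.

    A mismatch here is the symptom from the thread: the tunneler will try to
    reach the issuer, and the controller's certificate will not match it.
    """
    iss = decode_jwt_payload(token).get("iss", "")
    url = urlsplit(iss)
    if url.scheme != "https" or not url.hostname:
        return False, f"issuer {iss!r} is not an https URL"
    host_port = f"{url.hostname}:{url.port}" if url.port else url.hostname
    if host_port != advertised_address.lower():
        return False, f"issuer {host_port!r} != advertised {advertised_address!r}"
    return True, "issuer matches advertised address"


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned token for offline demonstration only."""
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.signature-omitted"


if __name__ == "__main__":
    # Constructed sample reproducing the mismatch described in the question.
    tok = make_sample_token({"iss": "https://openziti:8441", "sub": "x", "em": "ott"})
    print(check_issuer(tok, "mycustomdomain:8441"))
```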
Hi @TheLumberjack,
Thank you for your feedback. I found that my hostname on the VM wasn't set properly.
After setting it with the same value as the DNS, it worked.