Got an error for identity enrollment

I followed the quickstart to set up a local, no-docker network, and ZAC was successful.
But when I enroll the identity for Ziti Desktop Edge for Windows, it's wrong.

Service logs:
[2024-05-30T07:52:45.059Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ChanDa] request failed: -4039(connection timed out)
[2024-05-30T07:52:45.059Z] ERROR ziti-sdk:ziti_enroll.c:221 well_known_certs_cb() D:/a/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:139 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
[2024-05-30T07:52:45.059Z] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:319 tunnel_enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)

The identity is simply set with an attribute.

I saw a similar problem, but the difference is that I'm not using docker:
Enrollment Failed ZDEW - Tunneler Apps / Ziti Desktop Edge for Windows - openziti

Hi @git321906241, welcome to the community and to OpenZiti!

The failure to enroll with ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed) makes me think the PKI is somehow incorrect.

Can you describe where the controller is installed? Is it in WSL or is it on a linux machine somewhere or something else entirely? How'd you install it?

Could you try using the ziti cli to enroll a test identity first and see what it returns? You would just run:

ziti edge create identity test-enroll -o test-enroll.jwt
ziti edge enroll test-enroll.jwt

You SHOULD see something like this (then you can just delete this identity):

INFO    generating 4096 bit RSA key
INFO    enrolled successfully. identity file written to: test-enroll.json

If you don't, please show me the output. Let's take the ZDEW out of the picture; it's a bit easier to use the ziti CLI to test/debug here.

Thanks for your reply. My controller is installed on WSL. I used the ziti cli to enroll an identity, and the expected results were returned:

INFO generating 4096 bit RSA key
INFO enrolled successfully. identity file written to: test-enroll.json

I tested it with other devices. Both computers in the same LAN can successfully enroll identities, but the host of WSL and the cloud server both can't enroll identities, and my WSL, host, and cloud server firewalls have been turned off. Do you have any suggestions?

From the windows computer, what is the hostname/FQDN that it uses to connect to the controller? For example, on my computer when I run ziti in docker (through WSL), from my command prompt I access the controller with:

C:\Users\clint>curl -sk https://sg4u22wsl.parkplace-via-dhcp:12000

which returns some json for me:

{"data":{"apiVersions":{"edge":{"v1":{"apiBaseUrls":["https://sg4u22wsl.parkplace-via-dhcp:12000/edge/client/v1"],"path":"/edge/client/v1"}},"edge-client":{"v1":{"apiBaseUrls":["https://sg4u22wsl.parkplace-via-dhcp:12000/edge/client/v1"],"path":"/edge/client/v1"}},"edge-management":{"v1":{"apiBaseUrls":["https://sg4u22wsl.parkplace-via-dhcp:12000/edge/management/v1"],"path":"/edge/management/v1"}}},"buildDate":"2024-04-10T19:42:37Z","capabilities":[],"revision":"a3186132e5eb","runtimeVersion":"go1.22.2","version":"v1.0.0"},"meta":{}}

That domain name needs to show up in your controller's cert. The easiest way to check that imo is using your browser. You need to check the "Certificate Subject Alternate Name" and you need a "DNS Name" that matches.

Can you confirm that your windows machine can get to that controller in the browser and that you see a DNS Name that matches the url you go to? (as I show)

Here is the json:

{"data":{"apiVersions":{"edge":{"v1":{"apiBaseUrls":["https://ChanDa:1280/edge/client/v1"],"path":"/edge/client/v1"}},"edge-client":{"v1":{"apiBaseUrls":["https://ChanDa:1280/edge/client/v1"],"path":"/edge/client/v1"}},"edge-management":{"v1":{"apiBaseUrls":["https://ChanDa:1280/edge/management/v1"],"path":"/edge/management/v1"}}},"buildDate":"2024-04-10T19:42:37Z","capabilities":[],"revision":"a3186132e5eb","runtimeVersion":"go1.22.2","version":"v1.0.0"},"meta":{}}

I can't get to the controller at https://ChanDa:1280 in the browser.

That's what I was afraid of/expected. If you're running ziti inside WSL, you'll have to figure out how to get wsl and windows to play nicely together. I won't lie -- it's sort of a pain even for me. Nothing ziti related, just all about how Microsoft implemented WSL. Me personally, I use their undocumented "bridge" network feature of WSL and I also have a pi.hole that controls my local DNS but that's all... "work"... I find it useful, but it's all stuff that's outside of anything OpenZiti....

I would recommend you either:

  • install ziti on a different computer in your local network (then routing won't be an issue)
  • install a VM with hyper-v or oracle virtual box and use one of THOSE VMs in "bridge" mode
  • install ziti somewhere else outside your network on a free VPS like oracle, or a cloud server you have
  • make it only work for your workstation by using the hosts file in windows and have it point ChanDa to 127.0.0.1

The problem right now is the WSL hostname ChanDa is not resolvable by windows...

You need to get that working first though.

Thank you, I will try.

I replaced the device and installed Linux, and successfully accessed the controller; the "Certificate Subject Alternate Name" is correct. ECS in the Internet still cannot enroll their identities. What should I do next?

You need to look at the logs and find the error. It should be obvious, but if it's not obvious, post them here.

[2024-06-03T02:04:42.484Z]   ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[chanda-ThinkBook-16-G4-IAP] request failed: -3008(unknown node or service)
[2024-06-03T02:04:42.484Z]   ERROR ziti-sdk:ziti_enroll.c:221 well_known_certs_cb() D:/a/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:139 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
[2024-06-03T02:04:42.484Z]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:319 tunnel_enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)

"unknown node or service": this is a departure from the previous error. The problem appears to be that the public network cannot resolve the private DNS. Do I need to change the configuration to map the controller service to the Internet?

Yes, "unknown node or service", in my experience, means the computer cannot resolve the DNS entry.

do I need to change the configuration to map the controller service to the Internet?

Does this mean you're deploying in kubernetes? I can't really tell you "what" needs to happen there but I can tell you that the ZDEW (ziti desktop edge for windows) needs to be able to:

  • resolve the "advertised" address of the controller
  • be able to connect to the controller client http api
  • resolve the "advertised" address of at least one edge router
  • be able to connect to the edge port advertised by the edge router
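The checks discussed in this thread (does the controller name in the JWT resolve, does the client reach it, is that name in the cert's SAN) as one pre-enrollment script. This is an added example, not part of the thread or of the OpenZiti tooling; it assumes the controller URL is the JWT's `iss` claim and does not verify the JWT signature (the tunneler does that against the controller's CA), and the SAMPLE_JWT at the bottom is constructed for illustration.

```python
import base64
import json
import socket
import ssl
from urllib.parse import urlparse

def decode_jwt_claims(token: str) -> dict:
    """Read the payload WITHOUT checking the signature (the controller's CA
    does that); we only want the controller URL, assumed to be 'iss'."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def hostname_in_san(cert: dict, hostname: str) -> bool:
    """Match against DNS SAN entries of a getpeercert() dict, incl. '*.x'."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        san = value.lower()
        if kind == "DNS" and (san == host or (san.startswith("*.") and "." in host
                                              and host.split(".", 1)[1] == san[2:])):
            return True
    return False

def fetch_peer_cert(host: str, port: int) -> dict:
    """Trust-on-first-use: pin the presented cert so the chain validates and
    getpeercert() returns a parsed dict (it is {} under CERT_NONE)."""
    pem = ssl.get_server_certificate((host, port), timeout=5)
    ctx = ssl.create_default_context(cadata=pem)
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN  # leaf cert as anchor
    ctx.check_hostname = False  # SAN mismatch is reported by us, not raised
    with socket.create_connection((host, port), timeout=5) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert()

def diagnose(token: str) -> str:
    url = urlparse(decode_jwt_claims(token)["iss"])
    host, port = url.hostname, url.port or 443
    try:
        socket.getaddrinfo(host, port)      # fails like -3008 'unknown node or service'
    except socket.gaierror as e:
        return f"DNS: {host} does not resolve ({e.strerror})"
    try:
        cert = fetch_peer_cert(host, port)  # fails like -4039 'connection timed out'
    except OSError as e:
        return f"connect: {host}:{port} unreachable ({e})"
    if not hostname_in_san(cert, host):
        return f"SAN: {host} missing from cert DNS names {[v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']}"
    return f"ok: {host}:{port} resolves, answers TLS, and its cert covers {host}"

# Constructed sample (not a real token): payload carries the thread's advertised address.
SAMPLE_JWT = ".".join(base64.urlsafe_b64encode(json.dumps(c).encode()).rstrip(b"=").decode()
    for c in ({"alg": "RS256"}, {"iss": "https://ChanDa:1280", "sub": "x", "em": "ott"})) + ".sig"
```

Run `diagnose(open("test-enroll.jwt").read().strip())` on the Windows box or the cloud server; the first message it returns is the layer to fix before retrying ZDEW.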