Giving HA a try.. I must have done something wrong here. Not exactly sure if it's on the ctrl2 side or if it was while adding to the cluster from ctrl1. ctrl2 is online as an uninitialized node. Appreciative of any assistance..
If you add a node using ziti agent cluster add <addr>, you won't encounter this, as it will reach out to the node before adding it, to get the id. This will only work if the address is valid, so any mistakes will be caught before the node is added.
To recover from this situation I'd take the following steps:
1. Make a db snapshot: ziti fabric db snapshot.
2. Shut ctrl1 down.
3. Copy the db snapshot to a safe location.
4. Make a backup of the cluster data directory.
5. Delete the cluster data directory. This will wipe your raft journal and database.
6. Update the controller config db: parameter to point to the snapshot database.
7. Start the controller. It will initialize using the snapshot db, but ctrl2 won't be a member.
8. Re-add ctrl2, this time not specifying --id, to make sure you're providing the correct address.
   a. Something like: ziti agent cluster add tls:ctrl2.a.internal:443
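The file-handling part of the recovery above (keep the snapshot, back up the cluster data directory, wipe it, repoint db:) written as guarded shell functions that refuse to delete anything until both copies verify. This is an added example, not part of the original posts or OpenZiti's own tooling; the function names and every path are hypothetical, and it assumes db: is a top-level key in the controller YAML.

```shell
#!/usr/bin/env bash
# Added example, not OpenZiti tooling. Every path is an operator-supplied
# argument; none is an OpenZiti default. Run with ctrl1 shut down, after
# `ziti fabric db snapshot` has produced the snapshot file.
set -euo pipefail

# Copy the snapshot and the cluster data directory into <safe-dir>, verify
# both copies, and only then delete the data directory (raft journal + db).
preserve_and_wipe() {  # <snapshot.db> <cluster-data-dir> <safe-dir>
  local snap=$1 data=$2 safe=$3
  [ -s "$snap" ] || { echo "snapshot missing or empty: $snap" >&2; return 1; }
  [ -d "$data" ] && [ "$data" != / ] || { echo "bad data dir: $data" >&2; return 1; }
  [ ! -e "$safe/cluster-data.bak" ] || { echo "backup already exists" >&2; return 1; }
  mkdir -p "$safe"
  chmod 700 "$safe"   # the db and journal hold identity and enrollment data
  cp -p "$snap" "$safe/snapshot.db"
  cmp -s "$snap" "$safe/snapshot.db" || return 1
  cp -a "$data" "$safe/cluster-data.bak"
  diff -r "$data" "$safe/cluster-data.bak" >/dev/null || return 1
  rm -rf -- "$data"
}

# Point the controller config's top-level db: key (assumed layout) at the
# snapshot. The previous config is kept beside it as <config>.pre-recovery.
set_db_path() {  # <config.yml> <db-path>
  local cfg=$1 db=$2 tmp
  cp -p "$cfg" "$cfg.pre-recovery"
  tmp=$(mktemp)
  awk -v db="$db" '
    /^db:/ { print "db: \"" db "\""; seen = 1; next }
    { print }
    END { if (!seen) print "db: \"" db "\"" }' "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"   # overwrite in place so the file keeps its mode and owner
  rm -f "$tmp"
}

# Afterwards: start the controller, then re-add the node without --id:
#   ziti agent cluster add tls:ctrl2.a.internal:443
```

Source the file and call preserve_and_wipe, then set_db_path with the path of the snapshot the controller should initialize from.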
Thanks! That was it and the steps worked perfectly! Turns out I had to adjust my cert configs in conf.yml too; the HA example configs in git helped me sort that out. Very neat, and while setup may seem a little daunting at first, things do start to "make sense".
I know HA is new so no expectations but is Windows client + Ext JWT auth compatible? Seem to be seeing some sort of success in the initial auth, with my test service listed but I'm not able to connect. On my edge router I am seeing "invalid client certificate for api session" "failure accepting channel edge with underlay".
Not sure if I fixed my PKI or if the latest Ziti updates helped, but thought I'd mention I was able to get ext jwt auth with HA working, no longer seeing the invalid cert issues as I mentioned in my last comment. Though I'm hoping the visualizer feature in ZAC isn't compatible with HA because it seems to be showing more errored links than one would hope for..