How do I get the JSON file referenced in ntity_file /path/to/ziti/identity1.json;? Is it obtained via ziti-edge-tunnel enroll --jwt http.client.jwt --identity http.client.json? But my install was via source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"; expressInstall
The OpenZiti service installed with this command does not contain an app.
Hi @roycyz, welcome to the community and to OpenZiti (and zrok/BrowZer)!
The referenced identity file is obtained by creating an identity in the OpenZiti controller and enrolling it. Have a look at the doc for more info if you need it: Ziti Identities | OpenZiti. Tunneling to NGINX Upstreams | OpenZiti also links to a subsection of this doc.
The quickstarts (expressInstall) will deploy a controller and a router for you to use. They are necessary in order to create an identity and for it to be useful.
Hopefully that's enough information to get you going.
Thank you for your reply. Here is another question I would like to ask: what is the reason for the error reported here?
The configuration file is as follows:
load_module modules/ngx_http_ziti_module.so;
worker_processes 1;
events {
    worker_connections 1024;
}
thread_pool ziti threads=32 max_queue=65536;
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            proxy_pass http://192.168.11.183;
            ziti_pass 'xxxxxx';
            ziti_identity /opt/nginx/ziti/zb.json;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
In my experience, when you see our logs state something like
request failed: -103(software caused connection abort)
this is generally an active failure, meaning a request was attempted, but it was forcefully rejected. In my experience, a very common cause for this is that the identity is simply invalid. For example, the identity JSON file is not correct for whatever reason.
A simpler way to debug this and let me/us help you would be to use ziti-edge-tunnel with that identity and see if it will connect. This will rule any nginx stuff out of the equation. It will be as simple as installing/downloading ziti-edge-tunnel and running:
ziti-edge-tunnel run -i /opt/nginx/ziti/zb.json
Can you try that? Let's just make sure that identity can connect and if not, make a new identity, and test with ziti-edge-tunnel to ensure it's valid before adding it to nginx. If it works, well then we know we'll need to focus on the nginx part.
Now I start OpenZiti with docker. I create the JSON file as follows:
docker exec -it docker-ziti-controller-1 bash
zitiLogin
ziti edge create identity user http-client -a 'http-clients' -o http.client.jwt
ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"web-test-blue", "port":8000}'
ziti edge create service http.svc --configs http.intercept.v1,http.host.v1
ziti edge create service-policy http.policy.dial Dial --service-roles "@http.svc" --identity-roles '#http-clients'
ziti edge create service-policy http.policy.bind Bind --service-roles '@http.svc' --identity-roles "@ziti-private-blue"
Then I exit the docker container, copy the file to my dir and execute commands like:
ziti-edge-tunnel enroll --jwt http.client.jwt --identity http.client.json
ziti-edge-tunnel run -i http.client.json
The error follows:
You are connecting to the controller, and getting an edge router from the controller, which you are then trying to connect to. Is the edge router process running? Does the name ziti-edge-router resolve? Or is the edge listener configured with an IP that is correct and reachable? That info would be in the router's configuration file.
Now I can use it with ziti-edge-tunnel run -i http.client.json. But when I want to connect on Windows, I downloaded desktop-edge-win 2.5.2.8 from GitHub. Then when I add the jwt file, there is this error in the logfile:
[2025-01-23T05:33:23.325Z] ERROR tlsuv:win32_keychain.c:108 failed to generate key[ziti://wkJ7LlXai@zhibei-virtual-machine:1280]: The object is already exists.
[2025-01-23T05:33:23.325Z] ERROR ziti-edge-tunnel:process_cmd.c:60 tunnel_enroll_cb() enrollment failed: error generating private key(-10)
[2025-01-23T05:33:23.325Z] ERROR ziti-edge-tunnel:process_cmd.c:68 tunnel_enroll_cb() removing failed identity file: c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\http.client.json
And another error when I executed zitiLogin:
[ 12.377] ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[127.0.0.1:60184] error=[remote error: tls: bad certificate]} handshake failed
Also, adding the jwt file gives the same error with a different IP.
First, I want to make sure you're not using the same JWT. JWTs are single-use. Assuming you're using a different JWT, it looks like you might be hitting a problem with a feature that was recently introduced: keychain support. Can you share a feedback.zip file by emailing it to clint at openziti.org? I'd like to see a bunch of information that it contains (the zip file). I'm guessing this is a machine that doesn't have a TPM on it?
You can try to disable keychain support for this identity by going to Main Menu -> Advanced Settings -> Tunnel Config -> Use Keychain --> unchecked -> Save
Looks like we might need to change the way this code works to surface an error back to the user or something in this situation.
Thank you for your help.
I did use the same jwt file for the test, and the commands that generated it are as follows:
ziti edge create identity user http-client -a 'http-clients' -o http.client.jwt
ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"xxx.xxx.xxx.xxx", "port":8000}'
ziti edge create service http.svc --configs http.intercept.v1,http.host.v1
ziti edge create service-policy http.policy.dial Dial --service-roles "@http.svc" --identity-roles '#http-clients'
ziti edge create service-policy http.policy.bind Bind --service-roles '@http.svc' --identity-roles "@http-client"
ziti-edge-tunnel enroll --jwt http.client.jwt --identity http.client.json
After modifying according to what you said, there is still an error as follows:
[2025-01-24T02:33:41.274Z] ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[zhibei-virtual-machine:1280] API request[/enroll] failed code[INVALID_ENROLLMENT_TOKEN] message[The supplied token is not valid]
[2025-01-24T02:33:41.274Z] ERROR ziti-sdk:ziti_enroll.c:402 enroll_cb() failed to enroll with controller: https://zhibei-virtual-machine:1280 INVALID_ENROLLMENT_TOKEN[The supplied token is not valid] reason[]
[2025-01-24T02:33:41.274Z] ERROR ziti-edge-tunnel:process_cmd.c:60 tunnel_enroll_cb() enrollment failed: JWT not accepted by controller(-3)
I've even tried generating a file with the following commands:
ziti edge create identity user http-server -o http-server.jwt
ziti edge create identity user http-client -o http-client.jwt
ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"xxx.xxx.xxx.xxx", "port":8000}'
ziti edge create service http.svc --configs http.intercept.v1,http.host.v1
ziti edge create service-policy http.policy.dial Dial --service-roles "@http.svc" --identity-roles '#http-clients'
ziti edge create service-policy http.policy.bind Bind --service-roles '@http.svc' --identity-roles "@http-server"
But it can't convert it to a JSON file.
This is the feedback.zip file
log.zip (9.0 KB)
Yeah, you can't use the same JWT. JWTs are single use. Once you use them, they become unusable. If you are seeing INVALID_ENROLLMENT_TOKEN, it's almost certainly because it's being used again. If you want to enroll again, you need to make a second identity and enroll that.
When I try to create two jwts just like Your First Service | OpenZiti, I can't create the JSON files. The error is (938604)[ 0.000] WARN ziti-sdk:model_support.c:202 model_parse() json parse error: unexpected character.
What should I write for ${http_server_id}? Both http-client and http-server had the same errors when I created the JSON files.
Probably need more details. Can you recap where you're at and what commands you're using or what you did in the ZAC? You create the JSON files by enrolling JWTs, the one-time-use tokens you get by creating identities.
I'm just not sure where you're at and what you're trying to do. If you could just let me know exactly where you're at and what you're trying to do I'll try to help out. Cheers
root@zhibei-virtual-machine:/opt/nginx/ziti# ziti edge create identity user http-client -a 'http-clients' -o http.client.jwt
Command "user" is deprecated, this command is deprecated, specifying identity type is no longer required
New identity http-client created with id: UlOPAHcgB
Enrollment expires at 2025-01-26T05:53:03.855Z
root@zhibei-virtual-machine:/opt/nginx/ziti# ziti edge create identity user http-server -o http.server.jwt
Command "user" is deprecated, this command is deprecated, specifying identity type is no longer required
New identity http-server created with id: ZkkPAHc7B
Enrollment expires at 2025-01-26T05:53:11.935Z
root@zhibei-virtual-machine:/opt/nginx/ziti# ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
New config http.intercept.v1 created with id: 2SCnr7azFSYMRmFfmsGpM9
root@zhibei-virtual-machine:/opt/nginx/ziti# ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"192.168.12.207", "port":8000}'
New config http.host.v1 created with id: 5qmwANe5BVDeNxI5NduYBs
root@zhibei-virtual-machine:/opt/nginx/ziti# ziti edge create service http.svc --configs http.intercept.v1,http.host.v1
New service http.svc created with id: 1G68kxApQxKCrERgaK0IQo
These are all my commands about creating the JSON files. Among other things, for the bind command I tried ziti edge create service-policy http.policy.bind Bind --service-roles '@http.svc' --identity-roles "@http-client", but it was useless.
Thanks for the extra details. That's really strange.
Is this a local install of OpenZiti or is it public? I'd like to look at the JWT if I could. It's a sensitive token, so if this is a public instance of OpenZiti you shouldn't share it here....
@ekoby is there anything in the screen cap that looks interesting? "json parse error: unexpected character" is certainly unexpected.
If you look at the file, does it appear intact?
You're trying to load the jwt from /tmp/http.server.jwt, but it is local to /opt/nginx/ziti, right?
The error is a bit misleading: because /tmp/http.server.jwt has two dots, it is trying to parse that string as a JWT. This happens after it does not find the file with that path.