Sorry Shawn, just one thing: what should I put instead of "site2.mydomain.eu" for the NVR and the client? Any fqdn is relevant? Should it exist in any DNS database?

Those fqdns in the intercept.v1 addresses can be any hostname at all that you want to access the service by. It doesn’t need to be a publicly resolvable hostname, but if the server that you’re connecting to at the other end is presenting a certificate then you’ll want to use a name that’s in the server certificate’s SAN list.

Well, I thought hat certificates were mandatory in Ziti, as explained in the Quickstart doc about integrated PKI.

They are. The tunnelers, edge routers, and controllers all trust each other mutually with their own certificates. This is basically what you’re doing when you enroll routers and identities.

Any certificates that your application uses or doesn’t use is none of our business. We just proxy data from one place to another. If that data happens to include a tls handshake then we are none the wiser. But if your app is using certificates, then you’ll want to access it with a hostname that checks out when the browser or whatever the client is tries to validate the certificate.

Ok, so when you was talking on certificates, you was not including the ones used for mTLS, correct?

Correct, I was not referring to the certificates in OpenZiti's integrated PKI.

I was just saying that if clients of your application/web server/nvr/etc verify a certificate that the server presents then you'll need to choose the intercept.v1 addresses accordingly, or else the browser, etc. will complain that the server you connected to doesn't have a valid certificate for the hostname that you used to connect to it. The certificate that I'm talking about here would be something that I'd think your company would install or assist customers with installing on the NVR itself.

Hello Team, good morning,

I'm feeling more comfortable with Ziti now and I can move forward with the tests. Thanks again for your help. Just have 2 questions about cli and ziti console login.

1. Is it possible to increase timeout value before disconnection for cli and web console ?
2. When I launch Web console, the routeur list is hidden, I see only login and password fields and when I click on login, I get "Unable to login to selected edge controller" message. Then I must enter router name and url. If I restart the ziti-console service, then I see the router list again and it's much easier. Is there a way to retain the router details or to always see the router list?

I think it's tied to sessions in general so you will affect it not only for CLI/Web Console but for all devices/identities everywhere. But, as long as you're using the session it should stay alive, so if you just make a request once in a while it will remain active. The setting should be in edge.api.sessionTimeout and defaults to 30m

As for your "bullet item #2" -- that seems like a terrible experience. Could you make a new discourse post on this topic? That seems like some kind of strange UI flow that's just not working out. Please detail what your steps to reproduce it are as well and I'm sure @rgalletto will see it...

Sure, I will do this.

@Eric Just curious, is your instance of ziti-console up to date with the latest changes? The issue highlighted in item #2 should hopefully have been resolved in the most recent build.

It's certainly possible though that it's still lingering somehow. If you are running the latest and still able to reproduce please let us know (with your reproduction steps) and we'll take a closer look. Thanks!

Hi Ryan,

I see that I don't use the last version of ziti-console. I tried to upgrade it by using some commands from the Quickstart guide but I failed to do it. Is there a procedure somewhere to explain the process?

Please tell us how it failed. Are the any errors or output that seems relevant? It's hard to help without context of how it failed

Hello Team,
To install last version of Ziti console, I did this:

• I renamed the folder ziti-console to ziti-console.old
• I created a new ziti-console folder and went into it"
• I launched git clone GitHub - openziti/ziti-console .
• npm install
• ng build ziti-console-lib : the I got many errors

I guess this is not a good process.

Hi @Eric,

Unfortunately "got many errors" doesn't give us any useful information to try to help you. Can you provide the errors/output you saw?

Are you sure you're using the minimum versions specified in the readme? You successfully installed it before, right?

Hi Clint,

Here is what happens:

eric@ziti:/opt/ziti$ mv ziti-console ziti-console.old
eric@ziti:/opt/ziti$ mkdir ziti-console
eric@ziti:/opt/ziti$ cd ziti-console

eric@ziti:/opt/ziti/ziti-console$ git clone GitHub - openziti/ziti-console .
Clonage dans '.'...
remote: Enumerating objects: 5243, done.
remote: Counting objects: 100% (2538/2538), done.
remote: Compressing objects: 100% (1041/1041), done.
remote: Total 5243 (delta 1689), reused 2170 (delta 1461), pack-reused 2705
Réception d'objets: 100% (5243/5243), 15.00 Mio | 23.63 Mio/s, fait.
Résolution des deltas: 100% (3212/3212), fait.
eric@ziti:/opt/ziti/ziti-console$

eric@ziti:/opt/ziti/ziti-console$ npm install
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated @babel/plugin-proposal-unicode-property-regex@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-unicode-property-regex instead.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated @babel/plugin-proposal-async-generator-functions@7.20.7: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-async-generator-functions instead.
npm WARN deprecated domexception@2.0.1: Use your platform's native DOMException instead
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated ng-click-outside@9.0.1: ng-click-outside is no longer maintained. See Deprecation of ng-sidebar, ng-click-outside, and ng-inline-svg · Issue #229 · arkon/ng-sidebar · GitHub
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See There’s Math.random(), and then there’s Math.random() · V8 for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see Request’s Past, Present and Future · Issue #3142 · request/request · GitHub
npm WARN deprecated @wessberg/ts-evaluator@0.0.27: this package has been renamed to ts-evaluator. Please install ts-evaluator instead

added 1318 packages, and audited 1582 packages in 1m

135 packages are looking for funding
run npm fund for details

6 moderate severity vulnerabilities

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run npm audit for details.
eric@ziti:/opt/ziti/ziti-console$

eric@ziti:/opt/ziti/ziti-console$ npm fund
io.netfoundry.zac@3.0.8
├── Sponsor @philsturgeon on GitHub Sponsors · GitHub
│ └── @apidevtools/json-schema-ref-parser@10.1.0
├── Sponsor @epoberezkin on GitHub Sponsors · GitHub
│ └── ajv@8.12.0
├─┬ GitHub - inikulin/parse5: HTML parsing/serialization toolset for Node.js. WHATWG HTML Living Standard (aka HTML5)-compliant.
│ │ └── parse5@7.1.2, parse5-html-rewriting-stream@7.0.0, parse5-sax-parser@7.0.0
│ └── GitHub - fb55/entities: encode & decode HTML & XML entities with ease & speed
│ └── entities@4.5.0
├── immer - Open Collective
│ └── immer@9.0.21
├── GitHub - chalk/ansi-styles: ANSI escape codes for styling strings in the terminal
│ └── ansi-styles@4.3.0
├── Sponsor @sindresorhus on GitHub Sponsors · GitHub
│ └── p-limit@2.3.0, p-map@4.0.0, defaults@1.0.4, make-dir@4.0.0, binary-extensions@2.3.0, globby@13.2.2, slash@4.0.0, open@8.4.2, is-docker@2.2.1, ora@5.4.1, cli-spinners@2.9.2, is-unicode-supported@0.1.0, log-symbols@4.1.0, import-fresh@3.3.0, parse-json@5.2.0, get-stream@6.0.1, is-stream@2.0.1, is-plain-obj@3.0.0, pretty-bytes@5.6.0, ansi-escapes@4.3.2, type-fest@0.21.3, figures@3.2.0, onetime@5.1.2, is-builtin-module@3.2.1, builtin-modules@3.3.0
├── Sponsor @feross on GitHub Sponsors · GitHub
│ └── safe-buffer@5.2.1, buffer@5.7.1, base64-js@1.5.1, ieee754@1.2.1, run-parallel@1.2.0, queue-microtask@1.2.3
├── GitHub - chalk/chalk: 🖍 Terminal string styling done right
│ └── chalk@4.1.2
├── Sponsor @sibiraj-s on GitHub Sponsors · GitHub
│ └── ci-info@4.0.0
├── Sponsor @isaacs on GitHub Sponsors · GitHub
│ └── glob@10.3.12, minimatch@9.0.4, path-scurry@1.10.2, minimatch@9.0.3, json-stringify-nice@1.1.4, promise-all-reject-late@1.0.1, promise-call-limit@1.0.2, rimraf@3.0.2
├── GitHub - chalk/supports-color: Detect whether a terminal supports color
│ └── supports-color@9.4.0, supports-color@8.1.1
├── Sponsor @ljharb on GitHub Sponsors · GitHub
│ └── is-core-module@2.13.1, function-bind@1.1.2, shell-quote@1.8.1, resolve@1.22.2, supports-preserve-symlinks-flag@1.0.0, qs@6.11.0, side-channel@1.0.6, call-bind@1.0.7, define-data-property@1.1.4, gopd@1.0.1, has-property-descriptors@1.0.2, get-intrinsic@1.2.4, has-proto@1.0.3, has-symbols@1.0.3, object-inspect@1.13.1, minimist@1.2.8
├── https://opencollective.com/babel
│ └── @babel/core@7.23.2
├─┬ PostCSS and Autoprefixer - Open Collective
│ │ └── autoprefixer@10.4.14, postcss@8.4.31
│ ├── Browserslist - Open Collective
│ │ └── caniuse-lite@1.0.30001605, browserslist@4.23.0, update-browserslist-db@1.0.13
│ └── Sponsor @rawify on GitHub Sponsors · GitHub
│ └── fraction.js@4.3.7
├── Paul Miller — Funding and donations
│ └── chokidar@3.5.3
├── https://opencollective.com/webpack
│ └── copy-webpack-plugin@11.0.0, css-loader@6.8.1, less-loader@11.1.0, mini-css-extract-plugin@2.7.6, postcss-loader@7.3.3, sass-loader@13.3.2, source-map-loader@4.0.1, webpack@5.88.2, schema-utils@3.3.0, terser-webpack-plugin@5.3.10, webpack-dev-middleware@6.1.2, webpack-dev-server@4.15.1, webpack-dev-middleware@5.3.4, schema-utils@4.2.0
├── Sponsor @jonschlinkert on GitHub Sponsors · GitHub
│ └── picomatch@2.3.1
├── GitHub - vitejs/vite: Next generation frontend tooling. It's fast!
│ └── vite@4.5.2
├── https://opencollective.com/core-js
│ └── core-js-compat@3.36.1
├── GitHub - sindresorhus/find-cache-dir: Finds the common standard cache directory
│ └── find-cache-dir@3.3.2
├─┬ Sponsor @fb55 on GitHub Sponsors · GitHub
│ │ └── css-select@5.1.0, css-what@6.1.0, domelementtype@2.3.0
│ ├── GitHub - fb55/domutils: Utilities for working with htmlparser2's DOM
│ │ └── domutils@3.1.0
│ └── GitHub - fb55/nth-check: Parses and compiles CSS nth-checks to highly optimized functions.
│ └── nth-check@2.1.1
├── GitHub - cheeriojs/dom-serializer: render dom nodes
│ └── dom-serializer@2.0.0
├── GitHub - fb55/domhandler: Handler for htmlparser2, to get a DOM
│ └── domhandler@5.0.3
├── GitHub - fb55/htmlparser2: The fast & forgiving HTML and XML parser
│ └── htmlparser2@8.0.2
├── GitHub - wessberg/ts-evaluator: An interpreter for Typescript that can evaluate an arbitrary Node within a Typescript AST
│ └── @wessberg/ts-evaluator@0.0.27
├── Sponsor @mesqueeb on GitHub Sponsors · GitHub
│ └── copy-anything@2.0.6
├── Sponsor @gjtorikian on GitHub Sponsors · GitHub
│ └── isbinaryfile@4.0.10
└── UAParser.js - Open Collective
└── ua-parser-js@0.7.37

eric@ziti:/opt/ziti/ziti-console$

eric@ziti:/opt/ziti/ziti-console$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit No fix available for request@*
npm WARN audit Updating @angular/cli to 16.2.13, which is outside your stated dependency range.
npm WARN audit Updating @angular-devkit/build-angular to 17.3.3, which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @angular-devkit/build-angular@17.3.3
npm WARN Found: @angular/compiler-cli@16.2.12
npm WARN node_modules/@angular/compiler-cli
npm WARN peer @angular/compiler-cli@"^16.0.0 || ^16.2.0-next.0" from ng-packagr@16.2.3
npm WARN node_modules/ng-packagr
npm WARN dev ng-packagr@"^16.0.0" from the root project
npm WARN 1 more (the root project)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @angular/compiler-cli@"^17.0.0" from @angular-devkit/build-angular@17.3.3
npm WARN node_modules/@angular-devkit/build-angular
npm WARN dev @angular-devkit/build-angular@"17.3.3" from the root project
npm WARN
npm WARN Conflicting peer dependency: @angular/compiler-cli@17.3.3
npm WARN node_modules/@angular/compiler-cli
npm WARN peer @angular/compiler-cli@"^17.0.0" from @angular-devkit/build-angular@17.3.3
npm WARN node_modules/@angular-devkit/build-angular
npm WARN dev @angular-devkit/build-angular@"17.3.3" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN ERESOLVE overriding peer dependency
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @angular-devkit/build-angular@17.3.3
npm WARN Found: ng-packagr@16.2.3
npm WARN node_modules/ng-packagr
npm WARN dev ng-packagr@"^16.0.0" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peerOptional ng-packagr@"^17.0.0" from @angular-devkit/build-angular@17.3.3
npm WARN node_modules/@angular-devkit/build-angular
npm WARN dev @angular-devkit/build-angular@"17.3.3" from the root project
npm WARN
npm WARN Conflicting peer dependency: ng-packagr@17.3.0
npm WARN node_modules/ng-packagr
npm WARN peerOptional ng-packagr@"^17.0.0" from @angular-devkit/build-angular@17.3.3
npm WARN node_modules/@angular-devkit/build-angular
npm WARN dev @angular-devkit/build-angular@"17.3.3" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @angular-devkit/build-angular@17.3.3
npm WARN Found: typescript@5.0.4
npm WARN node_modules/typescript
npm WARN peer typescript@">=5.2 <5.5" from @ngtools/webpack@17.3.3
npm WARN node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack
npm WARN @ngtools/webpack@"17.3.3" from @angular-devkit/build-angular@17.3.3
npm WARN node_modules/@angular-devkit/build-angular
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer typescript@">=5.2 <5.5" from @angular-devkit/build-angular@17.3.3
npm WARN node_modules/@angular-devkit/build-angular
npm WARN dev @angular-devkit/build-angular@"17.3.3" from the root project
npm WARN
npm WARN Conflicting peer dependency: typescript@5.4.4
npm WARN node_modules/typescript
npm WARN peer typescript@">=5.2 <5.5" from @angular-devkit/build-angular@17.3.3
npm WARN node_modules/@angular-devkit/build-angular
npm WARN dev @angular-devkit/build-angular@"17.3.3" from the root project

added 31 packages, removed 76 packages, changed 54 packages, and audited 1539 packages in 14s

134 packages are looking for funding
run npm fund for details

npm audit report

request *
Severity: moderate
Server-Side Request Forgery in Request - Server-Side Request Forgery in Request · CVE-2023-28155 · GitHub Advisory Database · GitHub
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - tough-cookie Prototype Pollution vulnerability · CVE-2023-26136 · GitHub Advisory Database · GitHub
No fix available
node_modules/tough-cookie

undici 6.0.0 - 6.11.0
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect · CVE-2024-30261 · GitHub Advisory Database · GitHub
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline · CVE-2024-30260 · GitHub Advisory Database · GitHub
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@16.2.13, which is a breaking change
node_modules/undici
@angular-devkit/build-angular 17.1.0-next.0 - 18.0.0-next.1
Depends on vulnerable versions of undici
Depends on vulnerable versions of vite
node_modules/@angular-devkit/build-angular

vite 5.1.0 - 5.1.6
Severity: moderate
Vite's server.fs.deny did not deny requests for patterns with directories. - Vite's `server.fs.deny` did not deny requests for patterns with directories. · CVE-2024-31207 · GitHub Advisory Database · GitHub
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@16.2.13, which is a breaking change
node_modules/vite

5 vulnerabilities (1 low, 4 moderate)

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
eric@ziti:/opt/ziti/ziti-console$

eric@ziti:/opt/ziti/ziti-console$ ng build ziti-console-lib
? Would you like to share pseudonymous usage data about this project with the Angular Team
at Google under Google's Privacy Policy at https://policies.google.com/privacy. For more
details and how to change this setting, see Angular. No
Global setting: not set
Local setting: disabled
Effective status: disabled
Building Angular Package

Building entry point '@openziti/ziti-console-lib'

Compiling with Angular sources in Ivy partial compilation mode.
Generating FESM bundles
Copying assets
Writing package manifest
Built @openziti/ziti-console-lib

Built Angular Package

• from: /opt/ziti/ziti-console/projects/ziti-console-lib
• to: /opt/ziti/ziti-console/dist/ziti-console-lib

Build at: 2024-04-05T04:13:07.849Z - Time: 31052ms

eric@ziti:/opt/ziti/ziti-console$

eric@ziti:/opt/ziti/ziti-console$ ng build ziti-console-node
This version of CLI is only compatible with Angular versions ^17.0.0,
but Angular version 16.2.12 was found instead.
Please visit the link below to find instructions on how to update Angular.
https://update.angular.io/
eric@ziti:/opt/ziti/ziti-console$

The first time, I tried without the command npm audit fix --force but it failed too.

This version of CLI is only compatible with Angular versions ^17.0.0,
but Angular version 16.2.12 was found instead.

It looks like your version of the angular CLI may not be compatible.

@Eric If you run the commands below it should install the correct version:

npm uninstall -g @angular/cli
npm cache clean
npm install -g @angular/cli@16

Then try running the build steps again

Here is the result:

eric@ziti:/opt/ziti/ziti-console$ ng build ziti-console-lib
Node packages may not be installed. Try installing with 'npm install'.
Error: Could not find the '@angular-devkit/build-angular:ng-packagr' builder's node package.
eric@ziti:/opt/ziti/ziti-console$

I went back to previous version, can you tell me which steps I should follow to upgrade?

So looking at your previous stack trace it looks like it installed dependencies for the angular 17 cli. You'll need to be sure you're running angular 16 cli first by running the commands from above:

npm uninstall -g @angular/cli
npm cache clean
npm install -g @angular/cli@16

Once you've confirmed you're running angular 16, you'll need to delete your /node_modules folder which is at the root of the ziti-console project.

Then you should be able to start from the begging with the installation steps:

npm install

ng build ziti-console-lib
ng build ziti-console
ng build ziti-console-node

node server.js

Well, it's working now. I have moved to 3.0.8 version and the issue I was facing is solved, thanks!

I do not understand everything but it works! One thing is surprising me: in your last post, you put the command "ng build ziti-console". I don't see it in the Ziti Admin Console doc page on your Web site.