How to change SNI?

I am looking for guidance on the proper way to make Ziti use a new SNI hostname.

After updating the advertise hostname in the router configuration, the router fails to start. I modified the configuration as follows:

   listeners:
     - binding:          transport
       bind:             tls:0.0.0.0:port
-      advertise:        tls:hostname.domain.org:port
+      advertise:        tls:hostname_new.domain.org:port
       options:
         outQueueSize:   4
       groups:
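Review bot: the new `advertise:` value in this hunk is rejected at startup because the router identity's server certificate does not cover it; the fatal log below reports `identity is not valid for provided host: [hostname_new.domain.org]` and lists the cert as valid only for `127.0.0.1, ::1, localhost, hostname, hostname.domain.org`, so the certificate has to be reissued (re-enrolled) with the new name before this line can take effect. The log also shows the link listener advertise as `tls:hostname51.domain.org:port`, which does not match the `hostname_new` value written here; confirm the running config is the one shown in the diff.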
@@ -50,7 +50,7 @@ listeners:
   - binding: edge
     address: tls:0.0.0.0:port
     options:
-      advertise: hostname.domain.org:port
+      advertise: hostname_new.domain.org:port
       connectTimeoutMs: 5000
       getSessionTimeout: 60
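Review bot: this edge listener advertise fails the same identity check as the link listener (`invalid listeners.binding.advertise: hostname_new.domain.org:port` in the log), since both listeners present the same router identity certificate; there is no separate fix for this hunk beyond getting a certificate that includes `hostname_new.domain.org`. The value correctly keeps the no-`tls:` form used on the original line.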
Apr 09 19:28:03 hostname ziti[2483479]: {
"file":"github.com/openziti/ziti/router/env/config.go:925","func":"github.com/openziti/ziti/router/env.LoadConfigWithOptions",
"level":"fatal",
"msg":"one or more advertise addresses are invalid:
[invalid link.listeners.advertise: tls:hostname51.domain.org:port,
error: identity is not valid for provided host: [hostname_new.domain.org]. is valid for: [127.0.0.1, ::1, localhost, hostname, hostname.domain.org] invalid listeners.binding.advertise: hostname_new.domain.org:port,
error: identity is not valid for provided host: [hostname_new.domain.org]. is valid for: [127.0.0.1, ::1, localhost, hostname, hostname.domain.org]]",
"time":"2026-04-09T19:28:03.548Z"
}

I think you are looking for newAddress and newListener. See the Release 0.24.5 changelog entry and see if that's what you are looking for.

Thank you for the notes regarding updating the controller. In my case, however, the controller IP/DNS remains unchanged.

I only need to update the router’s SNI name, i.e. the DNS name used by Ziti fabric/clients when sending the TLS ClientHello. This is the router’s advertised DNS name.

Oh, I misunderstood. For a router, you would create a new server certificate valid for your new domain and update the advertised address accordingly.

I see now from your error that you have missed that first part. The certificate needs to be valid for new.domain.org and it's not.
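The check the router is failing is ordinary TLS hostname verification: the advertised name must appear in the identity certificate's subject alternative names. The following Go program is an added example, not code from the OpenZiti project or from anyone in this thread; it uses the standard library's crypto/x509 `VerifyHostname` rather than the router's own implementation, and it builds a constructed self-signed certificate whose SANs match the list in the error message above so it runs offline. Pointing `parseCertPEM` at the real server cert from a router identity gives the same pre-flight answer before a restart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// advertiseHost reduces an advertise value such as "tls:hostname.domain.org:port"
// to the bare host that TLS hostname verification is performed against.
func advertiseHost(advertise string) string {
	h := strings.TrimPrefix(advertise, "tls:")
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return h // no port present; use the value as-is
}

// parseCertPEM parses the first CERTIFICATE block of a PEM file, e.g. the
// server certificate inside the router's identity.
func parseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// validFor lists the names the certificate may be presented for, in the same
// order the router's error message uses: IP SANs, then DNS SANs.
func validFor(cert *x509.Certificate) []string {
	names := make([]string, 0, len(cert.IPAddresses)+len(cert.DNSNames))
	for _, ip := range cert.IPAddresses {
		names = append(names, ip.String())
	}
	return append(names, cert.DNSNames...)
}

// checkAdvertise runs crypto/x509 hostname verification for each advertise
// value; a nil error means the certificate covers that host.
func checkAdvertise(cert *x509.Certificate, advertises []string) map[string]error {
	results := make(map[string]error, len(advertises))
	for _, adv := range advertises {
		results[adv] = cert.VerifyHostname(advertiseHost(adv))
	}
	return results
}

// sampleCertPEM builds a constructed, self-signed certificate whose SANs are
// exactly the names listed in the thread's error message. It stands in for the
// router's current identity certificate (assumption: not a real Ziti cert).
func sampleCertPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "hostname"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{"localhost", "hostname", "hostname.domain.org"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := sampleCertPEM()
	if err != nil {
		panic(err)
	}
	cert, err := parseCertPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	// The old and new advertise values from the config diff in this thread.
	advertises := []string{"tls:hostname.domain.org:port", "hostname_new.domain.org:port"}
	fmt.Println("identity is valid for:", validFor(cert))
	for adv, verr := range checkAdvertise(cert, advertises) {
		if verr != nil {
			fmt.Printf("invalid advertise %s: %v\n", adv, verr)
		} else {
			fmt.Printf("ok advertise %s\n", adv)
		}
	}
}
```

The old advertise value verifies, the new one fails with the same "certificate is valid for ... not hostname_new.domain.org" message, and an IP form such as `tls:[::1]:port` is matched against the IP SANs only, which is why the router's list separates IPs from DNS names.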

Thank you. I must have missed this point entirely. Could you please point me to where I can read how to do this, any relevant documentation?

Since there are service policies in place, I would prefer to avoid recreating the router.

Do you mean I need to re-enroll the router?

ziti edge re-enroll edge-router <idOrName> -o <jwt_path>
ziti router enroll -j <jwt_path>

Does it preserve the ziti identity of the router?

I would expect re-enrolling it would work, yes. I would then stop the router, remove the router's PKI, update the router's config with the new SNI, then re-enroll the router. I think that'd work.

Many routers have a Ziti identity, as they operate as tunnels. I hope that running ziti edge re-enroll will be sufficient—would that be correct?

Yes. I expect it to work as you want.