The JWT files generated via the ziti edge create command can be converted on the host machine using:
ziti-edge-tunnel enroll --jwt http.client.jwt --identity http.client.json
ziti-edge-tunnel enroll --jwt http.server.jwt --identity http.server.json
However, when transferring these JWT files to other machines, errors occur:
On Linux:
(22632)[ 0.000] INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=3/INFO
(22632)[ 0.000] INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version @(HEAD) starting at (2025-02-18T06:58:03.055)
(22632)[ 0.000] INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version @(HEAD) starting enrollment at (2025-02-18T06:58:03.055)
(22632)[ 0.000] ERROR ziti-sdk:ziti_enroll.c:234 enroll_cb() failed to enroll with controller: https://localhost.localdomain:1280 INVALID_ENROLLMENT_TOKEN (The supplied token is not valid)
(22632)[ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2221 enroll_cb() enrollment failed: INVALID_ENROLLMENT_TOKEN(-3)
On Windows:
[2025-02-18T06:34:04.936Z] INFO ziti-sdk:ziti_enroll.c:112 ziti_enroll() Ziti C SDK version 1.3.7 @g94225a3(HEAD) starting enrollment at (2025-02-18T06:34:04.936)
[2025-02-18T06:34:04.937Z] INFO ziti-sdk:ziti_ctrl.c:632 ziti_ctrl_init() ctrl[(null):] using https://localhost.localdomain:1280
[2025-02-18T06:34:04.937Z] INFO ziti-edge-tunnel:process_cmd.c:125 enroll_ziti_async() enrollment started. identity file will be written to: c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\http.client.json
[2025-02-18T06:34:04.979Z] INFO ziti-sdk:ziti_ctrl.c:632 ziti_ctrl_init() ctrl[(null):] using https://localhost.localdomain:1280
[2025-02-18T06:34:05.015Z] ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[localhost.localdomain:1280] API request[/enroll] failed code[INVALID_ENROLLMENT_TOKEN] message[The supplied token is not valid]
[2025-02-18T06:34:05.015Z] ERROR ziti-sdk:ziti_enroll.c:402 enroll_cb() failed to enroll with controller: https://localhost.localdomain:1280 INVALID_ENROLLMENT_TOKEN[The supplied token is not valid] reason[]
[2025-02-18T06:34:05.015Z] ERROR ziti-edge-tunnel:process_cmd.c:60 tunnel_enroll_cb() enrollment failed: JWT not accepted by controller(-3)
[2025-02-18T06:34:05.015Z] ERROR ziti-edge-tunnel:process_cmd.c:68 tunnel_enroll_cb() removing failed identity file: c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\http.client.json
The corresponding domains have been defined in the hosts file, so port 1280 is reachable through both the browser and curl. Although the Linux side cannot parse the corresponding JWT file, it can directly run the JSON file generated by the host machine and still achieve gateway functionality. On the Windows side, however, there are only options to parse a JWT or a URL. Attempting to enroll via URL results in the following error:
URL enrollment attempt on Windows:
[2025-02-18T06:41:43.969Z] INFO ziti-sdk:ziti_enroll.c:112 ziti_enroll() Ziti C SDK version 1.3.7 @g94225a3(HEAD) starting enrollment at (2025-02-18T06:41:43.969)
[2025-02-18T06:41:44.001Z] INFO ziti-sdk:ziti_ctrl.c:632 ziti_ctrl_init() ctrl[(null):] using https://192.168.11.184:1280
[2025-02-18T06:41:44.001Z] INFO ziti-edge-tunnel:process_cmd.c:125 enroll_ziti_async() enrollment started. identity file will be written to: c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\192.168.11.184_1280.json
[2025-02-18T06:41:44.030Z] ERROR tlsuv:engine.c:923 openssl: handshake was terminated: error:00000005:lib(0)::reason(5)
[2025-02-18T06:41:44.030Z] ERROR tlsuv:tls_link.c:113 TLS(000001e95fe12510) handshake error error:00000005:lib(0)::reason(5)
[2025-02-18T06:41:44.030Z] ERROR tlsuv:http.c:189 handshake failed status[3]: error:00000005:lib(0)::reason(5)
[2025-02-18T06:41:44.030Z] WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[192.168.11.184:1280] request failed: -4079(software caused connection abort)
[2025-02-18T06:41:44.030Z] WARN ziti-sdk:ziti_ctrl.c:342 internal_version_cb() ctrl[192.168.11.184:1280] CONTROLLER_UNAVAILABLE(software caused connection abort)
[2025-02-18T06:41:44.030Z] WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[192.168.11.184:1280] request failed: -4079(software caused connection abort)
[2025-02-18T06:41:44.030Z] INFO ziti-sdk:ziti_ctrl.c:187 ctrl_resp_cb() ctrl[192.168.11.184:1280] attempting to switch endpoint
[2025-02-18T06:41:44.030Z] WARN ziti-sdk:ziti_ctrl.c:605 ctrl_next_ep() ctrl[192.168.11.184:1280] no controllers are online
[2025-02-18T06:41:44.030Z] ERROR ziti-edge-tunnel:process_cmd.c:60 tunnel_enroll_cb() enrollment failed: unsupported enrollment method(-8)
[2025-02-18T06:41:44.030Z] ERROR ziti-edge-tunnel:process_cmd.c:68 tunnel_enroll_cb() removing failed identity file: c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\192.168.11.184_1280.json
Questions:
- Why do JWT files work on the host machine but fail on others with INVALID_ENROLLMENT_TOKEN?
- On Windows, why does URL enrollment fail with TLS handshake errors (error:00000005)?
- How can I resolve these issues to enroll identities on remote machines?
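A way to inspect an enrollment token before carrying it to another machine, as an added example that is not part of the original post and not OpenZiti's own tooling. It decodes the JWT without verifying the signature (only the controller needs to verify it) and reports the claims that decide whether `ziti-edge-tunnel enroll` can succeed: `iss` is the controller URL the tunneler will contact, so that hostname has to resolve and be reachable from the enrolling machine, not only from the controller host; `exp` is the expiry; `em` is the enrollment method, and `ott` is a one-time token, so a JWT that has already been used to enroll once is consumed and will be rejected afterwards. The sample claim values, the fixed reference time and the `make_sample_token` helper are constructed for this example; run the script with a real `.jwt` file as its first argument to inspect a token of your own.

```python
"""Inspect an OpenZiti enrollment JWT offline (example code, not OpenZiti's)."""
import base64
import json
import sys
import time
from urllib.parse import urlparse


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Split a compact JWT into (header, claims) WITHOUT checking the signature.
    Inspection only: never trust these claims for authorization decisions."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


# Loopback names are only meaningful on the controller host itself.
LOOPBACK_HOSTS = ("localhost", "localhost.localdomain", "127.0.0.1", "::1")
KNOWN_METHODS = ("ott", "ottca", "updb", "network")


def inspect_enrollment_token(token, now=None):
    """Report the claims that decide whether enrollment from this machine can work."""
    now = time.time() if now is None else now
    _, claims = decode_jwt_unverified(token)
    issuer = claims.get("iss", "")
    parsed = urlparse(issuer)
    exp = claims.get("exp")
    problems = []
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append("token expired")
    if not parsed.hostname:
        problems.append("iss is not a URL")
    elif parsed.hostname in LOOPBACK_HOSTS:
        problems.append(
            "iss host %r is a loopback name; every enrolling machine needs a hosts "
            "entry for it, or the controller must advertise a reachable address"
            % parsed.hostname)
    if claims.get("em") not in KNOWN_METHODS:
        problems.append("unknown enrollment method %r" % claims.get("em"))
    return {
        "issuer": issuer,
        "controller_host": parsed.hostname,
        "controller_port": parsed.port,
        "method": claims.get("em"),
        "jti": claims.get("jti"),
        "subject": claims.get("sub"),
        "seconds_left": None if exp is None else int(exp - now),
        "problems": problems,
    }


def make_sample_token(claims):
    """Build an UNSIGNED token in the same shape as a real one (constructed sample)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "not-a-real-signature",
    ])


SAMPLE_NOW = 1739859600  # fixed reference time so the sample run is deterministic
SAMPLE_CLAIMS = {          # constructed; mirrors the issuer seen in the logs above
    "iss": "https://localhost.localdomain:1280",
    "sub": "sample-identity-id",
    "exp": SAMPLE_NOW - 3600,   # already an hour past expiry
    "jti": "sample-token-id",
    "em": "ott",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = inspect_enrollment_token(fh.read())
    else:
        report = inspect_enrollment_token(make_sample_token(SAMPLE_CLAIMS), now=SAMPLE_NOW)
    print(json.dumps(report, indent=2))
```

An empty `problems` list does not guarantee enrollment will succeed: the controller still rejects a token whose `jti` it has already consumed or revoked, and that state is not visible in the JWT itself.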