Hello, everyone!
I have deployed Zrok and OpenZiti myself, but the certificates for OpenZiti have expired.
The default certificate expiration period for OpenZiti quickstart is 1 year. One day, my Zrok service suddenly stopped working properly, and I found that the OpenZiti certificate had expired. How should I update it?
Here’s the solution I’m currently attempting:
- Stop the Ziti service;
- Run source ziti-xxxx.env in the $ZITI_HOME directory;
- Run rm -rf $ZITI_HOME/pki && rm $ZITI_HOME/*-edge-router-*;
- Run source ziti-cli-functions.sh;
- Execute the following in Bash:
createPki
createControllerConfig
addRouter
- Restart ziti-controller and ziti-router.
At this point, both ziti-controller and ziti-router start normally, but the Zrok frontend still throws an error:
sdk-golang/edge-apis.errorIndicatesControllerSwap: {error=[Post "https://192.168.1.10:8441/edge/client/v1/authenticate?method=cert": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "dev-edge-controller-root-ca Root CA")]} checking for network error on type (*url.Error) and its wrapped errors
Hi @kc4271, welcome to the community and to OpenZiti. There are other forum posts about how to roll your certs, but I've had to do it myself recently and made myself a one-liner that illustrates the proper way of going about it. At the same time, it'll set you up for future releases by adding a spiffe-id to your server certs.
You don't want to use createPki; it won't work. You basically need to do two things:
- roll the cert for the topmost identity block for the controller, the 'control' plane
- roll the cert for the identity block lower in the config file, for the 'edge'
You do that using something like this:
Control Plane (first identity block)
ziti pki create server --dns your.dns.here --ip 129.80.202.129 --key-file free-vps-server --server-file ctrl.server.2025 --pki-root $ZITI_PKI --ca-name $ZITI_PKI_CTRL_INTERMEDIATE_NAME --spiffe-id spiffe://dovnet.personal/controller/ctrl1
Edge Plane (second identity block, around 70% down in the file)
ziti pki create server --dns your.dns.here --ip 129.80.202.129 --key-file 129.80.202.129-server --server-file ctrl.edge.server.2025 --pki-root $ZITI_PKI --ca-name $ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME --spiffe-id spiffe://dovnet.personal/controller/ctrl1
The result of these two commands will be chains. For example, from my example above (I was in my $ZITI_HOME folder when I ran this):
find . -name "*2025*chain*"
./pki/free-vps-intermediate/certs/ctrl.server.2025.chain.pem
./pki/free-vps-edge-controller-intermediate/certs/ctrl.edge.server.2025.chain.pem
After making the two certs, update your identity blocks. For example, I commented out my 'old' certs and added the new paths below (my controller config file is called free-vps.yaml):
grep server_cert free-vps.yaml -A3 -B3
identity:
  cert: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-intermediate/certs/free-vps-client.cert"
  server_cert: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-intermediate/certs/ctrl.server.2025.chain.pem"
  #server_cert: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-intermediate/certs/free-vps-server.chain.pem"
  key: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-intermediate/keys/free-vps-server.key"
  ca: "/home/opc/.ziti/quickstart/free-vps/pki/cas.pem"
  #alt_server_certs:
  #  - server_cert: ""
  #    server_key: ""
# Network Configuration
--
identity:
  ca: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-edge-controller-root-ca/certs/free-vps-edge-controller-root-ca.cert"
  key: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-edge-controller-intermediate/keys/129.80.202.129-server.key"
  server_cert: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-edge-controller-intermediate/certs/ctrl.edge.server.2025.chain.pem"
  #server_cert: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-edge-controller-intermediate/certs/129.80.202.129-server.chain.pem"
  cert: "/home/opc/.ziti/quickstart/free-vps/pki/free-vps-edge-controller-intermediate/certs/129.80.202.129-client.cert"
  #alt_server_certs:
  #  - server_cert: ""
  #    server_key: ""
# options - optional
I think that'll help, but let us know if it doesn't. Also, make sure you update to using the 'chains'. That's important nowadays too.
1 Like
Adding on to @TheLumberjack's comprehensive solution: you're using the OpenZiti quickstart for Linux (Host OpenZiti Anywhere | OpenZiti).
After you started using Ziti, we came out with some more long-term-oriented deployment guides, and there's a migration guide you can use to convert from the quickstart-based setup, assuming you'd like to preserve your identities and everything else that lives in the Ziti controller's database: Migrate a Controller Installation | OpenZiti
I'd be happy to answer any questions you have about switching to the Linux package or migrating to Docker or Kubernetes.
1 Like
Thank you for your reply. By carefully comparing your instructions, the specific implementation in ziti-cli-functions.sh, and the content of the official website "Renewing Leaf Certificates", I have rewritten the script for upgrading certificates. After executing the script and restarting the ziti service, zrok is performing normally. Thank you very much!
The script is as follows (only applicable to my own deployment):
After running source "$ZITI_HOME/$ZITI_CTRL_NAME.env":

export DNS_ALLOW_LIST="localhost,${ZITI_NETWORK}"
export IP_ALLOW_LIST="127.0.0.1,${ZITI_CTRL_EDGE_IP_OVERRIDE}"
export FILE_NAME_ROOT="${ZITI_CTRL_ADVERTISED_ADDRESS}"
export EDGE_FILE_NAME_ROOT="${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}"

# Control plane: new server cert and client cert under the control-plane intermediate.
# --expire-limit is in days (3650 = ten years); --allow-overwrite replaces the expired files in place.
ziti pki create server --pki-root="${ZITI_PKI}" --ca-name "${ZITI_PKI_CTRL_INTERMEDIATE_NAME}" \
  --server-file "${FILE_NAME_ROOT}-server" \
  --dns "${DNS_ALLOW_LIST}" --ip "${IP_ALLOW_LIST}" \
  --server-name "${FILE_NAME_ROOT} server certificate" --expire-limit 3650 --allow-overwrite
ziti pki create client --pki-root="${ZITI_PKI}" --ca-name "${ZITI_PKI_CTRL_INTERMEDIATE_NAME}" \
  --client-file "${FILE_NAME_ROOT}-client" \
  --key-file "${FILE_NAME_ROOT}-server" \
  --client-name "${FILE_NAME_ROOT}" --expire-limit 3650 --allow-overwrite

# Edge plane: the same two certs under the edge intermediate.
ziti pki create server --pki-root="${ZITI_PKI}" --ca-name "${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}" \
  --server-file "${EDGE_FILE_NAME_ROOT}-server" \
  --dns "${DNS_ALLOW_LIST}" --ip "${IP_ALLOW_LIST}" \
  --server-name "${EDGE_FILE_NAME_ROOT} server certificate" --expire-limit 3650 --allow-overwrite
ziti pki create client --pki-root="${ZITI_PKI}" --ca-name "${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}" \
  --client-file "${EDGE_FILE_NAME_ROOT}-client" \
  --key-file "${FILE_NAME_ROOT}-server" \
  --client-name "${EDGE_FILE_NAME_ROOT}" --expire-limit 3650 --allow-overwrite
Thank you for your support!
1 Like
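As an added example (not code from this thread or from the OpenZiti project), the Go program below does offline what the zrok frontend did when it produced the error in the first post: it verifies a controller's server_cert chain against the CA bundle an SDK client trusts, for the address the client dials. It covers both the chain advice in @TheLumberjack's reply and the renewal script above: a renewed leaf served together with its intermediate (what the *.chain.pem files give you) verifies, the same leaf served without its intermediate does not, and a leaf issued under a root recreated from scratch fails with "certificate signed by unknown authority", which is the situation the first post's rm -rf of the pki directory followed by createPki leaves an already-enrolled identity in. All certificates are constructed in memory with made-up CN values; the only value taken from the thread is the 192.168.1.10 address from the error message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// parseCerts returns every CERTIFICATE block in pemData in file order; a Ziti *.chain.pem holds the leaf first.
func parseCerts(pemData []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode(pemData); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// VerifyChain mirrors the check a Go SDK client performs on connect: the leaf (first cert in chainPEM) must
// chain to a root in caPEM through the remaining certs in chainPEM and be valid for host (DNS name or IP).
// A nil result means a client trusting caPEM will not report "certificate signed by unknown authority".
func VerifyChain(caPEM, chainPEM []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("trust bundle contains no certificates")
	}
	certs, err := parseCerts(chainPEM)
	if err != nil {
		return err
	}
	inters := x509.NewCertPool()
	for _, c := range certs[1:] {
		inters.AddCert(c)
	}
	_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// issue mints a throwaway P-256 cert for the demo, self-signed when parent is nil.
// Constructed test material only; real Ziti certs come from `ziti pki create`.
func issue(cn string, isCA bool, ips []net.IP, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0), // the quickstart's one-year default
		IsCA:         isCA, BasicConstraintsValid: true, IPAddresses: ips,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // one template serves CA and leaf
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// toPEM concatenates certificates the way a *.chain.pem does (leaf first, then intermediates).
func toPEM(cs ...*x509.Certificate) (out []byte) {
	for _, c := range cs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

func main() {
	ip := "192.168.1.10" // the controller address from the error in the first post
	root, rootKey := issue("edge-controller-root-ca", true, nil, nil, nil)
	inter, interKey := issue("edge-controller-intermediate", true, nil, root, rootKey)
	leaf, _ := issue("ctrl.edge.server.2025", false, []net.IP{net.ParseIP(ip)}, inter, interKey)
	newRoot, newRootKey := issue("edge-controller-root-ca", true, nil, nil, nil) // pki deleted, createPki rerun
	newLeaf, _ := issue("ctrl.edge.server.2025", false, []net.IP{net.ParseIP(ip)}, newRoot, newRootKey)
	trusted := toPEM(root) // what an already-enrolled zrok/SDK identity still trusts
	for name, chain := range map[string][]byte{
		"renewed leaf + intermediate":   toPEM(leaf, inter),
		"leaf without its intermediate": toPEM(leaf),
		"leaf under a recreated root":   toPEM(newLeaf, newRoot),
	} {
		fmt.Printf("%-30s -> %v\n", name, VerifyChain(trusted, chain, ip))
	}
}
```

To run the same check against a real deployment, replace the constructed material with os.ReadFile of the server_cert path from the identity block and of the CA bundle the client identity carries (for an enrolled Ziti identity JSON, the ca field), and pass the host or IP from the failing URL; a non-nil result before you restart the controller tells you which of the three situations you are in.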