Identities not enrolling correctly and coming online

Hi,

I've pulled down the docker compose quickstart again, as I've done previously, onto an Ubuntu VM and set it up there. I put in a DNS entry on the Windows host for the IP address of the Ubuntu VM and can log into the ZAC fine. However, when I create a new identity in the ZAC and download it to run on the Windows host using ZDEW, the identity does not load into it unless I stop and start the ZDEW - it then shows as online there, but in the ZAC itself it still shows as offline - this is happening with any identity I create - I'm using the latest ZAC also.

The output on the console keeps scrolling like this:

> ziti-controller-1                 | [ 521.916]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[remote error: tls: internal error] remote=[192.168.204.1:52703]} handshake failed
> ziti-controller-1                 | [ 522.467]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[192.168.204.1:52704] error=[remote error: tls: internal error]} handshake failed
> ziti-controller-1                 | [ 526.950]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[192.168.204.1:52705] error=[remote error: tls: internal error]} handshake failed
> ziti-controller-1                 | [ 527.504]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[192.168.204.1:52706] error=[remote error: tls: internal error]} handshake failed
> ziti-controller-1                 | [ 531.997]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[192.168.204.1:52707] error=[remote error: tls: internal error]} handshake failed
> ziti-controller-1                 | [ 532.538]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[192.168.204.1:52708] error=[remote error: tls: internal error]} handshake failed
> ziti-controller-1                 | [ 537.022]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[remote error: tls: internal error] remote=[192.168.204.1:52709]} handshake failed
> ziti-controller-1                 | [ 537.579]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[192.168.204.1:52710] error=[remote error: tls: internal error]} handshake failed
> ziti-controller-1                 | [ 542.056]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[remote error: tls: internal error] remote=[192.168.204.1:52711]} handshake failed
> ziti-controller-1                 | [ 542.599]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[192.168.204.1:52712] error=[remote error: tls: internal error]} handshake failed


I've deleted all identities and tried again and it's the same. I also set everything up from scratch and am still having the same issue.

I'm wondering, is there a problem with the latest version of the docker compose quickstart and ZDEW?

I'll give it a try locally and see if it happens for me. Just to confirm, are you using docker desktop for windows or are you running a different version of docker?

I'm wondering if the old environment is running or if the old state is somehow being stored.

I'm running docker on the Ubuntu VM and installed the network on that - I'm using the ZDEW on the Windows host machine - this has been the setup I always use.

I've set up a new VM to test it and it's the same on that - so no old configs etc.

I have verified on my side that the steps from the docs work for me - I ran everything locally using WSL.

This involved:

and then ensured my hosts file contained ziti-edge-controller and ziti-edge-router. I was able to use the ZAC, make an identity, enroll it and see a service show up.

Perhaps you can provide a full set of steps and I can see what you may be doing wrong? Is there any possibility of DPI (deep packet inspection) or some other proxy terminating TLS between your windows host and the VM? If that's the case, that would also explain the problem.

You can check this using openssl. I'll have to replicate the steps using powershell and openssl on windows though unless you have WSL and bash?

I have wsl so if you can send steps I can check

I'm using VMware Workstation for the Ubuntu VM though, as I always do... I will redo the steps and come back to you... thanks for checking.

run:

# point these at the controller's advertised edge address and port
ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=localhost
ZITI_CTRL_EDGE_ADVERTISED_PORT=1280

# fetch the controller's CA bundle (EST cacerts: base64-encoded PKCS#7) and convert it to PEM
curl -sk https://${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT}/.well-known/est/cacerts \
  | openssl base64 -d \
  | openssl pkcs7 -inform DER -outform PEM -print_certs -out /tmp/well.known.cacerts.pem

# verify the chain the controller presents against that bundle
openssl s_client \
  -connect ${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT} \
  -CAfile /tmp/well.known.cacerts.pem < /dev/null 2>&1 \
  | grep "Verify return code"

You should see a code of 0

Verify return code: 0 (ok)

Obviously, replace ZITI_CTRL_EDGE_ADVERTISED_ADDRESS and ZITI_CTRL_EDGE_ADVERTISED_PORT accordingly
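The following is an added example, not code from this thread or from the OpenZiti project. It scripts the cacerts-plus-s_client check from the reply above and turns the "Verify return code" line into a verdict, because the interesting outcome here is not only "0 (ok)" but what a non-zero code means for the question of TLS being terminated between the Windows host and the VM: codes 18 through 21 all say the presented chain does not lead to the CA the controller itself advertises, and the `issuer=` line that s_client prints then names whoever really answered. (For context, Go's crypto/tls reports a received alert as `remote error: tls: ...`, so the controller log lines above show the client at 192.168.204.1 aborting each handshake with an internal_error alert.) The script reuses the two variable names from the reply (`ZITI_CTRL_EDGE_ADVERTISED_ADDRESS`, `ZITI_CTRL_EDGE_ADVERTISED_PORT`); the function names and the one-word verdicts are this example's own, and nothing contacts the network unless the address variable is set.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenZiti project): wraps the
# curl + openssl check above and classifies the outcome. Function names and
# verdict strings are this example's own invention; the two ZITI_* variables
# are the ones the reply uses. Nothing below runs unless the address is set.

# Classify `openssl s_client` output (read from stdin) by its
# "Verify return code: N (...)" line, which s_client prints indented
# inside the SSL-Session block.
verify_verdict() {
    code=$(sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) (.*/\1/p' | head -n 1)
    case "$code" in
        "")          echo "no-handshake" ;;        # no TLS session at all: DNS, firewall, wrong port
        0)           echo "ok" ;;                  # chain validates against the controller's advertised CA
        18|19|20|21) echo "chain-mismatch" ;;      # chain is not from that CA: TLS terminated by something else
        *)           echo "verify-error-$code" ;;  # e.g. 10 = expired certificate (clock skew, stale PKI)
    esac
}

# Print the issuer of the certificate the server actually presented (same
# s_client output on stdin). On a chain-mismatch this names the terminator.
presented_issuer() {
    sed -n 's/^issuer=//p' | head -n 1
}

# Fetch the controller's advertised CA bundle (EST cacerts: base64 PKCS#7)
# and write it as PEM to $3. Fails if the endpoint cannot be reached.
fetch_cacerts() {   # $1=host $2=port $3=output PEM path
    curl -sfk "https://$1:$2/.well-known/est/cacerts" \
      | openssl base64 -d \
      | openssl pkcs7 -inform DER -outform PEM -print_certs -out "$3"
}

# Run the whole check, print "<verdict> <issuer>", return 0 only on "ok".
ziti_tls_check() {   # $1=host $2=port
    pem=$(mktemp) || return 1
    if ! fetch_cacerts "$1" "$2" "$pem"; then
        rm -f "$pem"
        echo "no-handshake (could not fetch /.well-known/est/cacerts)"
        return 1
    fi
    # -servername sends SNI so an intercepting proxy behaves as it would for ZDEW
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$pem" </dev/null 2>&1) || true
    rm -f "$pem"
    verdict=$(printf '%s\n' "$out" | verify_verdict)
    echo "$verdict $(printf '%s\n' "$out" | presented_issuer)"
    [ "$verdict" = "ok" ]
}

if [ -n "${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS:-}" ]; then
    ziti_tls_check "$ZITI_CTRL_EDGE_ADVERTISED_ADDRESS" "${ZITI_CTRL_EDGE_ADVERTISED_PORT:-1280}"
fi
```

Run it from WSL with the two variables exported exactly as in the reply. A result of `ok CN = ...` matches the "Verify return code: 0" expectation; `chain-mismatch` followed by an issuer that is not the quickstart's CA is the signature of something else (DPI, a proxy, a stale or different controller) answering on port 1280; `no-handshake` means the name or port never reached the controller at all, which is a DNS or firewall problem rather than a certificate one.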