Incorrect fingerprint/unenrolled router

Rantanplan · May 8, 2025, 7:36am

The data center lost my vps with a router. After restoring from their backup the controller does not accept the router. Why I have an incorrect fingerprint error?

May 08 06:59:48  ziti[122245]: {"file":"github.com/openziti/ziti/controller/handler_ctrl/connect.go:108","fp":"b092f8030c534041ad30aa2edac47b742fc66047","func":"github.com/openziti/ziti/controller/handler_ctrl.(*ConnectHandler).HandleConnection","givenFps":["d8d5bce7c7f2a734618cda7c843a3468f84ebe9f"],"level":"error","msg":"router fingerprint mismatch","routerId":"WIZxdWbqhW","time":"2025-05-08T06:59:48.307Z"}
May 08 06:59:48  ziti[122245]: {"_context":"tls:0.0.0.0:####","file":"github.com/openziti/channel/v3@v3.0.39/classic_listener.go:219","func":"github.com/openziti/channel/v3.(*classicListener).acceptConnection.func1","level":"error","msg":"connection handler error for [tls:router.address:####] (incorrect fingerprint/unenrolled router, routerId: WIZxdWbqhW, given fingerprints: [d8d5bce7c7f2a734618cda7c843a3468f84ebe9f])","time":"2025-05-08T06:59:48.307Z"}

qrkourier · May 8, 2025, 4:06pm

The router probably renewed its certificate after the backup snapshot was created, so the old certificate was restored and is no longer recognized. You can re-enroll the router to obtain a new certificate.

Your options include:

restore a backup containing the latest certificate
re-enroll the router
replace the router

Assuming you don't have a backup containing the latest certificate, re-enrollment is the least intrusive option. It's an administrative action to obtain a new enrollment token for the existing router, so your policy grants will not be affected by re-enrollment, whereas replacing the router would affect authorizations if they specifically @mention the replaced router.

I seem to recall you were using the Linux router package. In that case, here's an overview of the steps to re-enroll.

Obtain the new token with the ziti CLI or web console (ZAC)
re-enroll the router

Linux router service re-enrollment example with new enrollment token saved in /tmp/router1.jwt.

sudo /opt/openziti/etc/router/bootstrap.bash <<EOF
ZITI_BOOTSTRAP_ENROLLMENT=force
ZITI_ENROLL_TOKEN=/tmp/router1.jwt
EOF

Topic		Replies	Views
Troubleshoot error - "invalid client certificate for api session" General Questions	40	523	November 12, 2022
-103/software caused connection abort Ziti Overlay	4	36	November 8, 2024
Handshake failed error	1	33	March 10, 2025
Problem connecting router to controller in Kubernetes - "server gave HTTP response to HTTPS client" Ziti Overlay	2	10	May 14, 2025
Problem with edge router after certificates update Support	4	243	June 18, 2023

Incorrect fingerprint/unenrolled router

Related topics