Incorrect fingerprint/unenrolled router

Ziti Overlay
1

The data center lost my vps with a router. After restoring from their backup the controller does not accept the router. Why I have an incorrect fingerprint error?

May 08 06:59:48  ziti[122245]: {"file":"github.com/openziti/ziti/controller/handler_ctrl/connect.go:108","fp":"b092f8030c534041ad30aa2edac47b742fc66047","func":"github.com/openziti/ziti/controller/handler_ctrl.(*ConnectHandler).HandleConnection","givenFps":["d8d5bce7c7f2a734618cda7c843a3468f84ebe9f"],"level":"error","msg":"router fingerprint mismatch","routerId":"WIZxdWbqhW","time":"2025-05-08T06:59:48.307Z"}
May 08 06:59:48  ziti[122245]: {"_context":"tls:0.0.0.0:####","file":"github.com/openziti/channel/v3@v3.0.39/classic_listener.go:219","func":"github.com/openziti/channel/v3.(*classicListener).acceptConnection.func1","level":"error","msg":"connection handler error for [tls:router.address:####] (incorrect fingerprint/unenrolled router, routerId: WIZxdWbqhW, given fingerprints: [d8d5bce7c7f2a734618cda7c843a3468f84ebe9f])","time":"2025-05-08T06:59:48.307Z"}
2

The router probably renewed its certificate after the backup snapshot was created, so the old certificate was restored and is no longer recognized. You can re-enroll the router to obtain a new certificate.

Your options include:

  • restore a backup containing the latest certificate
  • re-enroll the router
  • replace the router

Assuming you don't have a backup containing the latest certificate, re-enrollment is the least intrusive option. It's an administrative action to obtain a new enrollment token for the existing router, so your policy grants will not be affected by re-enrollment, whereas replacing the router would affect authorizations if they specifically @mention the replaced router.

I seem to recall you were using the Linux router package. In that case, here's an overview of the steps to re-enroll.

  1. Obtain the new token with the ziti CLI or web console (ZAC)
  2. re-enroll the router

Linux router service re-enrollment example with new enrollment token saved in /tmp/router1.jwt.

sudo /opt/openziti/etc/router/bootstrap.bash <<EOF
ZITI_BOOTSTRAP_ENROLLMENT=force
ZITI_ENROLL_TOKEN=/tmp/router1.jwt
EOF