I'm new to OpenZiti, and I'm trying to get it running on my application. My setup includes two computers: an Ubuntu machine (where I plan to run the overlay network and the HTTP server) and a Windows machine using WSL, which will act as the client.
I followed the "Local - No Docker" guide to set up the overlay network on the Ubuntu machine, and that part went smoothly. Then, I moved on to the "Your First Service" guide. I successfully completed up to step 8, where I started the server-side tunneler with the HTTP server identity to provide access to the HTTP server.
However, when I reached step 9, I copied the http.client.jwt file to the Windows machine with the intention of enrolling the HTTP client from there. Unfortunately, I'm encountering an issue where the enrollment fails with the error "Controller_Unavailable", as below:
~/ziti$ ziti-edge-tunnel enroll --jwt http.client.jwt --identity http.client.json
(65604)[ 0.000] INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=3/INFO
(65604)[ 0.000] INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 1.0.7 @g9fa5162(HEAD) starting at (2024-08-14T15:55:45.946)
(65604)[ 0.000] INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 1.0.7 @g9fa5162(HEAD) starting enrollment at (2024-08-14T15:55:45.947)
(65604)[ 0.000] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[aaltosea-Latitude-7390] request failed: -3001(temporary failure)
(65604)[ 0.000] ERROR ziti-sdk:ziti_enroll.c:222 well_known_certs_cb() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:139 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
(65604)[ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2228 enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
I'd really appreciate any help or guidance on how to resolve this issue. Thanks in advance!
Hi @nvc97, welcome to the community and to OpenZiti!
What likely has happened is that your ubuntu machine's hostname is not resolvable on your home network... At the end of the day, all the OpenZiti components need to be able to connect to the controller and there's a config file entry in the controller specifying the address to connect to. It's going to be set to the ubuntu machine's 'hostname' right now, and Windows can't resolve it.
When you start an OpenZiti overlay, you really do want to know the 'advertised' address of the controller. The address that other clients and routers will use to connect to the controller. It's not spelled out with big bold letters on that page (it will be when we redo the docs later this year) but the quickstart will use your machine's hostname by default for this value with the expectation that your hostnames are all resolvable on a home network. That's not always the case though.
I think your ubuntu server hostname -- which seems to be aaltosea-Latitude-7390 -- is not addressable from the windows machine. This leads the enrollment to fail.
Now "fixing" this -- there are many ways to fix it...
take the easy (and arguably 'wrong') way out and add a hosts file entry for your controller to your windows machine. I do this all the time personally, but it's exceptionally easy to forget you added a hosts file entry
redo the quickstart and follow Host OpenZiti Anywhere (which covers 'all local' fwiw) and make sure you set the ZITI_CTRL_EDGE_ADVERTISED_ADDRESS and ZITI_ROUTER_ADVERTISED_ADDRESS fields to something that is routable/addressable on your home network.
find your home network's DNS server and add an entry for your controller there. works great, but if your hostname changes you'll possibly forget you ever did this
set up your home network so that a hostname ends up being resolved to an ip address
there are probably even MORE ways to do this I didn't list
If you're just looking for "fast and easy" -- add a hosts file entry on the windows box pointing the hostname to the IP of the ubuntu machine... All the other methods are "better" arguably longer term but are possibly more complex.
This is also true for the router! So make sure your router is "advertising" the proper host/fqdn to connect to...
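An added pre-enrollment check, written for this thread and not part of OpenZiti or the tunneler: it reads the controller address out of the enrollment JWT's `iss` claim and tests whether the client machine can resolve that hostname, which is exactly what fails above. It assumes the JWT's `iss` claim holds the controller URL (as OpenZiti enrollment tokens do) and that `getent` is available on the client.

```shell
#!/bin/sh
# Added diagnostic for the "CONTROLLER_UNAVAILABLE" enrollment failure.
# Assumption: the enrollment JWT's "iss" claim is the controller URL
# (e.g. https://<advertised-address>:1280), and getent is installed.

# Decode the base64url payload (second dot-separated segment) of a JWT.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
    # base64url strips '=' padding; restore it before decoding
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print only the host part of the issuer URL (https://host:port -> host).
jwt_issuer_host() {
    jwt_payload "$1" | sed -n 's/.*"iss" *: *"https\{0,1\}:\/\/\([^:\/"]*\).*/\1/p'
}

# Exit 0 if this machine can resolve the name (DNS or hosts file), else 1.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Usage: check_enroll_jwt http.client.jwt
check_enroll_jwt() {
    host=$(jwt_issuer_host "$(cat "$1")")
    if [ -z "$host" ]; then
        echo "could not read an issuer URL from $1"
        return 2
    fi
    if host_resolves "$host"; then
        echo "controller host '$host' resolves here; enrollment should reach it"
    else
        echo "controller host '$host' does NOT resolve on this machine:"
        echo "add a hosts/DNS entry for it, or re-run the quickstart with"
        echo "ZITI_CTRL_EDGE_ADVERTISED_ADDRESS set to a routable name"
        return 1
    fi
}
```

Run it on the client before `ziti-edge-tunnel enroll`; a non-zero exit means the controller's advertised address is the problem, not the JWT itself.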