Hi all,
I’m seeing issues when running zrok share public on a self-hosted Ziti + Zrok setup.
Setup:
- Zrok router: Let’s Encrypt SSL
- Zrok controller: self-signed certs (added to client CA store)
- Ziti CLI: 1.0.7, Zrok CLI: 1.1.13
- zrok enable xyz works, registration appears in Zrok UI, policy shows in Ziti UI
Observed errors:
Ziti CLI 1.0.7:
[0.489] DEBUG sdk-golang/ziti.(*ContextImpl).connectEdgeRouter: {router=[router6]} connection to edge router using api session token df25ed25-ef07-4a7c-b814-bb2cf5d1cc8b
[0.489] DEBUG channel/v4.(*classicDialer).CreateWithHeaders [tls:ziti-router.mydomain.com:443]: started
[0.489] DEBUG channel/v4.(*classicDialer).CreateWithHeaders [tls:ziti-router.mydomain.com:443]: Attempting to dial with bind:
[0.500] DEBUG channel/v4.(*classicDialer).CreateWithHeaders [tls:ziti-router.mydomain.com:443]: exited
[0.500] ERROR sdk-golang/ziti.(*ContextImpl).connectEdgeRouter: {router=[router6]} tls: failed to verify certificate: x509: certificate signed by unknown authority
[0.500] DEBUG sdk-golang/ziti.(*listenerManager).handleRouterConnectResult: {routerUrl=[tls:ziti-router.mydomain.com:443] router=[router6] serviceName=[8hhefkgqzsci] listenerCount=[0]} handling router connect result, success? false
→ seems like router SSL not trusted
Zrok CLI 1.1.13:
[0.643] DEBUG sdk-golang/edge-apis.errorIndicatesControllerSwap: {error=[[GET /controllers][401] listControllersUnauthorized &{Error:0xc000eea9c0 Meta:0xc000ec6880}]} checking for network errror on type (*controllers.ListControllersUnauthorized) and its wrapped errors
[0.643] DEBUG sdk-golang/edge-apis.(*ClientTransportPoolRandom).TryTransportForF: {error=[[GET /controllers][401] listControllersUnauthorized &{Error:0xc000eea9c0 Meta:0xc000ec6880}]} determined that error (*controllers.ListControllersUnauthorized) does not indicate controller swap, returning error
[0.643] ERROR sdk-golang/edge-apis.(*BaseClient[...]).ProcessControllers: {error=[[GET /controllers][401] listControllersUnauthorized &{Error:0xc000eea9c0 Meta:0xc000ec6880}]} error listing controllers, continuing with 1 default configured controller
[0.643] DEBUG sdk-golang/ziti.(*ContextImpl).refreshServices: refreshing services
[0.648] DEBUG sdk-golang/edge-apis.errorIndicatesControllerSwap: {error=[[GET /services][401] listServicesUnauthorized &{Error:0xc000eeacc0 Meta:0xc000ec6980}]} checking for network errror on type (*service.ListServicesUnauthorized) and its wrapped errors
[0.648] DEBUG sdk-golang/edge-apis.(*ClientTransportPoolRandom).TryTransportForF: {error=[[GET /services][401] listServicesUnauthorized &{Error:0xc000eeacc0 Meta:0xc000ec6980}]} determined that error (*service.ListServicesUnauthorized) does not indicate controller swap, returning error [ERROR]: unable to create proxy backend (error listening: failed to listen: no apiSession, authentication attempt failed: error for request sMG7XBE.Xq: UNAUTHORIZED: The request could not be completed. The session is not authorized or the credentials are invalid, caused by: error for request : UNHANDLED: UNAUTHORIZED: The request could not be completed. The session is not authorized or the credentials are invalid)
→ seems like controller authentication fails
Notes:
- On the client machine, both router and controller certs are trusted.
- Behavior differs between CLIs: router vs. controller trust issue.
Has anyone encountered this with self-hosted Ziti + Zrok? Could this be a cert chain issue or an API session problem?
Thanks!
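The "x509: certificate signed by unknown authority" error in the router log above comes from Go's crypto/x509 chain verification, which the sdk-golang client uses. The program below is an added example (not code from the original post, nor from the Ziti or Zrok projects) that reproduces the two ways that exact error is produced and distinguishes them from a hostname mismatch. It builds a constructed root -> intermediate -> leaf chain for the hostname ziti-router.mydomain.com taken from the log; the CA names, serial numbers and lifetimes are made up for the demonstration, and the verification logic is generic Go, not the Ziti SDK's own code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf chain in DER form,
// standing in for what a TLS server such as an edge router would present.
type Chain struct {
	RootDER, IntermediateDER, LeafDER []byte
}

// sign issues tmpl signed by parent/parentKey; a nil parent yields a self-signed cert.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) ([]byte, error) {
	if parent == nil {
		parent = tmpl
	}
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
}

// BuildChain constructs a throwaway root CA, an intermediate CA and a server leaf for host.
// Names, serials and validity are arbitrary test values (assumption, not real infrastructure).
func BuildChain(host string) (*Chain, error) {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootDER, err := sign(caTmpl(1, "example-root"), nil, rootKey, &rootKey.PublicKey)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	interKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	interDER, err := sign(caTmpl(2, "example-intermediate"), rootCert, rootKey, &interKey.PublicKey)
	if err != nil {
		return nil, err
	}
	interCert, err := x509.ParseCertificate(interDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := sign(leafTmpl, interCert, interKey, &leafKey.PublicKey)
	if err != nil {
		return nil, err
	}
	return &Chain{RootDER: rootDER, IntermediateDER: interDER, LeafDER: leafDER}, nil
}

// PoolOf builds a trust store from DER certificates, modelling the client's CA store.
func PoolOf(ders ...[]byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		pool.AddCert(c)
	}
	return pool, nil
}

// VerifyServerChain does what a TLS client does with a server's handshake: the leaf is
// verified against the client's roots, using only the intermediates the server presented.
func VerifyServerChain(leafDER []byte, presented [][]byte, roots *x509.CertPool, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	inters, err := PoolOf(presented...)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	host := "ziti-router.mydomain.com"
	ch, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	trusted, _ := PoolOf(ch.RootDER)
	full := [][]byte{ch.IntermediateDER}
	fmt.Println("root missing from client store:", VerifyServerChain(ch.LeafDER, full, x509.NewCertPool(), host))
	fmt.Println("server omits intermediate:     ", VerifyServerChain(ch.LeafDER, nil, trusted, host))
	fmt.Println("full chain, root trusted:      ", VerifyServerChain(ch.LeafDER, full, trusted, host))
	fmt.Println("wrong hostname:                ", VerifyServerChain(ch.LeafDER, full, trusted, "other.example"))
}
```

The second case is the one worth checking on the router: if the server sends only its leaf and the client store holds just the issuing root, Go reports the same "unknown authority" text as it does for a root that was never installed. The hostname case is kept to show that a trusted chain with the wrong SAN fails with a distinct error type, so the message in the log points at trust, not at the name.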