Let's Encrypt on Controller

I have set up a controller using the quickstart and everything was going well until I attempted to switch over to Let’s Encrypt certificates. Generating the certs and all the other parts went fine; the issue I’m having is in following Using Public CA Certificates | OpenZiti. The controller comes up and works, but the ziti-router comes back with “bad certificate” being served on port 6262. Using the same cert on nginx works fine. Feels like I missed something :face_with_monocle:

The reason I need this is that I get an x509 error for the self-signed cert: I’m also running self-hosted zrok on another server (also working, except for the self-signed complaints), and when I go to share from my Mac I get the unknown authority cert errors hitting the controller on port 1280 (I also tried putting that behind nginx on 443 with the wildcard, but then the SDK didn’t recognize it).

Hi @lombardoja, welcome to OpenZiti and to the community!!! :stuck_out_tongue:

Port 6262 is the default port for the control plane of OpenZiti. The certificate delivered via that port will come from the identity.server_cert section of the config file. I think you’ll want that server_cert to remain the one deployed during the quickstart. Did you perhaps change that cert? You can probe the certificate using openssl: openssl s_client -connect ec2-3-134-108-218.us-east-2.compute.amazonaws.com:8440 </dev/null | openssl x509 -noout -text (that uses a controller of my own if you want to try it, or replace with your controller). That certificate will want to be from the PKI the quickstart established. I’d start there.

We’ve had a busy day of zrok today, and thanks for trying to stand up your own zrok instance; that’s exciting! I’m travelling tomorrow, but hopefully @qrkourier will see your post and fill in any gaps I have. I want to go through the same process as you, but I’ve not had a chance to do it myself yet.

As with most things, it’s probably some small configuration issue. I’m sure we’ll figure it out though.

Happy to see you in the community!

That was absolutely it! I mistakenly edited the identity instead of the web section :crazy_face:.


Now that this is working and ziti-router is good, it causes an issue in zrok for me. I opened a new thread in zrok: Zrok Controller certificate error when using public CAs on openziti controller