Letsencrypt certificates

Hi,

I have a domain name, example.com. I want to use *.lan.example.com to access services behind the Ziti overlay.

From the little research I've done on the docs and on this forum, it looks like I just need to provide the certificate and key in the controller config under web.identity, where I have the edge-client and edge-oidc bindings.

The controller config would look like:

web:
  - name: public-apis
    bindPoints:
      - interface: 0.0.0.0:1280
        address: <FQDN>:1280
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
      #alt_server_certs: <ADD CERT + KEY HERE  !!>
      #- server_cert: "" 
      #  server_key:  ""

    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-oidc
        options: { }
      - binding: edge-client
        options: { }

  - name: dark-apis
    bindPoints:
      - interface: 0.0.0.0:1280
        address: 127.0.0.1:1280
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"

    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      - binding: fabric
        options: { }
      - binding: zac
        options:
          location: /ziti-console
          indexFile: index.html

But I've also noticed the same commented-out config in the router config and at the top level of the controller config.

v: 3

identity:
  cert:             "router.cert"
  server_cert:      "/ziti-router/router.server.chain.cert"
  key:              "/ziti-router/router.key"
  ca:               "/ziti-router/router.cas"
  #alt_server_certs:
  #  - server_cert:  ""
  #    server_key:   ""

Do I need to configure these as well?

If you want to use alternate certs, make sure you set them up as 'alternate' and allow OpenZiti to maintain its own PKI still. For example my "zrok" environment uses a controller config like this:

identity:
  cert:        "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-intermediate/certs/ip-172-31-11-231-client.chain.pem"
  server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-intermediate/certs/ip-172-31-11-231-server.chain.pem"
  key:         "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/ip-172-31-11-231-intermediate/keys/ip-172-31-11-231-server.key"
  ca:          "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/pki/cas.pem"
  alt_server_certs:
    - server_cert:  "/data/docker/letsencrypt/live/zrok.clint.demo.openziti.org/fullchain.pem"
      server_key:   "/data/docker/letsencrypt/live/zrok.clint.demo.openziti.org/privkey.pem"

You can see I have Let's Encrypt certs, and you can find the controller at both:

It's vital that these addresses do not overlap...

As for the router, the alternate certs are only necessary if you want to enable BrowZer, OpenZiti's 'no client install' zero trust HTTP client. For that you will need to have a "web socket enabled" router with an "edge" binding using "wss":

  - binding: edge
    address: wss:0.0.0.0:8505
    options:
      advertise: wss.zrok.clint.demo.openziti.org:8505
      connectTimeoutMs: 5000
      getSessionTimeout: 60

If you aren't using BrowZer, it's not vital. OpenZiti will always use its internal PKI.

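The two checks a practitioner would want after wiring in alt_server_certs are (a) which certificate a client actually receives for a given SNI name, and (b) whether the internal PKI cert and the Let's Encrypt cert share any DNS names, which is the overlap the answer above warns about. The Go program below is an added example written for this thread, not OpenZiti or zrok code: it mints two throwaway self-signed certificates standing in for the internal PKI cert and for fullchain.pem, models the selection rule as "serve the alternate cert only when the SNI matches one of its SANs, otherwise fall back to the primary" (this rule is the example's own; the exact behaviour of alt_server_certs is whatever the OpenZiti docs specify), and then probes a loopback listener with several names the way `openssl s_client -servername <name> -connect <FQDN>:1280` would against a live controller. The hostnames ctrl.example.com, *.lan.example.com and ziti-controller.internal are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newServerCert mints a throwaway self-signed server certificate for the given
// DNS names. Constructed test data standing in for the controller's internal PKI
// cert and for a Let's Encrypt fullchain.pem/privkey.pem; not OpenZiti code.
func newServerCert(cn string, dnsNames ...string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// overlappingNames lists DNS SANs that two certificates both claim. If the internal
// PKI cert and the alternate cert share a name, SNI-based selection for that name
// is ambiguous, which is the overlap the thread says must not happen.
func overlappingNames(a, b *x509.Certificate) []string {
	seen := map[string]bool{}
	for _, n := range a.DNSNames {
		seen[n] = true
	}
	var shared []string
	for _, n := range b.DNSNames {
		if seen[n] {
			shared = append(shared, n)
		}
	}
	return shared
}

// serverConfig models the selection rule assumed by this example: serve an
// alternate cert only when the client's SNI matches one of its SANs (wildcards such
// as *.lan.example.com included), otherwise fall back to the primary PKI cert.
func serverConfig(primary tls.Certificate, alternates ...tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for i := range alternates {
				if alternates[i].Leaf.VerifyHostname(hello.ServerName) == nil {
					return &alternates[i], nil
				}
			}
			return &primary, nil
		},
	}
}

// selectedCN returns the CommonName of the cert the server would present for an SNI.
func selectedCN(cfg *tls.Config, sni string) string {
	c, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
	if err != nil {
		return ""
	}
	return c.Leaf.Subject.CommonName
}

// main runs real loopback handshakes, one per SNI name, mirroring what
// `openssl s_client -servername <name>` shows against a live controller.
func main() {
	internal := newServerCert("ziti-internal-pki", "ziti-controller.internal", "localhost")
	letsEncrypt := newServerCert("letsencrypt-alt", "ctrl.example.com", "*.lan.example.com")
	fmt.Println("overlapping SANs:", overlappingNames(internal.Leaf, letsEncrypt.Leaf))

	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverConfig(internal, letsEncrypt))
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	for _, sni := range []string{"ctrl.example.com", "svc.lan.example.com", "ziti-controller.internal", "localhost"} {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			ServerName:         sni,
			InsecureSkipVerify: true, // only inspecting which chain is presented, as s_client does
		})
		if err != nil {
			panic(err)
		}
		fmt.Printf("SNI %-26s -> %s\n", sni, conn.ConnectionState().PeerCertificates[0].Subject.CommonName)
		conn.Close()
	}
}
```

Run it with `go run .`; each name resolving to the expected CommonName and an empty overlap list is the result you want before pointing OpenZiti clients at the Let's Encrypt name. Against a real controller, the equivalent check is `openssl s_client -servername <FQDN> -connect <FQDN>:1280 </dev/null | openssl x509 -noout -issuer -ext subjectAltName` once with the public FQDN and once with the internal PKI address.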

So I just need to provide the alternate cert under web.identity where I have the edge-client and edge-oidc bindings, right?

Yes.

[I have to add more letters because Discourse requires 20 or more characters to make a response.. lol]


...or the web console (ZAC) that can be configured in the ziti controller.