Linux Ziti Tunneler Add Identity Failed

Tunneler Apps Ziti Edge Tunnel
1

Hello,
I followed the Docker Compose Quick Start guide and I currently have the network setup correctly it seems. From there, I wanted to evolve it with the Your First Service - Zero Trust Host Access guide that seems almost natural from it, as you already have everything set up.

I found myself stuck in adding an identity to the Ziti Tunneler, so pretty much at the start of it. Basically, I just start up Docker Compose, exec into the Controller, did ZitiLogin and create a .jws enrollment token with the suggested command:

ziti edge create identity user http-client -a 'http-clients' -o http.client.jwt

From this point, on my host machine, which it is Ubuntu, I downloaded the tunneler doing:

curl -sSLf https://get.openziti.io/tun/scripts/install-ubuntu.bash | bash
sudo systemctl enable --now ziti-edge-tunnel.service

At this point, I just needed to load the token created from the controller and typed the command (where that .jws file it is the one generated from the Controller):

sudo ziti-edge-tunnel add --jwt http.client.jwt --identity httpServerConnection

But I got this error:

failed to connect: -111/connection refused

I then tried to run the above command again while the tunner it is running, and got another type of error:

received response <{"Success":false,"Error":"config directory not set","Code":500}>

I tried looking into the web, but the only thing I found, was the OpenZiti troubleshooting section, which, indeed has also this exact error listed, and explained it could happend when running the tunneler both as root and not, something that I think I did. So as it suggested, I deleted the ".ziti" folder and tried again, but it seems to not have worked, but I don't know, maybe I have missed something.

This, seems a really "easy" issue, as it should not be related to all the Docker Compose running and the network created, if I understood it correctly. The tunneler it is another application, running on my host machine, the only link it is that token, which at this point, maybe that's the problem?

Just because it could help, I leave the output of the Tunneler running:

sudo ziti-edge-tunnel run
(502004)[        0.000]    INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=3/INFO
(502004)[        0.000]    INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting at (2024-05-28T21:57:53.360)
RTNETLINK answers: File exists
(502004)[        0.000]   ERROR ziti-edge-tunnel:utils.c:31 run_command_va() cmd{ip route add 100.64.0.0/10 dev ziti1} failed: 512/0/Success

(502004)[        0.000]    INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v0.22.29-local)
(502004)[        0.000]    INFO tunnel-cbs:ziti_dns.c:164 seed_dns() DNS configured with range 100.64.0.0 - 100.127.255.255 (4194302 ips)
(502004)[        0.000]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1642 make_socket_path() effective group set to 'ziti' (gid=998)
(502004)[        0.128]    INFO ziti-edge-tunnel:resolvers.c:68 init_libsystemd() Initializing libsystemd
(502004)[        0.138]    INFO ziti-edge-tunnel:resolvers.c:356 try_libsystemd_resolver() systemd-resolved selected as DNS resolver manager

Thank in advance to everyone.

2

Hi @Pentagon2442,

One thing that's not obvious some and easy for people to miss is this small note about "using docker locally" from the docs...

The docker compose quickstart will start you off with a full network, but it sort of expects you to be doing things "in the docker network" and when you move outside the docker network, well you need to make sure the docker hostnames are resolvable from outside that docker network. You could do that "the easy" way (and the way that's easiest to forget probably) by using your hosts file, or if you have a home DNS setup, you can add custom records to your name server.

My guess is that your tunneler, running outside docker, can't connect to the controller or edge router because ziti-edge-controller and ziti-edge-router aren't addresses that are set up yet.

I expect that's why you can't enroll your .jwt.

Can you double check that you read that section and it makes sense? I think that might be the issue.

3

Hey @TheLumberjack , I think you were on point. Thanks for the fast answer as always.
I tried within Docker Compose and I can ping the host names, I then tried from my local machine and I can ping their IP address, but not their hostname. I proceeded to add them to the hosts file on ubuntu after they could be resolved, great.

So I tried again, but no luck. I tried to stop the tunneler, also restart the service with:

sudo systemctl enable --now ziti-edge-tunnel.service

Try to add the token again, but same exact error. Maybe some other names need to be resolved for the token to be added? I just set the two suggested by you.

I also check the time, token expires the:

Enrollment expires at 2024-06-04T19:45:38.100Z

And the Controller date is:

Wed May 29 06:13:11 UTC 2024

So it should not be a problem of timing, I think either.

4

Could you try to enroll the token manually instead?

ziti-edge-tunnel help enroll
ziti-edge-tunnel enroll: enroll Ziti identity
usage: ziti-edge-tunnel enroll -j|--jwt <enrollment token> -i|--identity <identity> [-k|--key <private_key> [-c|--cert <certificate>]] [-n|--name <name>]

        -j|--jwt        enrollment token file
        -i|--identity   output identity file
        -k|--key        private key for enrollment
        -c|--cert       certificate for enrollment
        -n|--name       identity name

So you would:

  • stop your tunneler
  • ziti-edge-tunnel enroll \
    -j ./path/to/jwt \
    -i /opt/openziti/etc/identities/id.name.here.json

that should probably print out some information that's easier to understand and share here. There should also be some logging that points the the issue in the log if you could find it, but enrolling manually often spots the problem easier imo.

5

Thanks for the reply.

I did as suggested, together with a complete reboot of the Docker Compose, just in case. So with also new token and everything.

Following your suggestion seems to gave no error. Here it is the output:

openzitidockercompose@OpenZitiDockerCompose:~/Desktop$ sudo  ziti-edge-tunnel enroll -j http.client.jwt -i http_test_identity.json
(242193)[        0.000]    INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=3/INFO
(242193)[        0.000]    INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting at (2024-05-29T10:40:31.633)
(242193)[        0.000]    INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting enrollment at (2024-05-29T10:40:31.633)
openzitidockercompose@OpenZitiDockerCompose:~/Desktop$ ls
http.client.jwt  http_test_identity.json  OpenZiti

From here what to do? Can I simply run the tunneler or do I have to do something else in order to add the identity to the tunneler, before going on with the steps?

Thanks.

6

Well that's good. You now either need to move the json that was written into the identities directory and restart the tunneler, or you need to start the tunneler with a path to that Identity... It's easiest to just move the identity into the identities dir and restart the tunneler.

After that, try to access the service and if it fails, check the logs and post the logs here for me to review (if the issue isn't obvious)

7

From this point, I haven't received any errors, I have finished the listed bullet points in the guide, but it does not seems to work. Here some of the output, maybe I am missing something.

This is from main host, it does not resolve the name, maybe I need to add some more address to the hosts file? Currently I have only the Router and the Controller:

$ curl http.ziti
curl: (6) Could not resolve host: http.ziti

Output from the tunneler:

$ sudo  ziti-edge-tunnel run
(274440)[        0.000]    INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=3/INFO
(274440)[        0.000]    INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting at (2024-05-29T11:09:58.349)
RTNETLINK answers: File exists
(274440)[        0.000]   ERROR ziti-edge-tunnel:utils.c:31 run_command_va() cmd{ip route add 100.64.0.0/10 dev ziti1} failed: 512/0/Success

(274440)[        0.000]    INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v0.22.29-local)
(274440)[        0.000]    INFO tunnel-cbs:ziti_dns.c:164 seed_dns() DNS configured with range 100.64.0.0 - 100.127.255.255 (4194302 ips)
(274440)[        0.000]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1642 make_socket_path() effective group set to 'ziti' (gid=998)
(274440)[        0.037]    INFO ziti-edge-tunnel:resolvers.c:68 init_libsystemd() Initializing libsystemd
(274440)[        0.038]    INFO ziti-edge-tunnel:resolvers.c:356 try_libsystemd_resolver() systemd-resolved selected as DNS resolver manager

Commands given into the controller:

ziti@e2ab5d42f2f6:/persistent$ ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
New config http.intercept.v1 created with id: gf6I4PCqh3ujIXjjb4Ymw
ziti@e2ab5d42f2f6:/persistent$ ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"'"${web-test-blue}"'", "port":8000}'
New config http.host.v1 created with id: 1EfQ1Dnvb1BIP2UBzVOcVJ
ziti@e2ab5d42f2f6:/persistent$ #5. Create a service to associate the two configs created previously into a service.
ziti edge create service http.svc --configs http.intercept.v1,http.host.v1
New service http.svc created with id: 7NkXfYANG2wP2Qqt8LkaeF
ziti@e2ab5d42f2f6:/persistent$ #6. Create a service-policy to authorize "HTTP Clients" to "dial" the service representing the HTTP server.
ziti edge create service-policy http.policy.dial Dial --service-roles "@http.svc" --identity-roles '#http-clients'
New service policy http.policy.dial created with id: 7ST1scI0cQeTeg9UC93p9i
ziti@e2ab5d42f2f6:/persistent$ #7. Create a service-policy to authorize the "HTTP Server" to "bind" the service representing the HTTP server.
ziti edge create service-policy http.policy.bind Bind --service-roles '@http.svc' --identity-roles "@ziti-private-blue"
New service policy http.policy.bind created with id: 5RIn4yDnK7z0X2HOabpr1u

Some output from the main Docker Compose running terminal. The last successful 200 was from a Ziti Router inside Docker, just to ensure the server was still up and running (and it was):

ziti-private-blue-1               | [14485.078]    INFO ziti/tunnel/intercept.(*ServiceListener).HandleServicesChange: {service=[http.svc]} adding service
ziti-private-blue-1               | [14485.078]    INFO ziti/tunnel/intercept.(*ServiceListener).addService: {serviceName=[http.svc] serviceId=[7NkXfYANG2wP2Qqt8LkaeF]} Hosting newly available service
ziti-private-blue-1               | [14485.078]    INFO ziti/router/xgress_edge_tunnel.(*fabricProvider).establishTerminatorWithRetry.func1: {service=[http.svc]} attempting to establish terminator
ziti-controller-1                 | [14489.306]    INFO ziti/controller/handler_edge_ctrl.(*createTunnelTerminatorHandler).CreateTerminator: {serviceId=[7NkXfYANG2wP2Qqt8LkaeF] service=[http.svc] routerId=[ZvI0NtGbB] terminatorId=[3gbFBx8biGQblCyQ8EaiWH]} created terminator
ziti-controller-1                 | [14489.306]    INFO ziti/controller/handler_edge_ctrl.(*createTunnelTerminatorHandler).CreateTerminator: {routerId=[ZvI0NtGbB] terminatorId=[3gbFBx8biGQblCyQ8EaiWH] elapsedTime=[52.916901ms] serviceId=[7NkXfYANG2wP2Qqt8LkaeF] service=[http.svc]} completed create tunnel terminator operation
ziti-private-blue-1               | [14485.138]    INFO ziti/router/xgress_edge_tunnel.(*fabricProvider).HandleTunnelResponse: {sessionId=[clwrq3ulv0b690bqlpdqm6edl] routerId=[ZvI0NtGbB] terminatorId=[3gbFBx8biGQblCyQ8EaiWH]} received new session
ziti-private-blue-1               | [14485.138]    INFO ziti/router/xgress_edge_tunnel.(*fabricProvider).HandleTunnelResponse: {routerId=[ZvI0NtGbB] terminatorId=[3gbFBx8biGQblCyQ8EaiWH] createDuration=[61.417064ms]} received terminator created notification
ziti-controller-1                 | [14520.067]    INFO ziti/controller/network.(*RouterMessaging).sendTerminatorValidationRequest: {terminatorId=[3gbFBx8biGQblCyQ8EaiWH]} queuing validate of terminator
ziti-private-blue-1               | [14515.892]    INFO ziti/router/handler_ctrl.(*validateTerminatorsV2Handler).validateTerminators.func1 [ch{ctrl}->u{reconnecting}->i{QNVQ}]: {terminatorId=[3gbFBx8biGQblCyQ8EaiWH]} validating terminator
web-test-blue-1                   | [::ffff:192.168.96.5]:57512: response:200
8

Ok. we are getting closer. let's now check that your identity has the correct access by running policy-advisor. Can you run:

ziti edge policy-advisor identities -q

and share the output for your "http_test_identity" you made? Does it have "dial Y" privs and do you see "OKAY" for that identity?

If you see OKAY and dial=Y, then I admit I don't use the ziti-edge-tunnel for linux as my daily tunneler so I'm not as well-versed in fixing the DNS-related issues like this one, but let's probe the name server that is providing the DNS answers directly by using dig. By default, it should be on 100.64.0.2. So this should return an IP, but I'm sure it doesn't yet. But let's make sure it doesn't.

dig @100.64.0.2 http.ziti
9

Here it is the output from the controller:

$ ziti edge policy-advisor identities -q
ERROR: ziti-fabric-router-br 
  - Identity does not have access to any services. Adjust service policies.

ERROR: ziti-edge-router-wss 
  - Identity does not have access to any services. Adjust service policies.

ERROR: ziti-edge-router 
  - Identity does not have access to any services. Adjust service policies.

ERROR: http-server 
  - Identity does not have access to any services. Adjust service policies.

OKAY : ziti-private-blue (3) -> http.svc (5) Common Routers: (3/3) Dial: N Bind: Y 

ERROR: ziti-private-red 
  - Identity does not have access to any services. Adjust service policies.

OKAY : http-client (2) -> http.svc (5) Common Routers: (2/2) Dial: Y Bind: N 

ERROR: Default Admin 
  - Identity does not have access to any services. Adjust service policies.

The identity created should be the "http-client" one, which it does say OKAY and Dial:Y.

While this is the output of the Dig, not sure how to read it, never used that command:

$ dig @100.64.0.2 http.ziti

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @100.64.0.2 http.ziti
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 52087
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;http.ziti.			IN	A

;; Query time: 7 msec
;; SERVER: 100.64.0.2#53(100.64.0.2) (UDP)
;; WHEN: Wed May 29 18:20:53 CEST 2024
;; MSG SIZE  rcvd: 38
10

Ok. Looks like I'll need to see your tunneler's logs now. Can you capture the logs from the tunneler and send them to me? Maybe via email to clint @ openziti.org ?

We need to look through your tunneler to make sure that identity is active. It seems like it's not something isn't working for some reason. :frowning:

I'll poke another person or two to see if they have any thoughts too

11

Sure! How would you like me to capture the logs?

12

Just another thing, I am playing around with commands, I run this:

$ sudo  ziti-edge-tunnel tunnel_status
received response <{"Success":true,"Data":{"Active":true,"Duration":16027,"StartTime":"2024-05-29T16:33:24.376864Z","Identities":[],"IpInfo":{"Ip":"100.64.0.1","Subnet":"255.192.0.0","MTU":65535,"DNS":"100.64.0.2"},"LogLevel":"info","ServiceVersion":{"Version":"v0.22.29","Revision":"local","BuildDate":"Fri-04/26/2024-15:38:49-UTC"},"TunIpv4":"100.64.0.1","TunIpv4Mask":10,"AddDns":false,"ApiPageSize":25},"Code":0}

is it normal that no identity it is shown?

Moreover, if I do the dump of identities, I get the same error as when I initially created this post. I don't know, maybe that's the root cause? Maybe another wrong DNS that I have to manually dial in?

$ sudo  ziti-edge-tunnel dump
failed to connect: -111/connection refused

And here it is the debug mode of the tunneler, while I wait for instruction. This is the output produce when I try to curl http.ziti:

(622080)[      310.702]   DEBUG tunnel-sdk:tunnel_udp.c:269 recv_udp() intercepted address[udp:100.64.0.2:53] client[udp:100.64.0.1:54408] service[ziti:dns-resolver]
(622080)[      310.702]   DEBUG tunnel-cbs:ziti_dns.c:234 on_dns_client() new DNS client
(622080)[      310.702]   DEBUG tunnel-sdk:ziti_tunnel.c:221 ziti_tunneler_dial_completed() ziti dial succeeded: client[udp:100.64.0.1:54408] service[ziti:dns-resolver]
(622080)[      310.702]   DEBUG tunnel-sdk:ziti_tunnel.c:434 ziti_tunneler_close() closing connection: client[udp:100.64.0.1:54408] service[ziti:dns-resolver]
(622080)[      310.702]   DEBUG tunnel-sdk:tunnel_udp.c:126 tunneler_udp_close() closing src[udp:100.64.0.1:54408] dst[udp:100.64.0.2:53] service[ziti:dns-resolver]
(622080)[      310.703]   DEBUG tunnel-sdk:tunnel_udp.c:269 recv_udp() intercepted address[udp:100.64.0.2:53] client[udp:100.64.0.1:56339] service[ziti:dns-resolver]
(622080)[      310.703]   DEBUG tunnel-cbs:ziti_dns.c:234 on_dns_client() new DNS client
(622080)[      310.703]   DEBUG tunnel-sdk:ziti_tunnel.c:221 ziti_tunneler_dial_completed() ziti dial succeeded: client[udp:100.64.0.1:56339] service[ziti:dns-resolver]
(622080)[      310.703]   DEBUG tunnel-sdk:ziti_tunnel.c:434 ziti_tunneler_close() closing connection: client[udp:100.64.0.1:56339] service[ziti:dns-resolver]
(622080)[      310.703]   DEBUG tunnel-sdk:tunnel_udp.c:126 tunneler_udp_close() closing src[udp:100.64.0.1:56339] dst[udp:100.64.0.2:53] service[ziti:dns-resolver]
(622080)[      310.704]   DEBUG tunnel-sdk:tunnel_udp.c:269 recv_udp() intercepted address[udp:100.64.0.2:53] client[udp:100.64.0.1:58437] service[ziti:dns-resolver]
(622080)[      310.704]   DEBUG tunnel-cbs:ziti_dns.c:234 on_dns_client() new DNS client
(622080)[      310.704]   DEBUG tunnel-sdk:ziti_tunnel.c:221 ziti_tunneler_dial_completed() ziti dial succeeded: client[udp:100.64.0.1:58437] service[ziti:dns-resolver]
(622080)[      310.704]   DEBUG tunnel-sdk:ziti_tunnel.c:434 ziti_tunneler_close() closing connection: client[udp:100.64.0.1:58437] service[ziti:dns-resolver]
(622080)[      310.704]   DEBUG tunnel-sdk:tunnel_udp.c:126 tunneler_udp_close() closing src[udp:100.64.0.1:58437] dst[udp:100.64.0.2:53] service[ziti:dns-resolver]
(622080)[      310.704]   DEBUG tunnel-sdk:tunnel_udp.c:269 recv_udp() intercepted address[udp:100.64.0.2:53] client[udp:100.64.0.1:33475] service[ziti:dns-resolver]
(622080)[      310.704]   DEBUG tunnel-cbs:ziti_dns.c:234 on_dns_client() new DNS client
(622080)[      310.704]   DEBUG tunnel-sdk:ziti_tunnel.c:221 ziti_tunneler_dial_completed() ziti dial succeeded: client[udp:100.64.0.1:33475] service[ziti:dns-resolver]
(622080)[      310.704]   DEBUG tunnel-sdk:ziti_tunnel.c:434 ziti_tunneler_close() closing connection: client[udp:100.64.0.1:33475] service[ziti:dns-resolver]
(622080)[      310.704]   DEBUG tunnel-sdk:tunnel_udp.c:126 tunneler_udp_close() closing src[udp:100.64.0.1:33475] dst[udp:100.64.0.2:53] service[ziti:dns-resolver]
13

Hi,

Since you're running ziti-edge-tunnel as a systemd service, the logs will be in the systemd journal. So you can get the logs with journalctl:

journalctl -u ziti-edge-tunnel.service > zet.log 2>&1
14

Thanks for sending the logs that are emitted when you are attempting to connect to "http.ziti" with curl. Could you please send the complete logs from ziti-edge-tunnel (including the messages that are logged when it starts)?

15

There seems to be no log, some kind of privileges issue here?

$ more zet.log 
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal' can see all messages.
      Pass -q to turn off this notice.
-- No entries --
16

Here it is the output from the start:

$ sudo  ziti-edge-tunnel run
[sudo] password for openzitidockercompose: 
(662698)[        0.000]    INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=3/INFO
(662698)[        0.000]    INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting at (2024-05-29T17:10:54.481)
RTNETLINK answers: File exists
(662698)[        0.000]   ERROR ziti-edge-tunnel:utils.c:31 run_command_va() cmd{ip route add 100.64.0.0/10 dev ziti1} failed: 512/0/Success

(662698)[        0.000]    INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v0.22.29-local)
(662698)[        0.000]    INFO tunnel-cbs:ziti_dns.c:164 seed_dns() DNS configured with range 100.64.0.0 - 100.127.255.255 (4194302 ips)
(662698)[        0.000]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1642 make_socket_path() effective group set to 'ziti' (gid=998)
(662698)[        0.025]    INFO ziti-edge-tunnel:resolvers.c:68 init_libsystemd() Initializing libsystemd
(662698)[        0.025]    INFO ziti-edge-tunnel:resolvers.c:356 try_libsystemd_resolver() systemd-resolved selected as DNS resolver manager
(662698)[      169.795]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:662 on_cmd() received cmd <{"Command":"SetLogLevel","Data":{"Level":"DEBUG"}}
>
(662698)[      169.795]    INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=4/DEBUG
(662698)[      169.795]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:398 process_tunnel_commands() Log level is set to DEBUG
(662698)[      169.795]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:226 on_command_resp() resp[1,len=25] = {"Success":true,"Code":0}
(662698)[      169.795]   DEBUG ziti-edge-tunnel:instance-config.c:131 save_tunnel_status_to_file() Deleted backup config file /var/lib/ziti/config.json.backup
(662698)[      169.795]   DEBUG ziti-edge-tunnel:instance-config.c:134 save_tunnel_status_to_file() Copied config file to backup config file /var/lib/ziti/config.json.backup
(662698)[      169.795]   DEBUG ziti-edge-tunnel:instance-config.c:156 save_tunnel_status_to_file() Saved current tunnel status into Config file /var/lib/ziti/config.json
(662698)[      169.796]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:647 on_cmd() received from client - EOF. Closing connection.
(662698)[      169.796]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:659 on_cmd() IPC client connection closed, count: 0
(662698)[      179.448]   DEBUG tunnel-sdk:tunnel_udp.c:269 recv_udp() intercepted address[udp:100.64.0.2:53] client[udp:100.64.0.1:39951] service[ziti:dns-resolver]
(662698)[      179.448]   DEBUG tunnel-cbs:ziti_dns.c:234 on_dns_client() new DNS client
(662698)[      179.448]   DEBUG tunnel-sdk:ziti_tunnel.c:221 ziti_tunneler_dial_completed() ziti dial succeeded: client[udp:100.64.0.1:39951] service[ziti:dns-resolver]
(662698)[      179.448]   DEBUG tunnel-sdk:ziti_tunnel.c:434 ziti_tunneler_close() closing connection: client[udp:100.64.0.1:39951] service[ziti:dns-resolver]
(662698)[      179.448]   DEBUG tunnel-sdk:tunnel_udp.c:126 tunneler_udp_close() closing src[udp:100.64.0.1:39951] dst[udp:100.64.0.2:53] service[ziti:dns-resolver]
(662698)[      179.448]   DEBUG tunnel-sdk:tunnel_udp.c:269 recv_udp() intercepted address[udp:100.64.0.2:53] client[udp:100.64.0.1:39989] service[ziti:dns-resolver]
(662698)[      179.448]   DEBUG tunnel-cbs:ziti_dns.c:234 on_dns_client() new DNS client
(662698)[      179.448]   DEBUG tunnel-sdk:ziti_tunnel.c:221 ziti_tunneler_dial_completed() ziti dial succeeded: client[udp:100.64.0.1:39989] service[ziti:dns-resolver]
(662698)[      179.448]   DEBUG tunnel-sdk:ziti_tunnel.c:434 ziti_tunneler_close() closing connection: client[udp:100.64.0.1:39989] service[ziti:dns-resolver]
(662698)[      179.448]   DEBUG tunnel-sdk:tunnel_udp.c:126 tunneler_udp_close() closing src[udp:100.64.0.1:39989] dst[udp:100.64.0.2:53] service[ziti:dns-resolver]
(662698)[      179.461]   DEBUG tunnel-sdk:tunnel_udp.c:269 recv_udp() intercepted address[udp:100.64.0.2:53] client[udp:100.64.0.1:37746] service[ziti:dns-resolver]
(662698)[      179.461]   DEBUG tunnel-cbs:ziti_dns.c:234 on_dns_client() new DNS client
(662698)[      179.461]   DEBUG tunnel-sdk:ziti_tunnel.c:221 ziti_tunneler_dial_completed() ziti dial succeeded: client[udp:100.64.0.1:37746] service[ziti:dns-resolver]
(662698)[      179.461]   DEBUG tunnel-sdk:ziti_tunnel.c:434 ziti_tunneler_close() closing connection: client[udp:100.64.0.1:37746] service[ziti:dns-resolver]
(662698)[      179.461]   DEBUG tunnel-sdk:tunnel_udp.c:126 tunneler_udp_close() closing src[udp:100.64.0.1:37746] dst[udp:100.64.0.2:53] service[ziti:dns-resolver]
(662698)[      179.462]   DEBUG tunnel-sdk:tunnel_udp.c:269 recv_udp() intercepted address[udp:100.64.0.2:53] client[udp:100.64.0.1:50369] service[ziti:dns-resolver]
(662698)[      179.462]   DEBUG tunnel-cbs:ziti_dns.c:234 on_dns_client() new DNS client
(662698)[      179.462]   DEBUG tunnel-sdk:ziti_tunnel.c:221 ziti_tunneler_dial_completed() ziti dial succeeded: client[udp:100.64.0.1:50369] service[ziti:dns-resolver]
(662698)[      179.462]   DEBUG tunnel-sdk:ziti_tunnel.c:434 ziti_tunneler_close() closing connection: client[udp:100.64.0.1:50369] service[ziti:dns-resolver]
(662698)[      179.462]   DEBUG tunnel-sdk:tunnel_udp.c:126 tunneler_udp_close() closing src[udp:100.64.0.1:50369] dst[udp:100.64.0.2:53] service[ziti:dns-resolver]
17

Sorry, can you use sudo when running journalctl?

18

Sorry, my bad also.

openzitidockercompose@OpenZitiDockerCompose:~/Desktop$ sudo journalctl -u ziti-edge-tunnel.service > zet.log 2>&1
openzitidockercompose@OpenZitiDockerCompose:~/Desktop$ more zet.log 
mag 28 19:51:49 OpenZitiDockerCompose systemd[1]: Starting Ziti Edge Tunnel...
mag 28 19:51:49 OpenZitiDockerCompose ziti-edge-tunnel.sh[227499]: NOTICE: no new JWT files in /opt/openziti/etc/identities/*.jwt
mag 28 19:51:49 OpenZitiDockerCompose systemd[1]: Started Ziti Edge Tunnel.
mag 28 19:51:49 OpenZitiDockerCompose ziti-edge-tunnel[227510]: (227510)[        0.000]   ERROR ziti-edge-tunnel:instance-config.c:61 load_config_from_file() The
 config file No such file or directory cannot be opened due to /var/lib/ziti/config.json. This is normal if this is a new install or if the config file was remov
ed manually
mag 28 19:51:49 OpenZitiDockerCompose ziti-edge-tunnel[227510]: (227510)[        0.000]   ERROR ziti-edge-tunnel:instance-config.c:61 load_config_from_file() The
 config file No such file or directory cannot be opened due to /var/lib/ziti/config.json.backup. This is normal if this is a new install or if the config file wa
s removed manually
mag 28 19:51:49 OpenZitiDockerCompose ziti-edge-tunnel[227510]: (227510)[        0.000]    WARN ziti-edge-tunnel:instance-config.c:98 load_tunnel_status_from_fil
e() Config files /var/lib/ziti/config.json and the backup file cannot be read or they do not exist, will create a new config file or the old one will be overwrit
ten
mag 28 19:51:49 OpenZitiDockerCompose ziti-edge-tunnel[227510]: (227510)[        0.072]   ERROR ziti-edge-tunnel:instance-config.c:136 save_tunnel_status_to_file
() Could not copy config file [/var/lib/ziti/config.json] to backup config file, the config might not exists at the moment
mag 29 08:49:41 OpenZitiDockerCompose systemd[1]: Stopping Ziti Edge Tunnel...
mag 29 08:49:41 OpenZitiDockerCompose systemd[1]: ziti-edge-tunnel.service: Deactivated successfully.
mag 29 08:49:41 OpenZitiDockerCompose systemd[1]: Stopped Ziti Edge Tunnel.
mag 29 08:49:41 OpenZitiDockerCompose systemd[1]: ziti-edge-tunnel.service: Consumed 8min 46.219s CPU time.
-- Boot 3090a1a9ebbd40d28bd4cea138360b90 --
mag 29 08:51:45 OpenZitiDockerCompose systemd[1]: Starting Ziti Edge Tunnel...
mag 29 08:51:45 OpenZitiDockerCompose ziti-edge-tunnel.sh[785]: NOTICE: no new JWT files in /opt/openziti/etc/identities/*.jwt
mag 29 08:51:45 OpenZitiDockerCompose systemd[1]: Started Ziti Edge Tunnel.
mag 29 08:51:45 OpenZitiDockerCompose ziti-edge-tunnel[788]: (788)[        0.000]    INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=3/INFO
mag 29 08:51:45 OpenZitiDockerCompose ziti-edge-tunnel[788]: (788)[        0.000]    INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v0
.22.29-local)
mag 29 08:51:45 OpenZitiDockerCompose ziti-edge-tunnel[788]: (788)[        0.000]    INFO tunnel-cbs:ziti_dns.c:164 seed_dns() DNS configured with range 100.64.0
.0 - 100.127.255.255 (4194302 ips)
mag 29 08:51:45 OpenZitiDockerCompose ziti-edge-tunnel[788]: (788)[        0.000]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1716 run_tunneler_loop() Loading id
entity files from /opt/openziti/etc/identities
mag 29 08:51:45 OpenZitiDockerCompose ziti-edge-tunnel[788]: (788)[        0.000]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1642 make_socket_path() effective g
roup set to 'ziti' (gid=998)
mag 29 08:51:45 OpenZitiDockerCompose ziti-edge-tunnel[788]: (788)[        0.016]    INFO ziti-edge-tunnel:resolvers.c:68 init_libsystemd() Initializing libsyste
md
mag 29 08:51:45 OpenZitiDockerCompose ziti-edge-tunnel[788]: (788)[        0.016]    INFO ziti-edge-tunnel:resolvers.c:356 try_libsystemd_resolver() systemd-reso
lved selected as DNS resolver manager
19

Ok, are there any json files in /opt/openziti/etc/identities? It looks like there aren't any. The json files represent enrolled identities, and they tell ziti-edge-tunnel which controller to connect to for service configuration.

20

Here it is the content of the default path:

$ sudo cat /opt/openziti/etc/identities/http_test_identity.json
{
	"ztAPI":"https://ziti-edge-controller:1280",
	"id":{
		"cert":"-----BEGIN CERTIFICATE-----\nMIIDqDCCAZCgAwIBAgIDBnRYMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNVBAYTAlVT\nMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoTCk5ldEZvdW5kcnkxEDAOBgNV\nBAsTB0FEVi1ERVYxIjAgBgNVBAMTGXppdGktc2lnbmluZy1pbnRlcm1lZGlhdGUw\nHhcNMjQwNTI5MTEwMTA4WhcNMjUwNTI5MTEwMjA4WjBCMQswCQYDVQQGEwJVUzEL\nMAkGA1UECBMCTlkxETAPBgNVBAoTCE9wZW5aaXRpMRMwEQYDVQQDEwplTWJHMkFv\nUlFWMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvpt9Rtusrr0T5Y/ewuQLPO0q\npOlMY6osUzAEnlBK6/z24xnF4nitxktTtW8FWLbo8sY80+8d8bhbT4FG8eAy46NI\nMEYwDgYDVR0PAQH/BAQDAgSwMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQY\nMBaAFM84NzTQ9KojSgFXoSGKBQupgfoiMA0GCSqGSIb3DQEBCwUAA4ICAQAad3KL\n5QrK7ZEpf7OWUK1ljT5NJFjCGjvHhXYBl02vs3kSZmLa1avrF/o89qdsfFAiTVHg\nPLb3aYtjNnvnwoLtMkME3PKfkVIuH7zNp7EQIQN6vyLWrt2hhmR4xk4Mfzar/W2E\nmv8YE2rtajMZGhyjCosHIAgS1I1tWuxu1n/11s/eIv9z2U6WKIrqWyuIDJidxIpb\nOrnsvf+DQ1YSDDhfdbG76KbLtLLgbC/wKK+v9C5tyVVN1Ai+K3KMvb7zpkbEhvDn\nsDKKSDsWFjpp+bjbo/SBvqoV3Dyr1vtM1WYf371VGIqUISWyDcbSKsS8Me2VqyWv\nnWDOLUgfR9MfJb3Mchp7toOqWCun9vzKsP8tO4sSMakQf1PEbf52cFOUreDrmOmq\nwMbxv4tQWvc+2DCsCCrXwT9EjkEaht42JMZSOV3df3sm7tJMvt1hwIfzsU0jBkiU\nObnzQbg+hT+uN2qmuySaTXRyqv+ttm+mr8OEw/HiZahf5ch0kbVwMCFXhyeJEREb\nm/5FO9h1rc/KRnfFnwoTWgM9+yj3DC0CrHgoNx6DIBxL+XpeveB42pRGVG9OF9yf\ntBmS171QS3XjburvxV7Ivg4U/MNXWDwNo1pvv+TVJ9jmCfZaczZJk7O0JwWEnMpB\ngUEr46aq1Nej3bBtAX1ur+5jj8BrHeW2lekUrg==\n-----END CERTIFICATE-----\n",
		"key":"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFeod9p+p+TLXsdOCicdpvW/VLPJYuWonKCL5/Ihsjm4oAoGCCqGSM49\nAwEHoUQDQgAEvpt9Rtusrr0T5Y/ewuQLPO0qpOlMY6osUzAEnlBK6/z24xnF4nit\nxktTtW8FWLbo8sY80+8d8bhbT4FG8eAy4w==\n-----END EC PRIVATE KEY-----\n",
		"ca":"-----BEGIN CERTIFICATE-----\nMIIFzDCCA7SgAwIBAgIRAIdd7CGMcUquEl9ltBkFLAowDQYJKoZIhvcNAQELBQAw\nbzELMAkGA1UEBhMCVVMxEjAQBgNVBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0\nRm91bmRyeTEQMA4GA1UECxMHQURWLURFVjElMCMGA1UEAxMceml0aS1zaWduaW5n\nLXJvb3QtY2EgUm9vdCBDQTAeFw0yNDA1MjgxOTE0MTVaFw0zNDA1MjYxOTE1MTVa\nMG8xCzAJBgNVBAYTAlVTMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoTCk5l\ndEZvdW5kcnkxEDAOBgNVBAsTB0FEVi1ERVYxJTAjBgNVBAMTHHppdGktc2lnbmlu\nZy1yb290LWNhIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\nAQD44KR6XXzHXlWqdwEF5/S1r/3FkdtY4BHxC24jjjdd0csRqeNtskTEG7AeYnGq\nJtFt3oc+3psLQwy7j4kOgVhxzLQA7gaWHELbJH+DqJszuafaONZW8xiItkzh2Nod\nUubE26jV7iKC5yOe3yal780djcTCCtkA58aNfSU3Uuh/k/MSUyX94rYfCPSejJMv\n66/HQ34sEcigbo3Di7zrhIThWzuJxM0X1/SNp4P5R5Fas6+xsBMlm1BnLxGL2qkb\ntW98vlQdZuxa/gYeYqv4LlUCbWmIpkk31fsFRCwzJgzER4fXIkNESTp/ZBLTX/ih\nfjKJVvWCBV1cKXXBfEqfj2UTwgAWo9F79mpFDWMUChXKcdtktMdpjvyXnIyDZSkx\nxkANymuFj+WalhL6/eEt/IULOL6Fit6+LHprXeKssi2XDzpPEPs2d5fzKpG0Ekrv\nOgxzGOa+kggSdY6TUFSHse1ETss4GNBFy7x4quPv5EfChucWCd4Hf5bVH7n2Rh96\nVK+wfwnz0GmrbvrPSlOmz1hSOl1Dkm/r4fnvkXqQd1bTLmnnT6ib5po5M001khlg\nIYKkVIc2eSSMRK3xj2lKNi/D+CJQTNAkva41VMREn00iPou1mkQtfnMLCEoG0aD+\nSc4ELGHW5Xpaa/kOo8UtAvTdKgfDS0U192B83lAYnY8IhQIDAQABo2MwYTAOBgNV\nHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnHaVXUM/Pkfs\n+l1CyyIG1nQS2dAwHwYDVR0jBBgwFoAUnHaVXUM/Pkfs+l1CyyIG1nQS2dAwDQYJ\nKoZIhvcNAQELBQADggIBALPqCW5aeEq0aRQMwJJy1XIks+HIBHJFKOkKE5lhNndv\n0YNrd7BvU/EWdFnfIpPS3l2OE/SPK/RqBdE/W8/gvf3UY2WIF/nPBHyTzTEUsvij\n3+bC6cUjnK3nPhae4K0nuJ3mIZP9iwzJ6hQU8d+I0HibjDbWjtEakcxHu2Wo+XtD\nG6MLWsdnhjLKGRWFugyBMjBlRX9r0rOyHdNFA7I1yIuUpt/N+epLIQIwnKM5s7Qv\nqmaw90wtL8zGwX2mHYMbXAXD3Z2g6kgNeoibPe8XB1P3VEfB5OfuREH0EhCuBqMI\nYEgVzhQkoQ+y19ZkKdSWRl/pNVprPX7kYoTMy8WCeCwj4XZgHq5dv7p9zouscNlP\nr+wKp/i4n9wDjfNLemYYx9bxww5zLvxQBjIkW93HAByLUkcVXmINRXacAZQzsxLe\ntqu7/ToUWzz2HVFZ7dNZDwv2BtHQ3fEKCRk744MldVBrZ7y71e7s9xZahQVRl4FE\nwlhsVn6apSSPRC5z17FsHlurxcDbIGmE/DSEBw8AgBSTuU1KP1XPwm5uMmKf1+3V\nyKf6W+axB2ZWGL4lqihj3YRiylQGuC9XpXYiGDRwJZFBXag3gP/mm8Twi51rcoyA\n8WI8NDdmQ4vI/oU2/2/D3M6/SPKQ8bHIgtr/taIrneYhVzZWM1gLNNrLtr6mmKK2\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIF4zCCA8ugAwIBAgIRAOoD3WXoXPR5L8TYN8klR/MwDQYJKoZIhvcNAQELBQAw\ngYUxCzAJBgNVBAYTAlVTMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoTCk5l\ndEZvdW5kcnkxEDAOBgNVBAsTB0FEVi1ERVYxOzA5BgNVBAMMMnppdGktc2lnbmlu\nZy1pbnRlcm1lZGlhdGVfZ3JhbmRwYXJlbnRfaW50ZXJtZWRpYXRlMB4XDTI0MDUy\nODE5MTQzNVoXDTM0MDUyNjE5MTUyOFowbDELMAkGA1UEBhMCVVMxEjAQBgNVBAcT\nCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0Rm91bmRyeTEQMA4GA1UECxMHQURWLURF\nVjEiMCAGA1UEAxMZeml0aS1zaWduaW5nLWludGVybWVkaWF0ZTCCAiIwDQYJKoZI\nhvcNAQEBBQADggIPADCCAgoCggIBAMk00gErbtn9RxHswfIO1HPpB698DzVDdfD5\nEve8UEg/dbFeuaukocyonpV6vcwdWB4FHp7IXc6TuZm1rWshznZXReV/WXVI5FFM\nkbNNTRhTJUKOFJjSrDeD2bqOBjiEx9AG4Z2qCZJfBu3K+rWGxdxICGR8sS4+kQIp\npFq1f0SWnOWKnSKl7AvNHmTIB88IQ5X0RQLEBsalMpDOr9cVWw+Eh/J+AQw81YI5\nJ82S7Royjip3vUC+sf9uQEqhsn6/+BvAqUcTVLT7tDPlXsMB82YDBrv6H3HW3oG6\nZqkTnVg+TIG75OoTB3B3HnVt9UKvuKE1PJxiT+OkTOUQbjnWi/mO6gioVN01eN27\n9nnwEVwWi8mynmERsB2OxlQe6w2GSFdYpDfDb6bCg5OB9E+36oP1kMb2oOQc+Nwm\nCDrAvb6FMbbn7zXOqnqNT3RPGrX9+7dHHPG5czwmmmPvddQK0JeEb+X1tAPfrVZM\nYqRy8cq7pClcfidPBaH+9S1boqa7fiyTq61kqtyiCQkUygBCtcuLnNEPQrFcpdf7\nr0mWqBP9Lp1+GQhaj2yJFeRy4hk3dGXFgzRLc+/RaHBSNvOe1h+BNwQQGxV+EEsK\nBRE8letAINT7F8S2MSqC0kEjw3HKchIrtrkLZflbDIRqNcehpCEh84yVDcsuElQB\ntcX9dKFJAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/\nAgEBMB0GA1UdDgQWBBTPODc00PSqI0oBV6EhigULqYH6IjAfBgNVHSMEGDAWgBTZ\nnsM0JC70Vic5eDacof7XySHhDDANBgkqhkiG9w0BAQsFAAOCAgEADtGavb8f6U3P\nIaC2YWe+pp8U42wCJ2xW7SBeZbkPX88NM0qkWI1NbR5+bdvkAQY5vpi8s/FWwBTk\nidO9o2CQfcLzdc2Q0GLmpjNJ1UrUttnGULivDRLmfr/7Zdbed80Ej/BHLWeEeGEo\nIAX3n0uUGWz/i18QytN2R6RgeCKUsqTKf3i4Dtz+2R3aAyt5Rf7ROXdfMt8E/4Il\n7LQc/P3stuwqewEVX+Y15fm9aAJXnxpZxMgEpsNhmVQDS146Y9RxY0jEY1YeOiQl\nCmQA/9aS38f+LAPFOZnq7GBUyY2nZaJvuWfnJ1TZqKYK+fZal0o+I48ewssVdehq\nhOOIToWYsPiVIhDlLzIN8OMs3mYyGRpXws7rouB3bk0qxe2bF2vqtXxsdxPOtIRj\ndjWJBEe1Yp96CZ6AaLFc2YDr53DymisTG2oNqTTdy2TQCQFiTAzaH5M0JK7O0jGd\nqj/x9NnRkMDoALjgh00mNehvhqqW+a1jNov/Tb97Wq3lJ6HQhn3+LmXAkM8ieXM7\nQY9ClBuS4zACKnxSjHHi7tNkd3hXjGbD04eMx9pXGtC4ZbOp9rS1P/8rt5Rj5cbJ\nfHoQyhPdTX1edLmLA9i4+ZNGSe66Jx6meyx1FBhsPxpFvFp/d8ASEP3Fi3Mnm2Xk\nMD3jWqtGV4Rv9dfKxc3tMoJIjqs2H6g=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIF5jCCA86gAwIBAgIRALAhRzi0DI6IuNdgKr4s4+EwDQYJKoZIhvcNAQELBQAw\nbzELMAkGA1UEBhMCVVMxEjAQBgNVBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0\nRm91bmRyeTEQMA4GA1UECxMHQURWLURFVjElMCMGA1UEAxMceml0aS1zaWduaW5n\nLXJvb3QtY2EgUm9vdCBDQTAeFw0yNDA1MjgxOTE0MjhaFw0zNDA1MjYxOTE1MjVa\nMIGFMQswCQYDVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpO\nZXRGb3VuZHJ5MRAwDgYDVQQLEwdBRFYtREVWMTswOQYDVQQDDDJ6aXRpLXNpZ25p\nbmctaW50ZXJtZWRpYXRlX2dyYW5kcGFyZW50X2ludGVybWVkaWF0ZTCCAiIwDQYJ\nKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMY/38w/BldUtLffvFPZZ2WszMTAZkxV\nxdiqpC9JK1AQWIrNrx/6fXpSUaKWcbow8d3yZWf3hgAYkJvES64rKCRNJw3n3xA1\n50BM/tX/cGEsQhgQb2uB6m9es6z5i+Auc0vMPCeBZpDpHKR/AFFfkAV37fmaUD2L\nfngcFKlfSMPK7MWuX0O3DsRdIQiNJoifelAvyPe2uZcEP4Ikl0QNxdU8nXioLGld\n2il+8MhCWPCLPp/vDAO7fLKRkZMqQdYTJhsP1gA7YiG76WdnYzwKXCrrSPLydOP4\nMSdEjOPyYbnpgvT5XEp9asBYU2mGuMqByvcMowNIVKeOyn4Z4Ao2ZzAygvH/ywp4\nn3NhlUjzqmIW940eIcyB6XVtEE7MZZ11Eb9nxgFt2DOZgVkXHWjyxsgjsRjGeEql\nXxKrrXpHnBomcjytu3Xu6LbeQnsNcpVgJ0wLLXeDCLQ6bFi0s9mSdJyiIiU267Vf\n5QfdP7wlBZNBmGyDS5X3vXerHjzGRtz/ft22YdSYqipFEIgskcKExNeXR0rncrpB\nN2enP84mf72Bm6t8JGek7Xnq0uICxUs5etmIS6OG0lwS0WFHV7ANInI1uiEYPjwT\nmXwA2rkGB5PcGMnSUk6/ys78Xph5m79/UoBGmDaHVPWriEhdQvCjDSSXCa3TiR4S\ncCyPy0q9BjenAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAG\nAQH/AgECMB0GA1UdDgQWBBTZnsM0JC70Vic5eDacof7XySHhDDAfBgNVHSMEGDAW\ngBScdpVdQz8+R+z6XULLIgbWdBLZ0DANBgkqhkiG9w0BAQsFAAOCAgEAi0KzYek3\nBGHP8qyS22SpMxRHgvyX/cl1OWUeUr3tDn/bWAsYdHiHfVayllpV0QBE/CosFTb/\nTDQ/UA/7C//6JWufyr8fS3gAMQBq9kQE0oxVSeFyK+sgyprZabjbxtA7bq6c781i\nY2km+4qAZh6FBuVkQc6+2S3VNjWzfxxChig8HIWWDDMLwMd6NC+oE0DlNrkkuD8M\nKocSxG2y11cFZKeEClJawwATRs91him6Crread/8XHFacVmfo1WdFXxOsfnx+1Zh\n7w68pKo6BcK/+k9JdKg6G02fEznWOTX+G3ozx2lmz/xLIilAbdecQAHBXjSdpooq\n/GCrh6Oj+FEoEyyH3b8VWNio180Nt/eCnxNonHt+E8xIJ08auijDe2gSZ6mRrUgE\ng9nviRmaEPaCw2WasllQx6XgNLshtWdIvSRqBSuzEJUgpn8li5PvSrE+4VXvUm1b\nrX0B5MU2lwiWprSvENseqcIjMBMGs2tcP6cwu5EDAAj8sVaL6lDRIqaYp6cFoCyE\ngxWF9dD2wId2RrrkjTFkWqEf625L1Bcjw9mMdfTs/U+sBj64BSKnBIXPKwttYhn9\nP5Ui0V5b/GWh2O43xzrQf9Qc3GnnIyeSqr8t16jIC8kpWOV/ivcJO+yICKSBK/Ly\nmkJid5hktnWW/kpY0MIWNklExmZjGt+6Kx8=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIF0jCCA7qgAwIBAgIRAP6L3zMAeMKBOWaWYBCbKjwwDQYJKoZIhvcNAQELBQAw\ncjELMAkGA1UEBhMCVVMxEjAQBgNVBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0\nRm91bmRyeTEQMA4GA1UECxMHQURWLURFVjEoMCYGA1UEAxMfeml0aS1jb250cm9s\nbGVyLXJvb3QtY2EgUm9vdCBDQTAeFw0yNDA1MjgxOTE0MTBaFw0zNDA1MjYxOTE1\nMDlaMHIxCzAJBgNVBAYTAlVTMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoT\nCk5ldEZvdW5kcnkxEDAOBgNVBAsTB0FEVi1ERVYxKDAmBgNVBAMTH3ppdGktY29u\ndHJvbGxlci1yb290LWNhIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\nggIKAoICAQDhEJcKdwPQmk6UPfQNCad94IkVss4/qDbQm/HCSdasuBfkXdThOdIh\npKvUQKpZQyC4obo9GpBu2Jw2YjOu8g2i2eC3brfsLo5rCnK8L0M/ytN4ASktvKBS\nb7HsXP5uKAiIDJH0CFHWQw35BSz7JO3v3A0D7nKx2Iau/bctj/E1xGRLraW9i+m+\nGzVm/cjbcCg2WhnNS3KpXyG2pCqBUbl3bSvyhhIvwGxQLDQGsTuEWENVikGB0neK\nrNB9DzveA6zoS687wAb9ntbBqTZyzz0Df0XnuN3YZYlTvpJwnyKOlf0Ynpb4AB+J\nLr9/Lvpv3nJbdaV3a2vEkDaBIpT7OvDmk6GllUGBTrdT2bcuc8BMJAUAhNi243/j\nDD1wo1k2Kv9/U0XKJIL9eo4CNQXODwgA+MkNiPwuWd2mIq2JOxbhTlErStVFkEk2\nEM2DF4u8ajHdEktw1ZQx/81+EJvVKlHSF4dADRW6TkUaJorr5sCkgRaBPxp59Ciz\n0vp/e/4EVsd6f/smSbLj4i8EdgIpjQ8897Xv09HsXsBz5ddomk13ctKDgwRA246l\nuh5GtJnsRnzbmVUdtRFMxEHsGaMCoE5qPRvd2Fo7GmYee7ytikWfDtLcnwfgd0gk\nyTsQpnt8AG9DNnkIaSE9RQ+tRrWpLhycT3ItjGnRxxLWUcb8RvKO+wIDAQABo2Mw\nYTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUAB6r\nVxBxrWKUG1wVYXNv4djxKKUwHwYDVR0jBBgwFoAUAB6rVxBxrWKUG1wVYXNv4djx\nKKUwDQYJKoZIhvcNAQELBQADggIBAILWX7TGgIcBT6kGklt9ubwqbgwGv554ci/0\nY/WdFdmfB9XELQArB7SUDuqoE/qKHmOmt1YRgbgFLiypYiRoVdhKfqdZEGjxycvL\nQ2GQQrU/78iiSkLM/OAV9NxTU55plQ+nuR+ojFYvDjm6N4nMdi3C3npPKLpJKFYB\nWaX+nw5tsLKzit5FLRYbtzsQIJ4EL5my+49hiMwCw6t6pzKwTiMwtYFfaEE8C/v7\nWdUTTScuOh4YfB1bl3rTFeYzIqSCw5YA04c4fKQD634p4rw1jM9ree6ezXJliHX+\nPEZv+nVca8cW3CUbhvPXqGHWz2sQ/O00j4sLK26jiYqtUdU26oyv1Z0/3u8G4bfs\nmFUGpogGvfVWwomhWkwKP+0QqIR8u4XiD1CooUgV9Mr8rOkYoqXyO1LVp+Dx5sv7\nn/uHn6axTJA6TY1WPDdV9GXlYY+xmHgo/zklTPmtYGGM7Pv7y/O6uE/yMvy5nw3l\nBI6FU25XzdXgsnfcTA5pKAEEqR4N0acACS31r+KpnI8WwDrLTcMgOTYwwYuxyzAv\nrmIvCv10jSS9HuQRZxvl89Ef1Zi0U1z3/ZmA8sb8EUql9boTPzny+QnK5fkwI1aT\nMrAVa7IkGiudV9V5yp1k6UkClFh4J9u9x9jxAv1XFfHW7OSndE8qgzURxD4YLEM9\nu3NIuS5Z\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIF2zCCA8OgAwIBAgIQacZiKwtzEmTLfMyc6Zol3jANBgkqhkiG9w0BAQsFADB3\nMQswCQYDVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRG\nb3VuZHJ5MRAwDgYDVQQLEwdBRFYtREVWMS0wKwYDVQQDEyR6aXRpLWVkZ2UtY29u\ndHJvbGxlci1yb290LWNhIFJvb3QgQ0EwHhcNMjQwNTI4MTkxNDE1WhcNMzQwNTI2\nMTkxNTEwWjB3MQswCQYDVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYD\nVQQKEwpOZXRGb3VuZHJ5MRAwDgYDVQQLEwdBRFYtREVWMS0wKwYDVQQDEyR6aXRp\nLWVkZ2UtY29udHJvbGxlci1yb290LWNhIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQDxmX6wsNykhIXBl04Yqzz+nVf2QxksFkKhzszD5NR3\nRBDjev87HJmJZMrEppTtGj9G9fBTbIMuqRaRk67xTD4HvZmzPaOp5eVAQ4ediAcl\n+Dlpf5Ru2L9cR350ex2ZpgWeuTNm+djgGyWHJp6cCPqcFakHp0WsVi6ur4JIqG+i\n0X4fWi5ZFa4nWlXKJhOuEOnAzfxCWKmqjk8aNnNijnd7SvC9vxXH4ndbbLARxO3M\nBFcCYuw9tme2HeR5/aUoAbWTG9VRj8g9RBJnnrC46qQKnyonsA62Na7fZ2Hqscis\n3uBmeO9e+K1MLf4u+z00nq1R6ywaHyyJ+oWwBOhrfSXxiw8h/gs0L59dY3TAdZha\nZmI+imqMtTNWs/BZyov+jTwwD13HYkenSRzO1cWZL4oJ9Wl2RzPETw8YgRlxCH0A\nQMvwoeuXZC83Y4vUyTSvy5EoJMyyanCep+4L5owSul3Jk9NUeYIK1/2TsFTpi4Jk\n6ghR5s4jpupvUZhFlKUyXnugOA3wULffQ+EECSaem0zE7bhj6590wBeWqXMDCysv\nY83XJoq/LKRfiiZxMqcJeR+FfzwMZsc9UI4hRvgwFzitfLFgKIXYb+IA0NhjHp2S\nkSURoAqRQKm9pg63UHnmtv74A9Kz4lEFKxHqVT8ZX6uB5WTkm7luhFwHEa9S3tJS\nHQIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV\nHQ4EFgQU+bXHpV5fXWUSZ4LUosLijGDX12cwHwYDVR0jBBgwFoAU+bXHpV5fXWUS\nZ4LUosLijGDX12cwDQYJKoZIhvcNAQELBQADggIBAGc7v3Dgsp9SUppYLeW5nYqa\nazFoExmfVJh4uYQaNou60F99fnNSupoljabectMn/5OiAk86GVDwvsa7aeieTCwW\nSkhNaU8qpRYgeVfbta4oM2dogXUG74wRqthXZHvhOreGWIX8dFdmb3hLOqKiJW21\n/kNKv0Ufg0BBJInSTnGyQ4iXT74SH49UvnP/wuUBk/hpzFsFFSj9Evi/djqAjmr1\nYbB1LSTEMwYy0irGMkzQKNqryexMrW+BZPEdSof1pSChHXO6mC0q7qyuyuXOiqGi\n+UGRPuNLSnIV1NmFrBnG/8U7X7DRxS68l1n0hgdo4M/+sNk1bKDBEYy4IRsUnutj\nTbTgKPJXaRAu6wgxC5HlEbye18DJGiZ3tcu7/S+9Bel8Hqc+E17YgCGUxgXJ1VI4\nBcClWUX9RRYLIoKsgkJ1PvhGvJyOpsMrM+f3oUPHJuvB72u8CHna/547X1t3KkBL\nuaDdwr70+/81SFbE6hAtWMXvY23w5rjzjMwEiv3ac8Bqq0mPppd2Sv1JvEKda+lS\noQwjZcOdmp5rDEVmkt1pYKBamrtkcOGgcPzA3XtAkbkZvhLinFMcRMT+SKXtqK98\nH5X8Bff6LCOlUQIyYrUQo5k18eatIoEHCVEO+3NPQRotp76MHEEOIAo+0Py32X5d\npecAMVrOooG/VqVRQhdq\n-----END CERTIFICATE-----\n"
		}
	}