I am trying to set up a local OpenZiti stack using Docker Compose on a VM. My goal is to use it within my local home network. I am facing persistent connection issues where the Windows client enrolls successfully but fails to connect to the edge router. I am using the simplified docker compose from the quickstart guide that deploys a controller, one edge router and the admin console. The stack is deployed on an Ubuntu VM. Right now I am trying to get it running in the same subnet/VLAN, but so far I have had no luck.
The Issue: After a fresh docker compose down -v and up -d, I can create an identity and enroll it on the Windows PC. However:
The identity never shows "Connected" to the edge router in the ZAC Visualizer and is offline.
I cannot access the hosted service.
Browser Check: I can reach https://ziti.vorcakhome.casa:1280 via Chrome on the Client PC (I get the JSON response after accepting the untrusted self-signed certificate warning).
Ziti Desktop Logs: Show repeated invalid_grant and UNAUTHORIZED errors.
What I have tried so far:
Full reset of the stack (down -v).
Verified Timezone sync (Host, Containers, Client are all matching).
Manually installed the Controller's Root CA into the Windows Trusted Root Store.
Verified Policies: Created an Edge Router Policy allowing #all endpoints to #all routers.
Verified Router configuration: Advertised address is set to the FQDN (tls:ziti.vorcakhome.casa:3022), not localhost.
I am including logs from Ziti Desktop Edge where I started it for 10 seconds (so the file is not too big). I am also including the docker compose I am using and the .env file. Sadly I don't have complete access to my server right now, but I will try all the things on the weekend when I get home. I could theoretically get logs from Docker which were generated when I was trying to get it running. Thank you for your help in advance. openziti_troubleshooting.zip (17.6 KB)
Thanks for the zip/logs! Have you possibly created an auth policy and added your user to that auth policy? You also do not need to do this at all: "Manually installed the Controller's Root CA into the Windows Trusted Root Store." In fact, if you down/up it'd be easy to forget that you did that, so I could see that causing confusion some day!
Could you share the process you're using to enroll the identity? Are you using "by jwt" or "by url" etc.
My guess is you made an auth policy, and put your identity into that policy, but you can't auth to the controller. Because you can't auth to the controller you can't get the list of routers, and that's why your ZDEW doesn't connect to the router...
Sorry for responding so late, I had no access to my lab for 2 weeks. What I did was create an identity through ZAC. I used the default auth policy that was already there when I deployed the docker stack. Then I created 2 configs which I assigned: one intercept.v1 where I put port 443 and address whoami.vorcakhome.casa (whoami hosted on a different VM for testing) and one host.v1 pointing to the IP and port where the whoami is hosted. Then I created a service with these two configs.
After that I created a dial policy with the service and my identity assigned to it. I also created a bind policy with the service and my router assigned to it.
Then I downloaded the identity JWT, put it into ZDEW and ran into the issue I described.
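For reference, the ZAC steps described above expressed as `ziti` CLI calls, followed by the two checks that separate "router not reachable" from "identity has no router for the service". This is an added example, not code from the thread or from the OpenZiti project; the identity name, router name and the whoami VM address are constructed placeholders, and the script only prints the commands when the `ziti` binary is not on PATH.

```shell
#!/bin/sh
# Added example: whoami service setup as CLI calls, plus access checks.
# Names/addresses are constructed placeholders; override via environment.
set -u

ZITI_IDENTITY="${ZITI_IDENTITY:-win-laptop}"       # identity enrolled in ZDEW (placeholder)
ZITI_ROUTER="${ZITI_ROUTER:-ziti-edge-router}"     # router's tunneler identity (placeholder)
WHOAMI_HOST="${WHOAMI_HOST:-192.0.2.10}"           # constructed: VM actually running whoami
WHOAMI_PORT="${WHOAMI_PORT:-80}"

# Run a ziti command, or only print it when the CLI is absent or DRY_RUN is set.
run() {
  if command -v ziti >/dev/null 2>&1 && [ -z "${DRY_RUN:-}" ]; then "$@"; else echo "+ $*"; fi
}

# intercept.v1: what the Windows tunneler captures (the poster's 443 + FQDN).
intercept_config_json() {
  printf '{"protocols":["tcp"],"addresses":["whoami.vorcakhome.casa"],"portRanges":[{"low":443,"high":443}]}'
}
# host.v1: where the router-hosted side forwards traffic to.
host_config_json() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$WHOAMI_HOST" "$WHOAMI_PORT"
}

setup_whoami() {
  run ziti edge create config whoami-intercept intercept.v1 "$(intercept_config_json)"
  run ziti edge create config whoami-host host.v1 "$(host_config_json)"
  run ziti edge create service whoami --configs whoami-intercept,whoami-host
  run ziti edge create service-policy whoami-dial Dial --service-roles '@whoami' --identity-roles "@$ZITI_IDENTITY"
  run ziti edge create service-policy whoami-bind Bind --service-roles '@whoami' --identity-roles "@$ZITI_ROUTER"
  # Both router policies are needed: identity->router AND service->router.
  run ziti edge create edge-router-policy all-identities --edge-router-roles '#all' --identity-roles '#all'
  run ziti edge create service-edge-router-policy all-services --service-roles '#all' --edge-router-roles '#all'
}

# Checks: is the router online, and does the identity end up with a router for the service?
check_access() {
  run ziti edge list edge-routers
  run ziti edge policy-advisor identities "$ZITI_IDENTITY" -q
}

setup_whoami
check_access
```

If `policy-advisor` reports the service with no common router, the problem is the policies, not the advertised address; if `list edge-routers` shows the router offline, look at the router container first.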
forget the current identity from Ziti Desktop Edge for Windows (ZDEW)
stop ZDEW using the big green button on the UI
clear your logs: C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service
turn on the ZDEW
make an identity using zac/ziti cli
download the jwt
enroll the jwt
send the logs here via DM or somehow and I'll have a look
To be totally honest, I think this is probably just a thing that happened when you were getting going. A stale identity or something along those lines. It could be an 'advertised address' problem, but the logs should have some more details after this test.