From the DMZ 2 server, can you issue `openssl s_client -connect dmz1.server1:port | openssl x509 -text` and confirm that the certificate that's returned matches that advertised link? From our other conversation:
Identity Enrollment Uses Local Hostname and not External Hostname - #4 by TheLumberjack

The relevant section is the "link listeners" from:

And routers at:

- `ctrl -> endpoint`
- `link -> listeners -> advertise`
- `listeners -> address`
The router in DMZ 2 will reach out to the router in DMZ 1 based on that `link -> listeners -> advertise` field. When setting up the routers, that's another field that's easy to miss. It's generally controlled by the `ZITI_ROUTER_ADVERTISED_ADDRESS` variable when running the quickstart.
It should look something like this:

```yaml
link:
  dialers:
    - binding: transport
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:10080
      advertise: tls:ec2-3-142-245-63.us-east-2.compute.amazonaws.com:10080
```
Is that advertise address correct, and when you issue the openssl connect request, do the DNS SANs returned have this value? For example, mine looks like this:

```
X509v3 Subject Alternative Name:
    DNS:localhost, DNS:ec2-3-142-245-63.us-east-2.compute.amazonaws.com, DNS:ip-172-31-11-231, IP Address:127.0.0.1
```
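As an added example (not code from this thread or from OpenZiti), here is a small POSIX shell script that does the check the post describes: it pulls the host out of a router's `link -> listeners -> advertise` value and confirms that host appears in the DNS SANs of a certificate. It assumes `openssl` 1.1.1 or newer is on PATH (for `req -addext`) and, so it runs offline, generates a self-signed certificate carrying the SANs shown above as a stand-in for the real router certificate; `fetch_peer_cert` shows the `s_client` step from the post against a live listener but is not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenZiti: check that
# the host in a router's "link -> listeners -> advertise" value is present in
# the DNS SANs of the certificate the peer presents.
# Assumes: openssl on PATH (1.1.1 or later for "req -addext"); the self-signed
# certificate made below is a constructed stand-in for a real router cert.

# Host part of an advertise value such as "tls:host:10080".
advertise_host() {
    h=${1#tls:}              # drop the "tls:" binding prefix
    printf '%s\n' "${h%:*}"  # drop the trailing ":port"
}

# DNS SANs of a PEM certificate, one per line (parsed from "x509 -text",
# which prints the SAN list on the line after the extension header).
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Exit 0 when the advertise host is exactly one of the certificate's DNS SANs.
# $1 = advertise value, $2 = PEM certificate file
check_advertise_matches_cert() {
    cert_dns_sans "$2" | grep -qxF -- "$(advertise_host "$1")"
}

# Save the leaf certificate a live listener presents, i.e. the s_client step
# the post asks to run from the DMZ 2 router. $1 = host:port, $2 = output file.
# "</dev/null" stops s_client from waiting on stdin. Not run by the demo.
fetch_peer_cert() {
    openssl s_client -connect "$1" -servername "${1%:*}" </dev/null 2>/dev/null \
      | openssl x509 -out "$2"
}

# Constructed fixture: a self-signed cert with a chosen SAN list.
# $1 = cert file, $2 = key file, $3 = subjectAltName value
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=dmz1-router' \
      -addext "subjectAltName=$3" -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Demo: one advertise value that matches the SANs from the post and one
# (hypothetical) value that does not.
demo_advertise_check() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/cert.pem" "$tmp/key.pem" \
      'DNS:localhost,DNS:ec2-3-142-245-63.us-east-2.compute.amazonaws.com,DNS:ip-172-31-11-231,IP:127.0.0.1'
    for adv in 'tls:ec2-3-142-245-63.us-east-2.compute.amazonaws.com:10080' \
               'tls:ip-172-31-11-231.internal:10080'; do
        if check_advertise_matches_cert "$adv" "$tmp/cert.pem"; then
            echo "OK       $adv is covered by the certificate's DNS SANs"
        else
            echo "MISMATCH $adv is not in the DNS SANs; fix advertise or re-issue the cert"
        fi
    done
    rm -rf "$tmp"
}

demo_advertise_check
```

To use it against the real routers, run `fetch_peer_cert dmz1.server1:10080 dmz1.pem` from the DMZ 2 host and then `check_advertise_matches_cert "$(grep advertise: router.yml | awk '{print $2}')" dmz1.pem`; a non-zero exit means the advertise value and the certificate disagree, which is exactly the mismatch the post is asking about.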