Problem to deploy identity Centos 7

Tunneler Apps Ziti Edge Tunnel
1

I have installed the controller and the router in machines with Rocky Linux 9.5, i created all the identities through zac. All the identities were enrolled properly except the one with Centos 7.

When i try to add i got the following errors below:

[root@xxxx bruno.bandeira]# ziti-edge-tunnel add --jwt /home/bruno.bandeira/xxxx.jwt --identity xxxx

received response <{"Success":false,"Error":"enrollment failed","Code":500}

In the syslog i saw this:

Jul 01 16:35:40 xxxx ziti-edge-tunnel[14273]: (14273)[ 259766.790] ERROR ziti-sdk:model_support.c:67 parse_tokens() jsmn_parse() failed: -2
Jul 01 16:35:40 xxxx ziti-edge-tunnel[14273]: (14273)[ 259766.790] ERROR ziti-sdk:ziti_enroll.c:123 ziti_enroll() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:108 - load_jwt_content(ecfg, &ecfg->zejh, &ecfg->zej) => -4 (JWT has invalid format)
Jul 01 16:35:40 xxxx ziti-edge-tunnel[14273]: (14273)[ 259766.790] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:320 tunnel_enroll_cb() enrollment failed: enroll failed(-4)
Jul 01 16:35:40 xxxx ziti-edge-tunnel[14273]: (14273)[ 259766.798] WARN ziti-edge-tunnel:ziti-edge-tunnel.c:648 on_cmd() received from client - EOF. Closing connection.
Jul 01 16:35:40 xxxx ziti-edge-tunnel[14273]: (14273)[ 259766.798] WARN ziti-edge-tunnel:ziti-edge-tunnel.c:660 on_cmd() IPC client connection closed, count: 0

[root@xxxx bruno.bandeira]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

Let me know what is missing.

2

Hi @bbandeira, welcome to the community and to OpenZiti!

That's a strange one to me. That seems like the proper way to use the add command. The key error to me is JWT has invalid format. Have you looked at that JWT to verify it's correct? You could use https://jwt.io and paste it into there to see if it's valid. It seems like it's not. I'd guess a bad download?

Can you confirm that jwt is correct?

3

make sure you didn't create a router. i believe i saw that error before when i mistakenly used router jwt instead of identity jwt

4

I already did this.

Looking at what came out from decode:

{
"alg": "RS256",
"kid": "xxxxxxxxxxxxxx",
"typ": "JWT"
}

{
"iss": "https://xxxxxxxxxxxxxx:1280",
"sub": "3pC3vRU9X",
"aud": [
""
],
"exp": 1751408462,
"jti": "xxxxxxxxxxxxxx",
"em": "ott",
"ctrls": [
"tls:xxxxxxxxxxxxxx:1280"
]
}

The only thing that i found was that:

"Unable to automatically download public key from JWT. Please enter public key manually to verify the JWT signature."

But i saw the same for the others identities. I already deleted the identity and recreate it. Not sure the name of the identity could be a possible problem, i am using hypen.

Ex. example-org

5

I don't think using a hyphen will matter. You could certainly try it and see. It works fine for me:

cdaws:ubuntu@ip-172-31-47-200:~$ ziti edge create identity 'b-a' -o 'b-a.jwt'
New identity b-a created with id: gf1v0-VvS
Enrollment expires at 2025-07-02T15:32:52.305Z
cdaws:ubuntu@ip-172-31-47-200:~$ sudo ziti-edge-tunnel add -j './b-a.jwt'  -i 'b-a'
{
  "Success":true,
  "Code":0
}

How are you starting the tunneler? For this test I ran it manually using:

sudo ziti-edge-tunnel run -I /tmp/zetids

Are you using the package installed or some other way?

6

Hi Clint,

I am using installed package from the openziti repository.

[root@example-org ~]# cat /etc/yum.repos.d/openziti.repo
[OpenZiti]
name=OpenZiti
baseurl=https://packages.openziti.org/zitipax-openziti-rpm-stable/redhat$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=https://packages.openziti.org/zitipax-openziti-rpm-stable/redhat$releasever/$basearch/repodata/repomd.xml.key
repo_gpgcheck=1

I am starting using the ziti-edge-tunnel.service.

Running a ps -ef | grep ziti, this is the command line:

/opt/openziti/bin/ziti-edge-tunnel run --verbose=2 --dns-ip-range=100.64.0.1/10 --identity-dir=/opt/openziti/etc/identities

Ziti version installed:

ziti-edge-tunnel-1.0.3-1.x86_64

Best Regards,

Bruno Bandeira

7

Adding more information:

Operating System:
[root@xxx-xxx ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

8

Oh I just realized after talking to someone that we don't actually support Centos 7 anymore as it's just too old. So if all the other environments worked but not Centos 7, that's probably not a surprise. Sorry to be the bearer of bad news. Cheers

9

Wouldn't it be good to disable the redhat7 repo? And to update the documenation (Tunneling on RedHat and Fedora | OpenZiti)?

10

It's not always clear when "odd" things like this creep in what/why the problem is happening. It'd probably be a good idea to remove centos 7 from that page, I'd agree there but I'm not sure if removing the repo is (or is not) a good idea. I'll ask around with the team and see waht they think. Thanks for pointing that page out.