Dear all,
I'm having trouble accessing a service from one specific identity (Windows). The service works well from other identities (not Windows), though. Also, this identity can use other services. The configurations are pretty much the same and I can't find the relevant difference.
These are the logs from the tunneler on the respective machine offering the service:
Jun 02 15:18:05 BLUB ziti-edge-tunnel[941]: (941)[ 30388.416] ERROR ziti-sdk:channel.c:489 dispatch_message() ch[0] received message without conn_id or for unknown connection ct[ED71] conn_id[27]
Jun 02 15:18:06 BLUB ziti-edge-tunnel[941]: (941)[ 30388.852] ERROR ziti-sdk:connect.c:887 conn_inbound_data_msg() /github/workspace/build/_deps/ziti-sdk-c-src/library/connect.c:878 - crypto_secretstream_xchacha20poly1305_pull(&conn->crypt_i, plain_text, &plain_len, &tag, msg->body, msg->header.body_len, NULL, 0) => -1 (Unknown error -1)
Jun 02 15:18:06 BLUB ziti-edge-tunnel[941]: (941)[ 30388.852] WARN ziti-sdk:conn_bridge.c:300 on_ziti_data() br[0.28] closing bridge due to error: -22(crypto failure)
I don't have any clue on how to solve this. Any help is appreciated.
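The three journal lines above tell one story: a data message arrives for a connection the SDK no longer knows, the next inbound message fails `crypto_secretstream_xchacha20poly1305_pull()` (the end-to-end decryption step), and the tunneler tears the bridge down with `-22 (crypto failure)`. Below is an added example, not code from the thread or from the OpenZiti project, that parses `ziti-edge-tunnel` journal lines into fields and pulls out exactly that failure pattern so it can be spotted in a larger log. The sample input is the three lines from the post plus one constructed INFO line for contrast; the field names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three lines from the post, plus a fourth benign line
# that is made up for contrast (it is not from the original thread).
SAMPLE_LOG = """\
Jun 02 15:18:05 BLUB ziti-edge-tunnel[941]: (941)[ 30388.416] ERROR ziti-sdk:channel.c:489 dispatch_message() ch[0] received message without conn_id or for unknown connection ct[ED71] conn_id[27]
Jun 02 15:18:06 BLUB ziti-edge-tunnel[941]: (941)[ 30388.852] ERROR ziti-sdk:connect.c:887 conn_inbound_data_msg() /github/workspace/build/_deps/ziti-sdk-c-src/library/connect.c:878 - crypto_secretstream_xchacha20poly1305_pull(&conn->crypt_i, plain_text, &plain_len, &tag, msg->body, msg->header.body_len, NULL, 0) => -1 (Unknown error -1)
Jun 02 15:18:06 BLUB ziti-edge-tunnel[941]: (941)[ 30388.852] WARN ziti-sdk:conn_bridge.c:300 on_ziti_data() br[0.28] closing bridge due to error: -22(crypto failure)
Jun 02 15:18:07 BLUB ziti-edge-tunnel[941]: (941)[ 30389.100] INFO ziti-sdk:conn_bridge.c:120 on_bridge_close() br[0.29] bridge closed (constructed line)
"""

# Shape of a journald line from ziti-edge-tunnel as seen in the post:
#   <syslog ts> <host> ziti-edge-tunnel[<pid>]: (<pid>)[ <uptime>] <LEVEL> ziti-sdk:<file>:<line> <func>() <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ziti-edge-tunnel\[(?P<pid>\d+)\]: "
    r"\(\d+\)\[\s*(?P<uptime>[\d.]+)\] (?P<level>[A-Z]+) (?P<src>ziti-sdk:[\w.]+:\d+) "
    r"(?P<func>\w+)\(\) (?P<msg>.*)$"
)

# Substrings that identify the end-to-end-encryption failure path in the SDK.
CRYPTO_MARKERS = ("crypto_secretstream_xchacha20poly1305_pull", "crypto failure")
BRIDGE_RE = re.compile(r"br\[(?P<bridge>[\d.]+)\]")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one journal line into its fields; None if it is not an SDK log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_crypto_failures(text: str) -> List[Dict[str, str]]:
    """Return the parsed ERROR/WARN records that belong to the e2e decryption failure."""
    events = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] in ("ERROR", "WARN") and any(mk in rec["msg"] for mk in CRYPTO_MARKERS):
            events.append(rec)
    return events


def affected_bridges(events: List[Dict[str, str]]) -> List[str]:
    """Bridge ids (br[x.y]) that were closed because of the crypto failure."""
    ids = []
    for rec in events:
        m = BRIDGE_RE.search(rec["msg"])
        if m and m.group("bridge") not in ids:
            ids.append(m.group("bridge"))
    return ids


if __name__ == "__main__":
    for rec in find_crypto_failures(SAMPLE_LOG):
        print(rec["ts"], rec["level"], rec["src"], rec["msg"][:60])
    print("bridges closed:", affected_bridges(find_crypto_failures(SAMPLE_LOG)))
```

Feeding `journalctl -u ziti-edge-tunnel --no-pager` output into `find_crypto_failures` gives the timestamps and bridge ids of every decryption failure, which is the first thing to compare against the failing client's own tunneler log when a service works for some identities and not others.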
Can you provide any additional details about what the overall picture looks like? I'm specifically wondering about the identity that is binding the service. Is it a router or is it a Linux ziti-edge-tunnel or a Mac, etc.? I'm also wondering if there could possibly be more than one identity that is hosting/binding the service? Also, the specific versions.
The errors you’ve highlighted make it appear to me that end to end encryption is failing in some way. We know there’s been a problem that I think we just recently fixed around services marked as “no end to end encryption” (which should not be the default, you should have to go out of your way to configure a service this way).
Can you maybe explain the overall setup? If you have steps to reproduce that’d be a huge help.
Thanks!
Hey @TheLumberjack ,
in general I went through the Zero Trust Host Access Tutorial again and added another server. Let me try to give details like this:
I added two intercept.v1 configs to intercept tcp traffic for ports 80 and 443. Then I added two host.v1 configs to offload the traffic to localhost on the specific port.
The tunneler is running on the same machine as the nginx server I want to use.
Then I added two services, again for p80 and p443 and added the relevant configurations. I also assigned a role to both services.
Last I added the necessary policies:
@revprox... is the identity of the tunneler on the nginx server and
#nextcloud.svc-role is the role assigned to both services. Both identities I'm trying to access the service with have the r-kusys-nextcloud role.
I can't really find anything suspicious, because that's exactly what I did for another machine/service.
Thanks in advance!
Interesting... If you could show the exact steps to reproduce that would be most helpful. You could record your actions and send a movie to clint at openziti.org if you want, or we could figure out a way to demonstrate the issue. It's most helpful to know exactly what you did, and it's easy to make a small mistake here or there when using a UI. If you're up for it maybe we can try a new tactic?
So you have two host.v1 configs and associated the configs to the service? I wonder if that's somehow what's going on. It feels like maybe...
Could we try a new service with only two configs? This time we'll just forward whatever port we intercept to the destination (it's a bit simpler).
The host.v1 should look like this (notice the two port ranges that are allowed to be forwarded):
Then make an intercept.v1 that intercepts 80 and 443 -- only one config should look something like:
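The two configs the reply describes, as an added example rather than the configs from the thread or from the OpenZiti project: one host.v1 with `forwardPort` and two allowed port ranges, and one intercept.v1 covering 80 and 443. The hostname `nextcloud.ziti` and the config names are assumptions. The helper functions model the rule the `allowedPortRanges` field expresses (when `forwardPort` is true the hosting tunneler dials the intercepted port, and only if it lies inside an allowed range; when a fixed `port` is set instead, every intercepted port lands on that one port) so a mismatch between the two configs can be caught before the service is created.

```python
import json
from typing import Dict, List, Optional, Set, Tuple

# host.v1: the hosting tunneler (the @revprox... identity in the thread) connects to
# 127.0.0.1 on whatever port the client intercepted, but only for ports inside
# allowedPortRanges.  This is the shape the reply above describes.
HOST_V1 = {
    "protocol": "tcp",
    "address": "127.0.0.1",
    "forwardPort": True,
    "allowedPortRanges": [
        {"low": 80, "high": 80},
        {"low": 443, "high": 443},
    ],
}

# intercept.v1: client-side tunnelers capture tcp to the assumed hostname
# "nextcloud.ziti" on ports 80 and 443.
INTERCEPT_V1 = {
    "protocols": ["tcp"],
    "addresses": ["nextcloud.ziti"],
    "portRanges": [
        {"low": 80, "high": 80},
        {"low": 443, "high": 443},
    ],
}

# A constructed single-port host.v1 for comparison: no forwardPort, fixed port 80.
# Paired with the intercept above, a dial on 443 would also be delivered to port 80.
HOST_V1_FIXED_80 = {"protocol": "tcp", "address": "127.0.0.1", "port": 80}


def _expand(ranges: List[Dict[str, int]]) -> Set[int]:
    """All individual ports covered by a list of {low, high} ranges."""
    ports: Set[int] = set()
    for r in ranges:
        ports.update(range(r["low"], r["high"] + 1))
    return ports


def forward_target(intercepted_port: int, host: Dict) -> Optional[Tuple[str, int]]:
    """Where the hosting side would connect for a dial on intercepted_port, or None if refused."""
    if host.get("forwardPort"):
        if intercepted_port not in _expand(host.get("allowedPortRanges", [])):
            return None  # dial on a port outside the allowed ranges is rejected
        return (host["address"], intercepted_port)
    return (host["address"], host["port"])  # fixed port: intercepted port is ignored


def uncovered_ports(intercept: Dict, host: Dict) -> List[int]:
    """Ports the intercept captures that the host config would refuse to forward."""
    return sorted(p for p in _expand(intercept["portRanges"]) if forward_target(p, host) is None)


def config_json(cfg: Dict) -> str:
    """Compact JSON body, the form pasted into the config form or passed on the CLI."""
    return json.dumps(cfg, separators=(",", ":"))


if __name__ == "__main__":
    print("host.v1:     ", config_json(HOST_V1))
    print("intercept.v1:", config_json(INTERCEPT_V1))
    print("uncovered:   ", uncovered_ports(INTERCEPT_V1, HOST_V1))
    print("443 via fixed-port host ->", forward_target(443, HOST_V1_FIXED_80))
```

The compact strings from `config_json` are what goes in the JSON field of the config form, or as the last argument of `ziti edge create config <name> host.v1 '<json>'` and `ziti edge create config <name> intercept.v1 '<json>'`, after which one service references both configs. Running `uncovered_ports` on the pair before creating the service turns a silently refused dial into a visible list of ports.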
OK I just did that and it works on Android and Windows now.
One further piece of info: before setting up the new service I was able to verify that the http service was working fine. Only the https side was affected.
Anyways, thank you so much for your help! I wasn't aware one could add multiple ports in the host config. The port input field made me think I have to be specific...