Hi all,
UPDATED Aug 22 2023
Just wanted to drop a quick note about a bug in the quickstart. If you have generated your network from the quickstart recently, you want to verify the setting in the web section of your controller config to ensure newer tunnelers don't have connectivity issues.
These commands should work with most/many/all of the previous versions of the quickstart, but I can't really test them all. If you run into issues, comment back on this post.
Update Your Controller Config
- Source the .env file (or figure out how to set the variables accordingly):

    source $HOME/.ziti/quickstart/$(hostname -s)/$(hostname -s).env

- Run this command. It will tell you whether or not you need to update your controller's config file:

    if [[ 0 -lt $(grep -c "${ZITI_PKI}/${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}/certs/${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}.cert" "$ZITI_HOME/$ZITI_NETWORK.yaml") ]]; then
      echo "You need to update/edit this file"
    else
      echo "Your quickstart is up-to-date/accurate"
    fi

- If you see "Your quickstart is up-to-date/accurate", you're done.
- If you see "You need to update/edit this file", run the commands listed below to repair your quickstart. They point the web section at the edge root CA instead of the edge intermediate, then rebuild the CA bundle from the controller root CA, the signing root CA and the secondary signing intermediate:

    sed -i 's#'"${ZITI_PKI}/${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}/certs/${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}.cert"'#'"${ZITI_PKI}/${ZITI_PKI_CTRL_EDGE_ROOTCA_NAME}/certs/${ZITI_PKI_CTRL_EDGE_ROOTCA_NAME}.cert"'#g' "$ZITI_HOME/$ZITI_NETWORK.yaml"
    echo "adding controller root CA to ca bundle: $ZITI_PKI/$ZITI_PKI_CTRL_ROOTCA_NAME/certs/$ZITI_PKI_CTRL_ROOTCA_NAME.cert"
    cat "$ZITI_PKI/$ZITI_PKI_CTRL_ROOTCA_NAME/certs/$ZITI_PKI_CTRL_ROOTCA_NAME.cert" > "${ZITI_PKI_CTRL_CA}"
    echo "adding signing root CA to ca bundle: $ZITI_PKI/$ZITI_PKI_SIGNER_ROOTCA_NAME/certs/$ZITI_PKI_SIGNER_ROOTCA_NAME.cert"
    cat "$ZITI_PKI/$ZITI_PKI_SIGNER_ROOTCA_NAME/certs/$ZITI_PKI_SIGNER_ROOTCA_NAME.cert" >> "${ZITI_PKI_CTRL_CA}"
    echo "adding secondary signing intermediate into ca bundle: $ZITI_PKI/$ZITI_PKI_SIGNER_ROOTCA_NAME/certs/${ZITI_PKI_SIGNER_INTERMEDIATE_NAME}_spurious_intermediate.cert"
    cat "$ZITI_PKI/$ZITI_PKI_SIGNER_ROOTCA_NAME/certs/${ZITI_PKI_SIGNER_INTERMEDIATE_NAME}_spurious_intermediate.cert" >> "${ZITI_PKI_CTRL_CA}"
Restart the Controller
If you're using systemd, restart the controller:

    sudo systemctl restart ziti-controller
Verify the Controller Config
You can now use openssl to verify your controller is correctly updated. Run the following two commands. The first one pulls the CA bundle the controller advertises at its .well-known EST endpoint and converts it to PEM; the second connects with openssl s_client using that bundle as the trust store and prints the verify result:

    curl -sk https://${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT}/.well-known/est/cacerts \
      | openssl base64 -d \
      | openssl pkcs7 -inform DER -outform PEM -print_certs -out /tmp/well.known.cacerts.pem

    openssl s_client \
      -connect ${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT} \
      -CAfile /tmp/well.known.cacerts.pem < /dev/null 2>&1 \
      | grep "Verify return code"
If you see anything other than "Verify return code: 0 (ok)", you still have a problem. Revisit these steps.