I finally got this up and running! For anyone looking to upgrade from an older OpenZiti quickstart instance to a newer one, there are a few extra steps you’ll need to follow. Some of these might seem a bit counterintuitive, so I’ve outlined them below.
Key Points to Keep in Mind:

- The `cas.pem` (CA bundle) file is exactly what it says: a bundle of CA certificates, not a chain. The order of CAs in this file doesn't matter.
- The `cas.pem` file is used to assign the appropriate CAs to newly created identities. Each identity manages its own CA store; the OS CA store is not used.
- In older quickstart versions, `cas.pem` also included intermediate certificates. In newer versions it only contains the Root CA certificates. This means that any non-root certificates (those without "root" in their names) should be removed. Additionally, make sure that all Root CA certificates are included in the file.
- After updating `cas.pem` to only contain the Root CA certificates, you may notice that communication between the Router and the Controller stops working. The reason is that the peer now only trusts the roots, so the router has to present the intermediates itself. To fix this, you need to modify the client router certificate to include the full chain (excluding the Root CA). This file is referenced in the router YAML as shown below:

```yaml
identity:
  cert: "/home/ziti/.ziti/quickstart/zt/pki/routers/zt-edge-router/client.cert"
```

- Similarly, communication between Identities and the Router will also break after updating `cas.pem`. To resolve this, edit the server router certificate to include the full chain (again, excluding the Root CA). This file is also referenced in the router YAML:

```yaml
identity:
  server_cert: "/home/ziti/.ziti/quickstart/zt/pki/routers/zt-edge-router/server.cert"
```
1. Modify cas.pem to only contain (all) Root CA certs.
Remember to back up the quickstart directory first!
If you used the default quickstart, this should do the trick to create the new `cas.pem`:

```sh
: > /your-quickstart-path/pki/cas.pem && find /your-quickstart-path/pki/ -type f -name "*root-ca.cert" -exec cat {} >> /your-quickstart-path/pki/cas.pem \;
```

Check the result: `grep -c 'BEGIN CERTIFICATE' /your-quickstart-path/pki/cas.pem` should equal the number of root CA files you have, and for every certificate in the file the subject must equal the issuer (that is what makes it a root).
2. Modify client router certificate to include a full chain
This is a little tricky to do automatically, but it's done by hand in a couple of minutes. Find the issuer of the leaf certificate:

```sh
openssl x509 -in pki/routers/zt-edge-router/client.cert -noout -issuer
```

Append the certificate of that issuing CA below the leaf in `client.cert`, then run the same command against the issuer's certificate and repeat until the issuer is a root CA. The root CA itself stays out of this file.
3. Modify server router certificate to include a full chain
Same procedure as for the client certificate: instead of only the leaf certificate, the file should contain the full path up to, but not including, the root CA.
Check the issuer of the leaf and manually add the CA certs below it. Do that until the issuer is a root CA:

```sh
openssl x509 -in pki/routers/zt-edge-router/server.cert -noout -issuer
```
4. Restart ziti-controller and ziti-router(s)
Enjoy.