@qrkourier thanks. Access to that controller port is OK; I have a laptop in the same LAN and it works.
So, should the enrollment process automatically fetch those certificates? And if it doesn't, can those be saved somewhere before enrollment?
Here is the output of those commands:
timo@ziti-router:~$ curl -skSf https://ziti1.xxxxx.org:8441/.well-known/est/cacerts \
| base64 -d \
| openssl pkcs7 -inform DER -outform PEM -print_certs \
| openssl storeutl -certs -noout -text /dev/stdin \
| grep -E '(Subject|Issuer):'
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ziti1.xxxxx.org-root-ca Root CA
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ziti1.xxxxx.org-root-ca Root CA
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-edge-controller-root-ca Root CA
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-edge-controller-root-ca Root CA
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate_grandparent_intermediate
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate_grandparent_intermediate
timo@ziti-router:~$ curl -vkf https://ziti1.xxxxx.org:8441/edge/client/v1/version
* Trying xxx.xx.34.88:8441...
* Connected to ziti1.xxxxx.org (xxx.xx.34.88) port 8441 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=US; L=Charlotte; O=NetFoundry; OU=ADV-DEV; CN=openziti server certificate
* start date: Nov 17 12:13:10 2024 GMT
* expire date: Nov 17 12:14:04 2025 GMT
* issuer: C=US; L=Charlotte; O=NetFoundry; OU=ADV-DEV; CN=openziti-edge-controller-intermediate
* SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.1
> GET /edge/client/v1/version HTTP/1.1
> Host: ziti1.xxxxx.org:8441
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Content-Length: 502
< Content-Type: application/json
< Server: ziti-controller/v1.1.15
< Ziti-Instance-Id: cm3lksa660000nypqisz25ifx
< Date: Thu, 21 Nov 2024 07:11:34 GMT
<
{"data":{"apiVersions":{"edge":{"v1":{"apiBaseUrls":["https://ziti1.xxxxx.org:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-client":{"v1":{"apiBaseUrls":["https://ziti1.xxxxx.org:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-management":{"v1":{"apiBaseUrls":["https://ziti1.xxxxx.org:8441/edge/management/v1"],"path":"/edge/management/v1"}}},"buildDate":"2024-10-02T12:59:41Z","capabilities":[],"revision":"0eec47ce3c80","runtimeVersion":"go1.23.1","version":"v1.1.15"},"meta":{}}
* Connection #0 to host ziti1.xxxxx.org left intact
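As an added example (not part of this post or of OpenZiti's own tooling), a small script that reads the Subject/Issuer lines the cacerts pipeline above printed and walks every certificate to its self-signed anchor, which is the check to run when asking whether an EST cacerts bundle really contains complete chains. The sample input is copied from the output above; the function names are my own.

```python
# Constructed sample input: the Issuer/Subject lines the EST cacerts pipeline printed (xxxxx kept as-is).
CACERTS_OUTPUT = """\
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ziti1.xxxxx.org-root-ca Root CA
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ziti1.xxxxx.org-root-ca Root CA
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-edge-controller-root-ca Root CA
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-edge-controller-root-ca Root CA
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate_grandparent_intermediate
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate_grandparent_intermediate
"""

def parse_pairs(text):
    """Map each cert's Subject DN to its Issuer DN (openssl -text prints Issuer first)."""
    s2i, issuer = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Issuer: "):
            issuer = line[len("Issuer: "):]
        elif line.startswith("Subject: "):
            s2i[line[len("Subject: "):]] = issuer
    return s2i

def cn(dn):
    """Return just the CN attribute of a DN, for readable output."""
    return dn.split("CN=", 1)[-1]

def chain_to_root(subject, s2i):
    """Follow Subject -> Issuer until a self-signed cert (Subject == Issuer). Ends with
    '<unanchored: CN>' when the bundle lacks an issuer (or loops), i.e. that cert has
    no trust anchor inside this bundle."""
    chain, cur, seen = [cn(subject)], subject, {subject}
    while s2i[cur] != cur:
        issuer = s2i[cur]
        if issuer not in s2i or issuer in seen:  # issuer absent from bundle, or malformed loop
            return chain + ["<unanchored: " + cn(issuer) + ">"]
        seen.add(issuer)
        chain.append(cn(issuer))
        cur = issuer
    return chain

def summarize(text=CACERTS_OUTPUT):
    """Return (sorted trust anchors, chain for every non-root cert) found in the bundle."""
    s2i = parse_pairs(text)
    roots = sorted(cn(s) for s, i in s2i.items() if s == i)
    chains = {cn(s): chain_to_root(s, s2i) for s, i in s2i.items() if s != i}
    return roots, chains
```

On the output above this yields three self-signed anchors and a two-level signing chain ending at openziti-signing-root-ca; the controller's server-cert issuer (openziti-edge-controller-intermediate) is not in the bundle itself, only its root is, so the controller has to present that intermediate in the TLS handshake, as the curl -v trace shows it doing.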