Quickstart and trying to add another router

Hi, I'm just learning OpenZiti and I have deployed it to a VPS using the quickstart, and it works. I have Edge Desktop on my laptop and Android phone, and Edge Tunneler on a Linux test server, and I can access its resources via OpenZiti.

So far everything has worked greatly :grinning:

Now I try to install router to my LAN and I have followed this guide.

The problem is that my router enrollment fails with the error

{"file":"github.com/openziti/ziti/router/enroll/enroll.go:109","func":"github.com/openziti/ziti/router/enroll.(*RestEnroller).Enroll","level":"fatal","msg":"no valid root CAs were found","time":"2024-11-20T14:16:22.640Z"}

So, where do I get this CA and where do I need to save it on the router?

The public CA cert should be downloaded as part of the enrollment process. Can you post the whole output from the enroll command, including the command itself?

Here is the whole process I have done

root@ziti-router:~# curl -sS https://get.openziti.io/install.bash | sudo bash -s openziti-router
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Hit:4 https://packages.openziti.org/zitipax-openziti-deb-stable debian InRelease
Fetched 48.0 kB in 1s (51.0 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openziti
The following NEW packages will be installed:
  openziti openziti-router
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/50.1 MB of archives.
After this operation, 132 MB of additional disk space will be used.
Selecting previously unselected package openziti.
(Reading database ... 33729 files and directories currently installed.)
Preparing to unpack .../openziti_1.1.15_amd64.deb ...
Unpacking openziti (1.1.15) ...
Selecting previously unselected package openziti-router.
Preparing to unpack .../openziti-router_1.1.15_amd64.deb ...
Unpacking openziti-router (1.1.15) ...
Setting up openziti (1.1.15) ...
Setting up openziti-router (1.1.15) ...
 completed clean install of openziti-router
Package: openziti-router
Version: 1.1.15
Section:
Priority: optional
Architecture: amd64
Maintainer: OpenZiti Maintainers <developers@openziti.org>
Installed-Size: 20
Depends: openziti, systemd (>= 232)
Homepage: https://openziti.io
Description: Provides a system service for running an OpenZiti Router
Description-md5: a3d49d0a1673ec2256b0ac5dedd355d0
Filename: pool/openziti-router/amd64/openziti-router_1.1.15_amd64.deb
SHA1: 5a4cddde1daf3b5adcc3ad7a4c3c3ddb9163cf79
SHA256: 856a4f8abec6e69a4ebc65b2e03a4b478688d9bbfa7f03f56403483c37091650
Size: 8232

root@ziti-router:~# /opt/openziti/etc/router/bootstrap.bash
Enter address of the controller [required]: ziti1.xxxxx.org
Enter the controller port [1280]: 8441
Enter the DNS name or IP address of this router [localhost]: 172.16.0.92
Enter the router port [3022]:
Router enrollment token as string or path [required]: /root/test-lan.jwt
{"file":"github.com/openziti/ziti/ziti/cmd/create/create_config.go:303","func":"github.com/openziti/ziti/ziti/cmd/create.(*ConfigTemplateValues).PopulateConfigValues","level":"warning","msg":"DNS provided (172.16.0.92) appears to be an IP, ignoring for DNS entry","time":"2024-11-20T15:45:51.651Z"}
ERROR: something went wrong during bootstrapping; set DEBUG=1
WARN: set VERBOSE=1 or DEBUG=1 for more output
WARN: see output in '/tmp/tmp.IBq7Nf2l8s'

root@ziti-router:~# cat /tmp/tmp.IBq7Nf2l8s
{"file":"github.com/openziti/ziti/router/enroll/enroll.go:109","func":"github.com/openziti/ziti/router/enroll.(*RestEnroller).Enroll","level":"fatal","msg":"no valid root CAs were found","time":"2024-11-20T15:45:51.924Z"}
DEBUG: using config file: /var/lib/private/ziti-router/config.yml
DEBUG: preparing working directory: /var/lib/private/ziti-router
DEBUG: using config: /var/lib/private/ziti-router/config.yml
DEBUG: controller address is 'ziti1.xxxxx.org:8441'
DEBUG: router address is '172.16.0.92:3022'
root@ziti-router:~#

Aw, so close!

Let's troubleshoot this error. :smiling_face:

My guess is the controller isn't reachable by your router at that address. Is this the first device from another network connecting to ziti1.xxxxx.org:8441? You might need to double-check that the domain name ziti1.xxxxx.org resolves to the expected public IP address, and that the host serving the Ziti controller's port 8441/tcp has a firewall exception for it, and for the other ports on which it is listening, if any.

This troubleshooting command will emit a list of the root certs' subject/issuer distinguished names when it is working correctly. You can edit this command into a single line, if your terminal doesn't let you paste multi-line, by removing the \ characters and newlines.

curl -skSf https://ziti1.xxxxx.org:8441/.well-known/est/cacerts \
| base64 -d \
| openssl pkcs7 -inform DER -outform PEM -print_certs \
| openssl storeutl -certs -noout -text /dev/stdin \
| grep -E '(Subject|Issuer):'

If that doesn't work you might be able to diagnose the problem with cURL's verbose flag. This one shows the IP the domain name resolved to, if any, and the TLS and HTTP transcripts so you can see precisely where it's breaking down, and will print a JSON response at the end when it's working.

curl -vkf https://ziti1.xxxxx.org:8441/edge/client/v1/version
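As an added example (not part of the thread), the pipeline above wrapped into reusable shell functions, plus a step that uses the fetched bundle as curl's trust anchor instead of -k, and an offline self-check against a throwaway CA. It assumes curl, base64 and openssl 1.1.1 or newer; the EST endpoint path and the /edge/client/v1/version URL are the ones shown in the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes curl, base64 and openssl >= 1.1.1 (for storeutl).
# An EST /cacerts response (RFC 7030) is base64 of a DER PKCS#7 "certs-only" bundle.
set -eu

# Decode an EST cacerts response on stdin into PEM certificates on stdout.
est_cacerts_to_pem() {
  base64 -d | openssl pkcs7 -inform DER -outform PEM -print_certs
}

# Print the Subject/Issuer distinguished names of every certificate in the PEM file $1.
list_ca_names() {
  openssl storeutl -certs -noout -text "$1" | grep -E '^ *(Subject|Issuer):' | sed 's/^ *//'
}

# Count certificates in the PEM file $1; an empty bundle is the failure to catch early.
count_pem_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Fetch the controller's CA bundle (host:port in $1) and save it as PEM in $2.
# This first fetch is trust-on-first-use: -k skips verification because there is no
# trust anchor yet, so check that the names list_ca_names prints are the CAs you expect.
fetch_controller_cas() {
  local controller="$1" out="$2"
  curl -skSf "https://${controller}/.well-known/est/cacerts" | est_cacerts_to_pem > "$out"
  [ "$(count_pem_certs "$out")" -ge 1 ]
}

# Re-check the controller API with the fetched bundle as the trust anchor instead of -k.
# Failure here means the served chain does not lead to a root in the bundle.
verify_controller_cert() {
  local controller="$1" cafile="$2"
  curl -sSf --cacert "$cafile" "https://${controller}/edge/client/v1/version" > /dev/null
}

# Offline self-check: build a throwaway root CA (constructed sample, not a real Ziti CA),
# wrap it the way EST serves it, and run the same decode/list pipeline on it.
demo_local_bundle() {
  local dir; dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=ExampleNet/CN=example-root-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" > /dev/null 2>&1
  openssl crl2pkcs7 -nocrl -certfile "$dir/ca.pem" -outform DER | base64 > "$dir/cacerts.b64"
  est_cacerts_to_pem < "$dir/cacerts.b64" > "$dir/bundle.pem"
  list_ca_names "$dir/bundle.pem"
}
```

Typical use after sourcing the file: fetch_controller_cas ziti1.xxxxx.org:8441 controller-cas.pem, then list_ca_names controller-cas.pem and verify_controller_cert ziti1.xxxxx.org:8441 controller-cas.pem.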

@qrkourier thanks. Access to that controller port is OK; I have a laptop in the same LAN and it works.

So, the enrollment process should automatically fetch those certificates? And if it doesn't, can those be saved somewhere before enrollment?

Here is the output of those commands

timo@ziti-router:~$ curl -skSf https://ziti1.xxxxx.org:8441/.well-known/est/cacerts \
| base64 -d \
| openssl pkcs7 -inform DER -outform PEM -print_certs \
| openssl storeutl -certs -noout -text /dev/stdin \
| grep -E '(Subject|Issuer):'
        Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ziti1.xxxxx.org-root-ca Root CA
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ziti1.xxxxx.org-root-ca Root CA
        Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-edge-controller-root-ca Root CA
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-edge-controller-root-ca Root CA
        Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
        Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate_grandparent_intermediate
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate
        Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-root-ca Root CA
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=openziti-signing-intermediate_grandparent_intermediate


timo@ziti-router:~$ curl -vkf https://ziti1.xxxxx.org:8441/edge/client/v1/version
*   Trying xxx.xx.34.88:8441...
* Connected to ziti1.xxxxx.org (xxx.xx.34.88) port 8441 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; L=Charlotte; O=NetFoundry; OU=ADV-DEV; CN=openziti server certificate
*  start date: Nov 17 12:13:10 2024 GMT
*  expire date: Nov 17 12:14:04 2025 GMT
*  issuer: C=US; L=Charlotte; O=NetFoundry; OU=ADV-DEV; CN=openziti-edge-controller-intermediate
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.1
> GET /edge/client/v1/version HTTP/1.1
> Host: ziti1.xxxxx.org:8441
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Content-Length: 502
< Content-Type: application/json
< Server: ziti-controller/v1.1.15
< Ziti-Instance-Id: cm3lksa660000nypqisz25ifx
< Date: Thu, 21 Nov 2024 07:11:34 GMT
<
{"data":{"apiVersions":{"edge":{"v1":{"apiBaseUrls":["https://ziti1.xxxxx.org:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-client":{"v1":{"apiBaseUrls":["https://ziti1.xxxxx.org:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-management":{"v1":{"apiBaseUrls":["https://ziti1.xxxxx.org:8441/edge/management/v1"],"path":"/edge/management/v1"}}},"buildDate":"2024-10-02T12:59:41Z","capabilities":[],"revision":"0eec47ce3c80","runtimeVersion":"go1.23.1","version":"v1.1.15"},"meta":{}}
* Connection #0 to host ziti1.xxxxx.org left intact

Hmm :thinking: I have a minimal Debian 12 install, so could it be missing some tools/packages to fetch those certificates?

I'll try it on Debian 12 Bookworm with the same instructions you followed:

  • host it anywhere ziti network quickstart for the controller
  • linux router deployment guide for the router

The undiagnosed problem is that router enrollment fails with this error:

{
  "file": "github.com/openziti/ziti/router/enroll/enroll.go:109",
  "func": "github.com/openziti/ziti/router/enroll.(*RestEnroller).Enroll",
  "level": "fatal",
  "msg": "no valid root CAs were found",
  "time": "2024-11-20T15:45:51.924Z"
}

From the same router's network perspective, the controller is reachable and there's no problem fetching the root CA bundle.

@qrkourier just quickly tested this with Rocky Linux 9 and still got same error.

So I started to check the quickstart guide again, and it was my fault :man_facepalming:

I followed the quickstart but had made one change to the controller YAML file. At that time I had the server hostname set to "openziti", so it copied that into the YAML file, and I manually changed the following addresses from "openziti" to "ziti1.xxxxx.org".

....
ctrl:
  options:
    advertiseAddress: tls:ziti1.xxxxx.org:8440
....
edge:
  api:
    address: ziti1.xxxxx.org:8441
...
web:
    bindPoints:
        address: ziti1.xxxxx.org:8441

So the result was that Edges worked but Routes didn't :grinning:

Anyway big thanks for help.

When testing I noticed the following:

  • In Router Deployment there is an Uninstall section; the apt command sudo apt-get purge openziti-router seems to remove the whole /opt directory, while the equivalent dnf command sudo dnf remove openziti-router doesn't remove it.
  • In the quickstart guide, in the section "Adding Environment Variables Back to the Shell", there is the command source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env, which fails if you have set the server hostname with hostnamectl set-hostname ziti1.xxxxx.org