Quickstart errors

Hello,
I’m new to openziti and was following these guides to spin up a controller to test.

Setting Up Oracle Cloud To Host OpenZiti

Host OpenZiti Anywhere | OpenZiti

In the guide it mentions:
But WAIT, one thing to note is that Oracle does not provide an external DNS, so when the guide asks you to set that value, use the public IP instead.

Which I did. When I run the quickstart I’m getting a bunch of errors such as:
RESTY 2023/08/10 01:40:32 ERROR Get "https://111.222.333.444:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 111.222.333.444, Attempt 1

Note I did change the public IP to something generic.

Welcome to the OpenZiti community!

I suspect this env var wasn’t set to your public IP before running the expressInstall function.

export EXTERNAL_DNS="111.222.333.444"

You’ll need to reset the quick start for the var to take effect.

I did run that command before running the rest in the guide, and then ran the script.

I will reset and try again

OK, there may be a problem with the latest version of the quickstart. I’m going to test it too. Let me know if you figure it out?

Thanks,

I’m actually playing around with this while on vacation with the family (I need something to do for the hours I wake up earlier than everyone else), so I’m not sure I will get around to re-testing until later today or maybe tomorrow morning.

I just reset and re-ran the quickstart with the same errors. Is there any additional information that would be helpful to troubleshoot?

I’m seeing the same errors during router enrollment and will try to figure out what the issue is. Here’s the tail end of the output from expressInstall.

******** Setting Up Edge Router ********
Untrusted certificate authority retrieved from server
Verified that server supplied certificates are trusted by server
Server supplied 5 certificates
Server certificate chain written to /home/ubuntu/.config/ziti/certs/54.215.85.100
RESTY 2023/08/10 17:54:21 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 1
RESTY 2023/08/10 17:54:21 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 2
RESTY 2023/08/10 17:54:21 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 3
RESTY 2023/08/10 17:54:21 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 4
RESTY 2023/08/10 17:54:22 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 5
RESTY 2023/08/10 17:54:23 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 1
RESTY 2023/08/10 17:54:23 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 2
RESTY 2023/08/10 17:54:23 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 3
RESTY 2023/08/10 17:54:24 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 4
RESTY 2023/08/10 17:54:24 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 5
RESTY 2023/08/10 17:54:25 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 1
RESTY 2023/08/10 17:54:25 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 2
RESTY 2023/08/10 17:54:26 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 3
RESTY 2023/08/10 17:54:26 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 4
RESTY 2023/08/10 17:54:26 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 5
error: unable to authenticate to https://54.215.85.100:8441. Error: Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100

----------  Creating an edge router policy allowing all identities to connect to routers with a #public attribute
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
----------  Creating a service edge router policy allowing all services to use #public edge routers
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json

USING ZITI_ROUTER_NAME: ip-172-31-30-14-edge-router
RESTY 2023/08/10 17:54:28 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 1
RESTY 2023/08/10 17:54:28 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 2
RESTY 2023/08/10 17:54:28 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 3
RESTY 2023/08/10 17:54:29 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 4
RESTY 2023/08/10 17:54:29 ERROR Get "https://54.215.85.100:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 5
RESTY 2023/08/10 17:54:30 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 1
RESTY 2023/08/10 17:54:31 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 2
RESTY 2023/08/10 17:54:31 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 3
RESTY 2023/08/10 17:54:31 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 4
RESTY 2023/08/10 17:54:32 ERROR Get "https://54.215.85.100:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 5
RESTY 2023/08/10 17:54:33 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 1
RESTY 2023/08/10 17:54:33 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 2
RESTY 2023/08/10 17:54:33 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 3
RESTY 2023/08/10 17:54:33 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 4
RESTY 2023/08/10 17:54:34 ERROR Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100, Attempt 5
error: unable to authenticate to https://54.215.85.100:8441. Error: Post "https://54.215.85.100:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 54.215.85.100
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
public router configuration file written to: /home/ubuntu/.ziti/quickstart/ip-172-31-30-14/ip-172-31-30-14-edge-router.yaml
  --- There was an error during router enrollment, check the logs at /home/ubuntu/.ziti/quickstart/ip-172-31-30-14/ip-172-31-30-14-edge-router.enrollment.log ---

Controller stopped.
Edge Router enrolled.

Congratulations. Express setup complete!
Your ZITI_HOME is located here: /home/ubuntu/.ziti/quickstart/ip-172-31-30-14
Your admin password is: ***redacted***

Start your Ziti Controller by running the function: startController
Start your Ziti Edge Router by running : startRouter

Hi @GoldenPSP, welcome to the community.

Currently, there is a bug when using an IP in the EXTERNAL_DNS field. I have a PR up with the fix; if you don’t want to wait, you can swap out the file that is sourced in the quickstart with this one and it should take care of it.

https://raw.githubusercontent.com/openziti/ziti/f55c1b41d996766bf1079da2da07acb16a822256/quickstart/docker/image/ziti-cli-functions.sh

In the meantime I’ll try to get the PR merged.

Thanks. No rush. I’ve been playing around with getting a controller spun up during my downtime on vacation.

Hey @gberl002
I tried running quickstart with your listed file. It seemed to get further, however I still ended up with errors.

Sorry for the messy paste. I didn’t see a way to attach a file

ZITI_CTRL_EDGE_ADVERTISED_ADDRESS seems to be an IP address, it will not be added to the SANs DNS list.
Creating server cert from ca: holoskizitipersonal-intermediate for holoskizitipersonal,localhost
key exists
Creating client cert from ca: holoskizitipersonal-intermediate for holoskizitipersonal,localhost
key exists

ZITI_CTRL_EDGE_ADVERTISED_ADDRESS seems to be an IP address, it will not be added to the SANs DNS list.
Creating server cert from ca: holoskizitipersonal-edge-controller-intermediate for holoskizitipersonal,localhost
key exists
Creating client cert from ca: holoskizitipersonal-edge-controller-intermediate for holoskizitipersonal,localhost
key exists

PKI generated successfully

******** Setting Up Controller ********
wrote CA file to: /home/ubuntu/.ziti/quickstart/holoskizitipersonal/pki/cas.pem
This will overwrite the existing file, continue? (y/N) n
--- Cancelling overwrite ---
ZITI_HOME overridden: /home/ubuntu/.ziti/quickstart/holoskizitipersonal
holoskizitipersonal initialized. See /home/ubuntu/.ziti/quickstart/holoskizitipersonal/holoskizitipersonal-init.log for details
[1] 24060
ziti controller started as process id: 24060. log located at: /home/ubuntu/.ziti/quickstart/holoskizitipersonal/holoskizitipersonal.log
waiting for the controller to come online to allow the edge router to enroll
waiting for https://129.80.114.234:8441

******** Setting Up Edge Router ********
RESTY 2023/08/11 22:08:52 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 1
RESTY 2023/08/11 22:08:52 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 2
RESTY 2023/08/11 22:08:53 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 3
RESTY 2023/08/11 22:08:53 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 4
RESTY 2023/08/11 22:08:54 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 5
RESTY 2023/08/11 22:08:55 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 1
RESTY 2023/08/11 22:08:55 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 2
RESTY 2023/08/11 22:08:55 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 3
RESTY 2023/08/11 22:08:56 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 4
RESTY 2023/08/11 22:08:56 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 5
RESTY 2023/08/11 22:08:57 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 1
RESTY 2023/08/11 22:08:57 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 2
RESTY 2023/08/11 22:08:58 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 3
RESTY 2023/08/11 22:08:58 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 4
RESTY 2023/08/11 22:08:59 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 5
error: unable to authenticate to https://129.80.114.234:8441. Error: Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234

---------- Creating an edge router policy allowing all identities to connect to routers with a #public attribute
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
---------- Creating a service edge router policy allowing all services to use #public edge routers
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json

USING ZITI_ROUTER_NAME: holoskizitipersonal-edge-router
RESTY 2023/08/11 22:09:01 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 1
RESTY 2023/08/11 22:09:01 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 2
RESTY 2023/08/11 22:09:01 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 3
RESTY 2023/08/11 22:09:02 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 4
RESTY 2023/08/11 22:09:02 ERROR Get "https://129.80.114.234:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 5
RESTY 2023/08/11 22:09:04 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 1
RESTY 2023/08/11 22:09:04 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 2
RESTY 2023/08/11 22:09:04 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 3
RESTY 2023/08/11 22:09:04 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 4
RESTY 2023/08/11 22:09:05 ERROR Get "https://129.80.114.234:8441/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 5
RESTY 2023/08/11 22:09:07 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 1
RESTY 2023/08/11 22:09:07 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 2
RESTY 2023/08/11 22:09:07 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 3
RESTY 2023/08/11 22:09:07 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 4
RESTY 2023/08/11 22:09:08 ERROR Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234, Attempt 5
error: unable to authenticate to https://129.80.114.234:8441. Error: Post "https://129.80.114.234:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 129.80.114.234
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
error: no identity 'default' found in cli config /home/ubuntu/.config/ziti/ziti-cli.json
This will overwrite the existing file, continue? (y/N) n
--- Cancelling overwrite ---
--- There was an error during router enrollment, check the logs at /home/ubuntu/.ziti/quickstart/holoskizitipersonal/holoskizitipersonal-edge-router.enrollment.log ---

Hey @GoldenPSP sorry, I missed your reply. It looks like your external IP isn’t getting entered into the PKI SANs. If you don’t mind, can you try running the “host ziti anywhere” quickstart using the doc? I merged the fix so the doc should work as-is at this point.
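
Added example (not part of the thread and not OpenZiti code): a Go program showing how Go's `crypto/x509` name check, which produces the "certificate is valid for ..., not ..." errors quoted in this thread, treats IP and DNS SAN entries separately. The helper names `SplitSANs`, `IssueTestCert` and `CheckAdvertised` are hypothetical, the certificates are throwaway self-signed ones, and `203.0.113.10` is a constructed documentation address standing in for a public IP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SplitSANs files each advertised address under the SAN type the verifier
// actually consults: IP literals as iPAddress, everything else as dNSName.
func SplitSANs(addrs []string) (dns []string, ips []string) {
	for _, a := range addrs {
		if net.ParseIP(a) != nil {
			ips = append(ips, a)
		} else {
			dns = append(dns, a)
		}
	}
	return dns, ips
}

// IssueTestCert returns a throwaway self-signed server certificate carrying
// exactly the given SAN entries (constructed test data, not a Ziti PKI).
func IssueTestCert(dns []string, ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-test-controller"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dns,
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("not an IP literal: %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckAdvertised runs the name check a Go TLS client performs against the
// leaf certificate and returns "" on success or the verifier's error text.
func CheckAdvertised(cert *x509.Certificate, addr string) string {
	if err := cert.VerifyHostname(addr); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	const public = "203.0.113.10" // constructed stand-in for the public IP

	// Case 1: the public IP is present only as a dNSName entry. When the
	// client dials an IP literal, only iPAddress entries are compared.
	misfiled, err := IssueTestCert([]string{"localhost", public}, []string{"127.0.0.1"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("IP filed as DNS SAN: %q\n", CheckAdvertised(misfiled, public))

	// Case 2: the same addresses, each filed under the matching SAN type.
	dns, ips := SplitSANs([]string{"localhost", public, "127.0.0.1"})
	fixed, err := IssueTestCert(dns, ips)
	if err != nil {
		panic(err)
	}
	fmt.Printf("IP filed as IP SAN:  %q\n", CheckAdvertised(fixed, public))

	// Case 3: only the machine hostname and localhost are present, and the
	// client dials the external DNS name.
	hostOnly, err := IssueTestCert([]string{"ip-172-26-4-246", "localhost"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("external name missing: %q\n", CheckAdvertised(hostOnly, "ziti.redacted.com"))
}
```

To inspect an existing certificate the same way, load its PEM, parse it with `x509.ParseCertificate`, and pass the result to `CheckAdvertised` together with the address clients will dial.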

Thanks. Unfortunately as I’ve gotten deeper into OpenZiti, I don’t think it really fits my use case at this time so I put my testing on hold. I will definitely follow the project however.

Thanks for the feedback. Why doesn’t it fit your use case, out of interest?

Hey, I have these exact problems when using the expressInstall script, and it doesn't matter if I'm using my domain "ziti.redacted.com" or my IP address "1.2.3.4".

I'm setting this up on AWS Lightsail, where there is a public (the "1.2.3.4") and a private IP ("172.26.4.246"), maybe it has something to do with this.
"curl -s eth0.me" gives me the public IP though, so I thought I should be fine.

"ip-172-26-4-246" is the name of my virtual machine.

EXTERNAL_DNS:ziti.redacted.com 
EXTERNAL_IP:1.2.3.4 
ZITI_CTRL_EDGE_IP_OVERRIDE:1.2.3.4 
ZITI_ROUTER_IP_OVERRIDE:1.2.3.4 
ZITI_CTRL_EDGE_ADVERTISED_ADDRES: ZITI_ROUTER_ADVERTISED_ADDRESS:ziti.redacted.com 
ZITI_CTRL_ADVERTISED_PORT:8440 
ZITI_CTRL_EDGE_ADVERTISED_PORT:8441 
ZITI_ROUTER_PORT:8442
******** Setting Up Edge Router ********
RESTY 2024/02/07 08:19:11 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1
RESTY 2024/02/07 08:19:11 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 2
RESTY 2024/02/07 08:19:11 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 3
RESTY 2024/02/07 08:19:12 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 4
RESTY 2024/02/07 08:19:12 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 5
RESTY 2024/02/07 08:19:13 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1
RESTY 2024/02/07 08:19:13 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 2
RESTY 2024/02/07 08:19:14 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 3
RESTY 2024/02/07 08:19:14 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 4
RESTY 2024/02/07 08:19:15 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 5
RESTY 2024/02/07 08:19:16 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1
RESTY 2024/02/07 08:19:16 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 2
RESTY 2024/02/07 08:19:16 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 3
RESTY 2024/02/07 08:19:16 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 4
RESTY 2024/02/07 08:19:17 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 5
error: unable to authenticate to https://ziti.redacted.com:8441. Error: Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com
[1]+  Exit 2                  "${ZITI_BIN_DIR-}/ziti" controller run "${ZITI_HOME}/${ZITI_CTRL_NAME}.yaml" &> "${log_file}" 2>&1

----------  Creating an edge router policy allowing all identities to connect to routers with a #public attribute
RESTY 2024/02/07 08:19:18 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies?filter=id+%3D+%22allEdgeRouters%22+or+name%3D%22allEdgeRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 1
RESTY 2024/02/07 08:19:18 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies?filter=id+%3D+%22allEdgeRouters%22+or+name%3D%22allEdgeRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 2
RESTY 2024/02/07 08:19:18 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies?filter=id+%3D+%22allEdgeRouters%22+or+name%3D%22allEdgeRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 3
RESTY 2024/02/07 08:19:18 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies?filter=id+%3D+%22allEdgeRouters%22+or+name%3D%22allEdgeRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 4
RESTY 2024/02/07 08:19:19 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies?filter=id+%3D+%22allEdgeRouters%22+or+name%3D%22allEdgeRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 5
error: unable to list entities at https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies?filter=id+%3D+%22allEdgeRouters%22+or+name%3D%22allEdgeRouters%22 in Ziti Controller at https://ip-172-26-4-246:1280/edge/management/v1. Error: Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies?filter=id+%3D+%22allEdgeRouters%22+or+name%3D%22allEdgeRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused
RESTY 2024/02/07 08:19:20 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 1
RESTY 2024/02/07 08:19:20 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 2
RESTY 2024/02/07 08:19:20 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 3
RESTY 2024/02/07 08:19:20 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 4
RESTY 2024/02/07 08:19:21 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 5
error: unable to create edge-router-policies instance in Ziti Edge Controller at https://ip-172-26-4-246:1280/edge/management/v1. Error: Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused
----------  Creating a service edge router policy allowing all services to use #public edge routers
RESTY 2024/02/07 08:19:22 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies?filter=id+%3D+%22allSvcAllRouters%22+or+name%3D%22allSvcAllRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 1
RESTY 2024/02/07 08:19:22 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies?filter=id+%3D+%22allSvcAllRouters%22+or+name%3D%22allSvcAllRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 2
RESTY 2024/02/07 08:19:22 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies?filter=id+%3D+%22allSvcAllRouters%22+or+name%3D%22allSvcAllRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 3
RESTY 2024/02/07 08:19:22 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies?filter=id+%3D+%22allSvcAllRouters%22+or+name%3D%22allSvcAllRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 4
RESTY 2024/02/07 08:19:23 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies?filter=id+%3D+%22allSvcAllRouters%22+or+name%3D%22allSvcAllRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 5
error: unable to list entities at https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies?filter=id+%3D+%22allSvcAllRouters%22+or+name%3D%22allSvcAllRouters%22 in Ziti Controller at https://ip-172-26-4-246:1280/edge/management/v1. Error: Get "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies?filter=id+%3D+%22allSvcAllRouters%22+or+name%3D%22allSvcAllRouters%22": dial tcp 172.26.4.246:1280: connect: connection refused
RESTY 2024/02/07 08:19:24 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 1
RESTY 2024/02/07 08:19:24 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 2
RESTY 2024/02/07 08:19:24 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 3
RESTY 2024/02/07 08:19:24 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 4
RESTY 2024/02/07 08:19:25 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 5
error: unable to create service-edge-router-policies instance in Ziti Edge Controller at https://ip-172-26-4-246:1280/edge/management/v1. Error: Post "https://ip-172-26-4-246:1280/edge/management/v1/service-edge-router-policies": dial tcp 172.26.4.246:1280: connect: connection refused

USING ZITI_ROUTER_NAME: ip-172-26-4-246-edge-router
RESTY 2024/02/07 08:19:26 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1
RESTY 2024/02/07 08:19:26 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 2
RESTY 2024/02/07 08:19:26 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 3
RESTY 2024/02/07 08:19:27 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 4
RESTY 2024/02/07 08:19:27 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 5
RESTY 2024/02/07 08:19:29 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1
RESTY 2024/02/07 08:19:29 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 2
RESTY 2024/02/07 08:19:29 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 3
RESTY 2024/02/07 08:19:29 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 4
RESTY 2024/02/07 08:19:30 ERROR Get "https://ziti.redacted.com:8441/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 5
RESTY 2024/02/07 08:19:31 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1
RESTY 2024/02/07 08:19:31 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 2
RESTY 2024/02/07 08:19:31 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 3
RESTY 2024/02/07 08:19:32 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 4
RESTY 2024/02/07 08:19:32 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 5
error: unable to authenticate to https://ziti.redacted.com:8441. Error: Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com
RESTY 2024/02/07 08:19:34 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers?filter=id+%3D+%22ip-172-26-4-246-edge-router%22+or+name%3D%22ip-172-26-4-246-edge-router%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 1
RESTY 2024/02/07 08:19:34 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers?filter=id+%3D+%22ip-172-26-4-246-edge-router%22+or+name%3D%22ip-172-26-4-246-edge-router%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 2
RESTY 2024/02/07 08:19:34 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers?filter=id+%3D+%22ip-172-26-4-246-edge-router%22+or+name%3D%22ip-172-26-4-246-edge-router%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 3
RESTY 2024/02/07 08:19:34 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers?filter=id+%3D+%22ip-172-26-4-246-edge-router%22+or+name%3D%22ip-172-26-4-246-edge-router%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 4
RESTY 2024/02/07 08:19:35 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers?filter=id+%3D+%22ip-172-26-4-246-edge-router%22+or+name%3D%22ip-172-26-4-246-edge-router%22": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 5
error: unable to list entities at https://ip-172-26-4-246:1280/edge/management/v1/edge-routers?filter=id+%3D+%22ip-172-26-4-246-edge-router%22+or+name%3D%22ip-172-26-4-246-edge-router%22 in Ziti Controller at https://ip-172-26-4-246:1280/edge/management/v1. Error: Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers?filter=id+%3D+%22ip-172-26-4-246-edge-router%22+or+name%3D%22ip-172-26-4-246-edge-router%22": dial tcp 172.26.4.246:1280: connect: connection refused
RESTY 2024/02/07 08:19:36 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 1
RESTY 2024/02/07 08:19:36 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 2
RESTY 2024/02/07 08:19:36 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 3
RESTY 2024/02/07 08:19:37 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 4
RESTY 2024/02/07 08:19:37 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 5
error: unable to create edge-routers instance in Ziti Edge Controller at https://ip-172-26-4-246:1280/edge/management/v1. Error: Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers": dial tcp 172.26.4.246:1280: connect: connection refused
public router configuration file written to: /home/ubuntu/.ziti/quickstart/ip-172-26-4-246/ip-172-26-4-246-edge-router.yaml
  --- There was an error during router enrollment, check the logs at /home/ubuntu/.ziti/quickstart/ip-172-26-4-246/ip-172-26-4-246-edge-router.enrollment.log ---

Hi @denMaier, welcome to the community and to OpenZiti!

RESTY 2024/02/07 08:19:11 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1

RESTY 2024/02/07 08:19:19 ERROR Get "https://ip-172-26-4-246:1280/edge/management/v1/edge-router-policies?filter=id+%3D+"allEdgeRouters"+or+name%3D"allEdgeRouters"": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 5

There are two errors there that seem really strange! I'm going to go spin up a brand new environment and test the quickstart out. This looks like somehow, the PKI required by OpenZiti (and generated by the quickstart) didn't succeed properly. The first error, it looks like your ziti.redacted.com address didn't make it into the PKI (which is what happens when you don't have the external DNS set and run the quickstart). Did you happen to run it twice perhaps? Just a guess.

The second error is very strange since it shows port 1280. That's definitely wrong as the first error shows 8441.

I'll go run through a quickstart and post back any observations.

I was able to make a new VM in AWS and install the quickstart without these sorts of issues.

# set up my external DNS
export EXTERNAL_DNS=ec2-3-16-150-173.us-east-2.compute.amazonaws.com

# set up some other information as per the doc
export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_CTRL_EDGE_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441
export ZITI_ROUTER_PORT=8442

# then I ran
source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"; expressInstall

Then I enabled systemd and verified it was running.

My best guess is that you ran the quickstart once and forgot to have all the holes in the firewall open (super easy thing to do) and then ran the quickstart again but there was some sort of state that survived between those install attempts?

I would recommend you:

  • Delete the directory the quickstart uses completely: rm -r $HOME/.ziti
  • Exit your bash/zsh/terminal and launch a new one and connect to your VM (this ensures no variables are set in your shell to cause conflicts/issues)
  • Run through the quickstart again and report back.

If it fails again, please capture your full log and share it with me via DM or send it to clint at openziti.org and I'll look at your terminal session output.

Hope that helps
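
One way to collapse the retry noise in a log like the one above into the distinct failures this reply discusses, as an added example that is not part of the original posts. The function names are hypothetical; the sample lines are taken from the quoted log with the retries trimmed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: lines taken from the log quoted above, retries trimmed.
SAMPLE_LOG='RESTY 2024/02/07 08:19:26 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1
RESTY 2024/02/07 08:19:26 ERROR Get "https://ziti.redacted.com:8441/edge/client/v1/version": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 2
RESTY 2024/02/07 08:19:31 ERROR Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com, Attempt 1
error: unable to authenticate to https://ziti.redacted.com:8441. Error: Post "https://ziti.redacted.com:8441/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-26-4-246, localhost, not ziti.redacted.com
RESTY 2024/02/07 08:19:36 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 1
RESTY 2024/02/07 08:19:36 ERROR Post "https://ip-172-26-4-246:1280/edge/management/v1/edge-routers": dial tcp 172.26.4.246:1280: connect: connection refused, Attempt 2'

# Read a quickstart log on stdin and print one line per distinct failure:
#   san-mismatch <host:port> cert-names=<names the certificate is valid for>
#   conn-refused <host:port>
# Non-RESTY lines and repeated attempts are dropped.
triage_resty() {
  sed -nE \
    -e 's#^RESTY .* ERROR [A-Za-z]+ "https://([^/:"]+):([0-9]+)[^ ]*": .*x509: certificate is valid for (.*), not [^,]+, Attempt [0-9]+$#san-mismatch \1:\2 cert-names=\3#p' \
    -e 's#^RESTY .* ERROR [A-Za-z]+ "https://([^/:"]+):([0-9]+)[^ ]*": dial tcp [0-9.]+:[0-9]+: connect: connection refused, Attempt [0-9]+$#conn-refused \1:\2#p' \
  | sort -u
}

# Read a log on stdin and list every endpoint the client tried that is NOT
# the advertised controller address ($1) and port ($2), e.g. the values of
# ZITI_CTRL_EDGE_ADVERTISED_ADDRESS and ZITI_CTRL_EDGE_ADVERTISED_PORT.
unexpected_endpoints() {
  local want="$1:$2"
  triage_resty | awk -v want="$want" '$2 != want { print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | triage_resty
printf '%s\n' "$SAMPLE_LOG" | unexpected_endpoints ziti.redacted.com 8441
```

A `san-mismatch` line whose `cert-names` lack the advertised address means the certificate was issued without it; an entry from `unexpected_endpoints` means some client configuration still targets a different host or port than the one advertised.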

Hi @TheLumberjack, I guess something like that must have happened, because I ran the script multiple times since I couldn't figure out what was wrong. Maybe at first I had a totally different error.
I reset the whole thing using: Reset the Quickstart | OpenZiti
Maybe that was not enough to reset the problems I had?
Nonetheless, the deployment seemed to have worked after deleting the whole .ziti folder and opening a new terminal.
Thank you!
