Quickstart(ish): Can see service but can't access it

Hello!

I got a basic setup via the quickstart “host anywhere” option, which got everything up and running. I then (mostly) followed Zero Trust Host Access | OpenZiti with some modifications (primarily the service name, and also using the existing edge router identity for the host bind) to try to get my synology accessible via ziti as a test. I generated an identity jwt, passed it to a windows computer with the desktop edge, and added it successfully. I can see it showing one service (synology-chaos).

I cannot access it using curl synology-chaos.ziti. Accessing it directly using curl 192.168.42.7:5000 works fine on both the ziti host and the windows computer.

The service log on the Windows client says:

[2023-05-01T05:55:01.303Z]   ERROR ziti-sdk:connect.c:963 connect_reply_cb() conn[0.9/Connecting] failed to connect, reason=service 2atfjDdTVBSlVM0YWRnvah has no terminators
[2023-05-01T05:55:01.303Z]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: connection is closed

So that seems like a potential issue, and ziti edge list terminators shows no results.

Since that Host Access tutorial doesn’t mention terminators at all, I’m not sure where to go from there. Checking other docs, it sounds like it’s (in theory) meant to be set up by the create config host.v1 command, since that defines how to get to the actual host from the edge router?

Let me know if there’s any useful information I can provide that might help. I’m sure there’s probably something I’ve missed here, since everything seems to almost be there…

Often the “no terminators” error is just due to a misconfigured bind policy. Policy advisor can be incredibly helpful. If you run ziti edge policy-advisor services, do you show any identities which are authorized to bind the service?

That’s the first thing I would check.

Yep, running that gives a general guidelines text, and at the bottom:

Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST
-------------------------------------------------------------------------------
OKAY : ran-edge-router (1) -> synology-chaos.svc (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : amackenzie-home (1) -> synology-chaos.svc (1) Common Routers: (1/1) Dial: Y Bind: N

Does this look okay? amackenzie-home is the "user" identity being used on the Windows client.

Hmmm. Yes. The ‘ran-edge-router’ should be making a terminator. That’s strange indeed. Could you restart that router and see if that kickstarts the process? If so, that would point to a bug around service refresh not being accounted for quite right.

Let’s start there, restart the router and then see if you still get the ‘no terminator’ error.

Hmmm. I shut down the router using service ziti-router stop, checked ps aux | grep ziti to make sure it was gone, then started it again using service ziti-router start. I still get the no terminator error in the logs on the windows setup, and ziti edge list terminators on the host still do not show any terminators.

pi@ran:~ $ ziti edge list terminators
╭────┬─────────┬────────┬─────────┬─────────┬──────────┬──────┬────────────┬──────────────╮
│ ID │ SERVICE │ ROUTER │ BINDING │ ADDRESS │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────┼─────────┼────────┼─────────┼─────────┼──────────┼──────┼────────────┼──────────────┤
╰────┴─────────┴────────┴─────────┴─────────┴──────────┴──────┴────────────┴──────────────╯
results: none

Unrelated note that I was reminded of when logging on to test this, sourcing the env quickstart file has some minor warnings:

pi@ran:~ $ source .ziti/quickstart/ran/ran.env
bash: alias: -y: not found
bash: alias: -y: not found

                  ziti binaries are located at: /home/pi/.ziti/quickstart/ran/ziti-bin/ziti-v0.27.9
add this to your path if you want by executing: export PATH=$PATH:/home/pi/.ziti/quickstart/ran/ziti-bin/ziti-v0.27.9

As far as I can tell those are from the zitiLogin command, which seems to work fine still.

And just to confirm, can you check ziti edge list identities and verify that ran-edge-router is indeed a “Router” identity and then run ziti edge list edge-routers and verify that the router shows online? What you have seems correct to me, but sometimes it’s hard to get straight in my head and know without seeing all the commands that you’ve run.

For the alias -y issue, that was a bug that was resolved. If you source the file again, it shouldn’t contain the errant quote (") that was causing this error.

What you’re doing seems correct to me. If you’re ok with providing me the output, if you could just run the following commands to give me a proper view of what you have so far, that’d be best. If you don’t want to publish here for any reason, feel free to dm me on discourse or email me clint at openziti.org:

ziti edge list edge-routers
ziti edge list identities
ziti edge list configs
ziti edge list services
ziti edge list service-policies

alias zlogin='ziti edge login "${ZITI_EDGE_CTRL_ADVERTISED}" -u "${ZITI_USER-}" -p "${ZITI_PWD}"' -y
alias zitiLogin='ziti edge login "${ZITI_EDGE_CTRL_ADVERTISED}" -u "${ZITI_USER-}" -p "${ZITI_PWD}"' -y

I think all the quotes line up in it? This is a pretty fresh install (reinstalled yesterday for testing), so not sure why it’s doing that. Can reinstall from scratch if needed since I’ve done the quickstart a few times and threw all that + some config stuff in some scripts for ease of use at this point.

As for the commands:

pi@ran:~ $ ziti edge list edge-routers
╭────────────┬─────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME            │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼─────────────────┼────────┼───────────────┼──────┼────────────┤
│ BHK9l7Ne1K │ ran-edge-router │ true   │ true          │    0 │ public     │
╰────────────┴─────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-1 of 1
pi@ran:~ $ ziti edge list identities
╭────────────┬─────────────────┬────────┬──────────────────┬─────────────╮
│ ID         │ NAME            │ TYPE   │ ATTRIBUTES       │ AUTH-POLICY │
├────────────┼─────────────────┼────────┼──────────────────┼─────────────┤
│ BHK9l7Ne1K │ ran-edge-router │ Router │                  │ default     │
│ JcZfzmtEE  │ amackenzie-home │ User   │ synology-clients │ default     │
│ j1JsELhww  │ Default Admin   │ User   │                  │ default     │
╰────────────┴─────────────────┴────────┴──────────────────┴─────────────╯
results: 1-3 of 3
pi@ran:~ $ ziti edge list configs
╭────────────────────────┬─────────────────────────────┬──────────────╮
│ ID                     │ NAME                        │ CONFIG TYPE  │
├────────────────────────┼─────────────────────────────┼──────────────┤
│ 5clTXOsR6a47HksAyMTkTD │ synology-chaos.host.v1      │ host.v1      │
│ 7iDpKSRRDfn8J04ckPdRyD │ synology-chaos.intercept.v1 │ intercept.v1 │
╰────────────────────────┴─────────────────────────────┴──────────────╯
results: 1-2 of 2
pi@ran:~ $ ziti edge list services
╭────────────────────────┬────────────────────┬────────────┬─────────────────────┬────────────╮
│ ID                     │ NAME               │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│                        │                    │  REQUIRED  │                     │            │
├────────────────────────┼────────────────────┼────────────┼─────────────────────┼────────────┤
│ 2atfjDdTVBSlVM0YWRnvah │ synology-chaos.svc │ true       │ smartrouting        │            │
╰────────────────────────┴────────────────────┴────────────┴─────────────────────┴────────────╯
results: 1-1 of 1
pi@ran:~ $ ziti edge list service-policies
╭────────────────────────┬────────────────────────────┬──────────┬─────────────────────┬───────────────────┬─────────────────────╮
│ ID                     │ NAME                       │ SEMANTIC │ SERVICE ROLES       │ IDENTITY ROLES    │ POSTURE CHECK ROLES │
├────────────────────────┼────────────────────────────┼──────────┼─────────────────────┼───────────────────┼─────────────────────┤
│ 2UEFBewrkl298sZKPtRwi0 │ synology-chaos.policy.dial │ AllOf    │ @synology-chaos.svc │ #synology-clients │                     │
│ 4vELgixsoIqSZtDfdxO1aN │ synology-chaos.policy.bind │ AllOf    │ @synology-chaos.svc │ @ran-edge-router  │                     │
╰────────────────────────┴────────────────────────────┴──────────┴─────────────────────┴───────────────────┴─────────────────────╯
results: 1-2 of 2

Is that what is in your $HOME/.ziti/quickstart/ran/ran.env file? There should be an errant quote at the end of that line. It was fixed very recently with this pr. I

Your setup looks fine to me. One last thing to check, can you run ziti edge show config synology-chaos.host.v1 and ziti edge list services -j for the second one, I'm looking for the "configs" section to make sure the service has both configs attached to it. For example I'd expect to see:

"configs": [
    "5clTXOsR6a47HksAyMTkTD",
    "7iDpKSRRDfn8J04ckPdRyD"
],

You should see both your config id's listed: 5clTXOsR6a47HksAyMTkTD and 7iDpKSRRDfn8J04ckPdRyD as shown above.

Screenshot of that section of ran.env: https://i.imgur.com/EDjnxgC.png

I do see that in the commands you provided:

pi@ran:~ $ ziti edge show config synology-chaos.host.v1
{
    "address": "192.168.42.7",
    "port": 5000,
    "protocol": "tcp"
}
pi@ran:~ $ ziti edge list services -j
{
    "data": [
        {
            "_links": {
                "configs": {
                    "href": "./services/2atfjDdTVBSlVM0YWRnvah/configs"
                },
                "self": {
                    "href": "./services/2atfjDdTVBSlVM0YWRnvah"
                },
                "service-edge-router-policies": {
                    "href": "./services/2atfjDdTVBSlVM0YWRnvah/service-edge-router-policies"
                },
                "service-policies": {
                    "href": "./services/2atfjDdTVBSlVM0YWRnvah/service-policies"
                },
                "terminators": {
                    "href": "./services/2atfjDdTVBSlVM0YWRnvah/terminators"
                }
            },
            "createdAt": "2023-05-01T01:37:36.516Z",
            "id": "2atfjDdTVBSlVM0YWRnvah",
            "tags": {},
            "updatedAt": "2023-05-01T01:37:36.516Z",
            "config": {},
            "configs": [
                "5clTXOsR6a47HksAyMTkTD",
                "7iDpKSRRDfn8J04ckPdRyD"
            ],
            "encryptionRequired": true,
            "name": "synology-chaos.svc",
            "permissions": [
                "Bind",
                "Dial"
            ],
            "postureQueries": [],
            "roleAttributes": null,
            "terminatorStrategy": "smartrouting"
        }
    ],
    "meta": {
        "filterableFields": [
            "createdAt",
            "updatedAt",
            "isSystem",
            "name",
            "roleAttributes",
            "configs",
            "terminatorStrategy",
            "id",
            "tags"
        ],
        "pagination": {
            "limit": 10,
            "offset": 0,
            "totalCount": 1
        }
    }
}

Roughly in the middle!

Oh geez, that’s a different bug indeed. I’ll get that fixed. You need to update the file for the annoying error to go away… The ending apostrophe belongs at the end of the line:

image894×139 12.6 KB

I’ll get that fixed up, thanks for letting me know!

As for the terminator problem, that’s very strange. Usually when I find myself in this situation I have something subtle somewhere that I’ve missed.

If you tail and follow your log, then restat the router, do you see 4 message like this in the log?

May 01 17:22:21 ip-172-31-11-231 ziti-router[3077036]: {"file":"github.com/openziti/edge@v0.24.239/tunnel/intercept/svcpoll.go:242","func":"github.com/openziti/edge/tunnel/intercept.(*ServiceListener).addService","level":"info","msg":"Hosting newly available service","serviceId":"3DBzMS6KWTfnZva4mGMurY","serviceName":"weather-svc","time":"2023-05-01T17:22:21.897Z"}
May 01 17:22:21 ip-172-31-11-231 ziti-router[3077036]: {"file":"github.com/openziti/edge@v0.24.239/router/xgress_edge_tunnel/fabric.go:312","func":"github.com/openziti/edge/router/xgress_edge_tunnel.(*fabricProvider).establishTerminatorWithRetry.func1","level":"info","msg":"attempting to establish terminator","service":"weather-svc","time":"2023-05-01T17:22:21.897Z"}
May 01 17:22:21 ip-172-31-11-231 ziti-router[3077036]: {"file":"github.com/openziti/edge@v0.24.239/router/xgress_edge_tunnel/fabric.go:404","func":"github.com/openziti/edge/router/xgress_edge_tunnel.(*fabricProvider).HandleTunnelResponse","level":"info","msg":"received new session","routerId":"q4Am7dpMfW","sessionId":"clh0lfweo01vlabqfszgbmgeg","terminatorId":"73fdde54-9c58-4337-a24e-1e8dc5f66c3b","time":"2023-05-01T17:22:21.901Z"}
May 01 17:22:21 ip-172-31-11-231 ziti-router[3077036]: {"createDuration":4514889,"file":"github.com/openziti/edge@v0.24.239/router/xgress_edge_tunnel/fabric.go:426","func":"github.com/openziti/edge/router/xgress_edge_tunnel.(*fabricProvider).HandleTunnelResponse","level":"info","msg":"received terminator created notification","routerId":"q4Am7dpMfW","terminatorId":"73fdde54-9c58-4337-a24e-1e8dc5f66c3b","time":"2023-05-01T17:22:21.901Z"}

Basically, it goes:

• “Hosting newly available service”
• “attempting to establish terminator”
• “received new session”
• “received terminator created notification”

Oh geeze, this is a bit nutty and I almost certainly did something wrong somewhere. These are longer, so I threw them on pastebin.

ziti-router log: ziti-router - Pastebin.com

ziti-controller log: ziti-controller - Pastebin.com

So I followed the log (journalctl -u ziti-router --no-pager -f) and noticed it was giving errors connecting to the controller (roughly at 10:36:17 in this log. So I shut down the router, shut down the controller, turned on the controller, turned on the router, and it looks working now.

10:36:17 in the router log:

May 01 10:36:17 ran ziti-router[27060]: {"endpoint":"tls:ziti.broken-mirror.net:6262","error":"error connecting ctrl (context deadline exceeded)","file":"github.com/openziti/fabric@v0.22.87/router/env/ctrls.go:125","func":"github.com/openziti/fabric/router/env.(*networkControllers).connectToControllerWithBackoff.func2","level":"error","msg":"unable to connect controller","time":"2023-05-01T10:36:17.266Z"}
May 01 10:36:19 ran ziti-router[27060]: {"endpoint":"tls:ziti.broken-mirror.net:6262","error":"error connecting ctrl (context deadline exceeded)","file":"github.com/openziti/fabric@v0.22.87/router/env/ctrls.go:125","func":"github.com/openziti/fabric/router/env.(*networkControllers).connectToControllerWithBackoff.func2","level":"error","msg":"unable to connect controller","time":"2023-05-01T10:36:19.155Z"}
May 01 10:36:21 ran ziti-router[27060]: {"endpoint":"tls:ziti.broken-mirror.net:6262","error":"error connecting ctrl (context deadline exceeded)","file":"github.com/openziti/fabric@v0.22.87/router/env/ctrls.go:125","func":"github.com/openziti/fabric/router/env.(*networkControllers).connectToControllerWithBackoff.func2","level":"error","msg":"unable to connect controller","time":"2023-05-01T10:36:21.053Z"}
May 01 10:36:24 ran ziti-router[27060]: {"endpoint":"tls:ziti.broken-mirror.net:6262","error":"error connecting ctrl (context deadline exceeded)","file":"github.com/openziti/fabric@v0.22.87/router/env/ctrls.go:125","func":"github.com/openziti/fabric/router/env.(*networkControllers).connectToControllerWithBackoff.func2","level":"error","msg":"unable to connect controller","time":"2023-05-01T10:36:24.129Z"}

At the same time in the controller:

May 01 10:36:17 ran ziti-controller[3327]: {"_context":"tls:0.0.0.0:6262","file":"github.com/openziti/channel/v2@v2.0.58/classic_listener.go:154","func":"github.com/openziti/channel/v2.(*classicListener).acceptConnection.func1","level":"error","msg":"error receiving hello from [tls:127.0.0.1:54728] (receive error (EOF))","time":"2023-05-01T10:36:17.076Z"}
May 01 10:36:18 ran ziti-controller[3327]: {"_context":"tls:0.0.0.0:6262","file":"github.com/openziti/channel/v2@v2.0.58/classic_listener.go:154","func":"github.com/openziti/channel/v2.(*classicListener).acceptConnection.func1","level":"error","msg":"error receiving hello from [tls:127.0.0.1:54736] (receive error (EOF))","time":"2023-05-01T10:36:18.325Z"}
May 01 10:36:20 ran ziti-controller[3327]: {"_context":"tls:0.0.0.0:6262","file":"github.com/openziti/channel/v2@v2.0.58/classic_listener.go:154","func":"github.com/openziti/channel/v2.(*classicListener).acceptConnection.func1","level":"error","msg":"error receiving hello from [tls:127.0.0.1:54752] (receive error (read tcp 127.0.1.1:6262-\u003e127.0.0.1:54752: read: connection reset by peer))","time":"2023-05-01T10:36:20.264Z"}
May 01 10:36:22 ran ziti-controller[3327]: {"_context":"tls:0.0.0.0:6262","file":"github.com/openziti/channel/v2@v2.0.58/classic_listener.go:154","func":"github.com/openziti/channel/v2.(*classicListener).acceptConnection.func1","level":"error","msg":"error receiving hello from [tls:127.0.0.1:54762] (receive error (read tcp 127.0.1.1:6262-\u003e127.0.0.1:54762: i/o timeout))","time":"2023-05-01T10:36:22.124Z"}

I didn’t scroll up far enough to see this when I just glanced at the log output on service ziti-controller status, so that’s on me for not reading enough.

The controller was running and didn’t have any recurring errors except for that small block when the router tried to do stuff, so I’m not sure if I configured something wrong there. The restart of both the router and controller appears to have fixed it for now though, which makes me a bit wary that it might come back.

EDIT: Additional info: The most surprising thing is that this happened past a restart of the host raspberry pi in between setting up the quickstart and currently, which is why I’m a bit weirded out that restarting both services appears to have fixed it for now.

Ok cool, we're getting there! These look like simple misconfigurations is all. So my guess is that for 'reasons' the advertised address of the controller is not reachable from the router. That would prevent the router from being told to host a service and explains why there are no terminators nicely.

Let's now look into the controller config file. The "ctrl.listener" value will look something like mine:

listener:             tls:0.0.0.0:6262

Then look at the router config and find the "ctrl.endpoint" value. and it should look something like:

ctrl:
  endpoint:             tls:sg3u22:6262

I'm guessing the router can't get to "ran:6262" (assuming 'ran' is your hostname). Can you try an openssl connect command to that port? Or verify that you can resolve "run"? I think that's the problem now, the router just can't connect to the controller for some reason.

well that's definitely not expected, but maybe somehow the value is resolving?

That should be all you need to do... Strange that it 'fixed itself' though, I didn't anticipate that

Definitely something going on there.

pi@ran:~/.ziti/quickstart/ran $ grep listener ./ran.yaml
  listener:             tls:0.0.0.0:6262
  listener:             tls:0.0.0.0:10000
  # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.
pi@ran:~/.ziti/quickstart/ran $ grep endpoint ./ran-edge-router.yaml
  endpoint:             tls:ziti.broken-mirror.net:6262
pi@ran:~/.ziti/quickstart/ran $ ping ran
PING ran (127.0.1.1) 56(84) bytes of data.
64 bytes from ran (127.0.1.1): icmp_seq=1 ttl=64 time=0.209 ms
64 bytes from ran (127.0.1.1): icmp_seq=2 ttl=64 time=0.158 ms
^C
--- ran ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1023ms
rtt min/avg/max/mdev = 0.158/0.183/0.209/0.025 ms
pi@ran:~/.ziti/quickstart/ran $ ping ziti.broken-mirror.net
PING ran (127.0.1.1) 56(84) bytes of data.
64 bytes from ran (127.0.1.1): icmp_seq=1 ttl=64 time=0.195 ms
64 bytes from ran (127.0.1.1): icmp_seq=2 ttl=64 time=0.177 ms
^C
--- ran ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.177/0.186/0.195/0.009 ms

SS of relevant part in ran.yaml: https://i.imgur.com/vVQE58p.png

SS of relevant part in ran-edge-router.yaml: https://i.imgur.com/uaaA6Lq.png

Just to clarify, the quickstart was run with EXTERNAL_DNS set to ziti.broken-mirror.net, so that value probably isn’t wrong, unless I’m misinterpreting it.

EDIT: Took less searching than expected:

pi@ran:~/.ziti/quickstart/ran $ openssl s_client --connect ran:6262
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
verify return:1
depth=1 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate
verify return:1
depth=0 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran server certificate
verify return:1
---
Certificate chain
 0 s:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran server certificate
   i:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate
 1 s:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate
   i:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
 2 s:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
   i:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF+zCCA+OgAwIBAgIQLDF40K4JYRXR3nciOJDsJTANBgkqhkiG9w0BAQsFADBj
MQswCQYDVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRG
b3VuZHJ5MRAwDgYDVQQLEwdBRFYtREVWMRkwFwYDVQQDExByYW4taW50ZXJtZWRp
YXRlMB4XDTIzMDUwMTAxMTIyNFoXDTI0MDQzMDAxMTI1MlowaTELMAkGA1UEBhMC
VVMxEjAQBgNVBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0Rm91bmRyeTEQMA4G
A1UECxMHQURWLURFVjEfMB0GA1UEAxMWcmFuIHNlcnZlciBjZXJ0aWZpY2F0ZTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALQGoOFNcblAniXbxIQEYc9+
MyjnLE9RrxeRbp2rQ10tI4ggxrQj09OPm7E37RwQZwG6nKJLwqUYr+nqtz7dVhai
BtRHzgT347ekDBuW7fleyk6Lr/S356aCCLUed8EX3nEkp/jCIMmR3NOEX1m2PQHF
XtC9VoyWDQyJOxNkLk6mS2OZj+TlWJBWP0WNoYcKpO3CoY2K3hGWqnY52wybsCSZ
4t/GghDir/p1t47UjQrf8gpFYyA2r+JyGxkha8R8UQxStuBBwCJXKOYjVX6gMz2P
ZJGVGXFTj2LuJZjHR0+foOIEfsqp/7WazoTBId5uZgYoVA1Q2mZAdc01rwcRM5kc
eRq7Py6w2AG8QeGhN0su/pSIZJzjkZ/JgjFyQbxhLl4DU2AfgTr3VAhY+zMNigv4
3Nv2lczUyoQtIjdcy1vPTMLptc99dWtNpQNzyGhBfQO5OQ7v2Db9unQ+c/u55U3/
DaskVDVKXmpJaP94BHb2V8ZdgLdXBmphd8U8Qxv07Yi9tCMBMnZLHeDXOEy8oTw6
xM1z+rt0F9RWg6Mu63SArOXiIywF1hCmYj5sCtK5dNugoDBXKzchcOSPrXm7sd/x
QrI9lDfvPoeaqw8botOOHU0ssDYRq8mAXWlDKBRRg9n+TRgFcZcrdF9l4KVF54ne
2YqWP6dYeZ5aP/7xxnf1AgMBAAGjgaQwgaEwDgYDVR0PAQH/BAQDAgXgMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFEOiOjvMfAUiSXKgoCaD3DUy6jkNMB8GA1UdIwQY
MBaAFKGh8/qpjZbPdH/HJSiKDbyJX6MLMEEGA1UdEQQ6MDiCA3JhboIJbG9jYWxo
b3N0ggNyYW6CA3JhboIWeml0aS5icm9rZW4tbWlycm9yLm5ldIcEfwAAATANBgkq
hkiG9w0BAQsFAAOCAgEA2DlObjkN62x1q9YpVO7LxDirMB37iVDYFwtoM7hfhTt5
AMicrywxliYrABAqISON1XlmSQWQotO7vqIcwl/bhl4DKDO7FNRfXxi41HCHTsEo
beZiYG3KGD6EPhFMsiK1m2980+bvttnT6k79Wok8RSEANdRjfuLOPnG0u81ZB0Iy
KeEno3JGQcnMPpaWUP8Ljp3JjVFZ5m2nPcysvfrsLy6TqbY+7J2o8Iougz9TidoA
v/iTFx1MfXCzKddRhzLPyc62KdBnEg5dNtyk0GXye0xQQaqlsflT4KnXUh5ktXtW
2Qt+zL2NcaogwrPvNyJdJ5ebitXI3XIPPLB/h+W0VML8tmErap5cMbB1tUp3NKhu
VMqn0XLVqYl8cY4dy55xJiBqnJqyqWgvUe499fFDY+rkDtxuTwPMnvCj6b4qhb/z
HRe4XUx70tNVoVCvr3sPCghA5AkHEnWohuR2Sw6MDxkJXykDUwETPTAxwpYZfUFD
k58+j+2uy/IEctW9hPO9Q3QG6dkpJwk1M3c1uSaZd5YTMQcpQVzhf0OI7EXewbdP
6tpDOz5nIL6Ht9v/eRMQ27yAkL1CquBjZNX6FcKXUQXxLqf1kxe49qs7KDFDUuCl
81tv5dxb4F09OWfspivgMPEie3GPsspqLs7FHJu57fpfgonwxv4w3uJsiESoc7Q=
-----END CERTIFICATE-----
subject=C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran server certificate

issuer=C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate

---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5347 bytes and written 377 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
3069390864:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42

I’m not sure what would be a “correct” output for this command though.

What happens when you run openssl s_client -connect ziti.broken-mirror.net:6262? That's the value the router needs to resolve per your screenshot and per your comment wrt EXTERNAL_DNS="ziti.broken-mirror.net".

Pretty similar result:

pi@ran:~ $ openssl s_client -connect ziti.broken-mirror.net:6262
CONNECTED(00000003)
depth=2 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
verify return:1
depth=1 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate
verify return:1
depth=0 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran server certificate
verify return:1
---
Certificate chain
 0 s:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran server certificate
   i:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate
 1 s:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate
   i:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
 2 s:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
   i:C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF+zCCA+OgAwIBAgIQLDF40K4JYRXR3nciOJDsJTANBgkqhkiG9w0BAQsFADBj
MQswCQYDVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRG
b3VuZHJ5MRAwDgYDVQQLEwdBRFYtREVWMRkwFwYDVQQDExByYW4taW50ZXJtZWRp
YXRlMB4XDTIzMDUwMTAxMTIyNFoXDTI0MDQzMDAxMTI1MlowaTELMAkGA1UEBhMC
VVMxEjAQBgNVBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0Rm91bmRyeTEQMA4G
A1UECxMHQURWLURFVjEfMB0GA1UEAxMWcmFuIHNlcnZlciBjZXJ0aWZpY2F0ZTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALQGoOFNcblAniXbxIQEYc9+
MyjnLE9RrxeRbp2rQ10tI4ggxrQj09OPm7E37RwQZwG6nKJLwqUYr+nqtz7dVhai
BtRHzgT347ekDBuW7fleyk6Lr/S356aCCLUed8EX3nEkp/jCIMmR3NOEX1m2PQHF
XtC9VoyWDQyJOxNkLk6mS2OZj+TlWJBWP0WNoYcKpO3CoY2K3hGWqnY52wybsCSZ
4t/GghDir/p1t47UjQrf8gpFYyA2r+JyGxkha8R8UQxStuBBwCJXKOYjVX6gMz2P
ZJGVGXFTj2LuJZjHR0+foOIEfsqp/7WazoTBId5uZgYoVA1Q2mZAdc01rwcRM5kc
eRq7Py6w2AG8QeGhN0su/pSIZJzjkZ/JgjFyQbxhLl4DU2AfgTr3VAhY+zMNigv4
3Nv2lczUyoQtIjdcy1vPTMLptc99dWtNpQNzyGhBfQO5OQ7v2Db9unQ+c/u55U3/
DaskVDVKXmpJaP94BHb2V8ZdgLdXBmphd8U8Qxv07Yi9tCMBMnZLHeDXOEy8oTw6
xM1z+rt0F9RWg6Mu63SArOXiIywF1hCmYj5sCtK5dNugoDBXKzchcOSPrXm7sd/x
QrI9lDfvPoeaqw8botOOHU0ssDYRq8mAXWlDKBRRg9n+TRgFcZcrdF9l4KVF54ne
2YqWP6dYeZ5aP/7xxnf1AgMBAAGjgaQwgaEwDgYDVR0PAQH/BAQDAgXgMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFEOiOjvMfAUiSXKgoCaD3DUy6jkNMB8GA1UdIwQY
MBaAFKGh8/qpjZbPdH/HJSiKDbyJX6MLMEEGA1UdEQQ6MDiCA3JhboIJbG9jYWxo
b3N0ggNyYW6CA3JhboIWeml0aS5icm9rZW4tbWlycm9yLm5ldIcEfwAAATANBgkq
hkiG9w0BAQsFAAOCAgEA2DlObjkN62x1q9YpVO7LxDirMB37iVDYFwtoM7hfhTt5
AMicrywxliYrABAqISON1XlmSQWQotO7vqIcwl/bhl4DKDO7FNRfXxi41HCHTsEo
beZiYG3KGD6EPhFMsiK1m2980+bvttnT6k79Wok8RSEANdRjfuLOPnG0u81ZB0Iy
KeEno3JGQcnMPpaWUP8Ljp3JjVFZ5m2nPcysvfrsLy6TqbY+7J2o8Iougz9TidoA
v/iTFx1MfXCzKddRhzLPyc62KdBnEg5dNtyk0GXye0xQQaqlsflT4KnXUh5ktXtW
2Qt+zL2NcaogwrPvNyJdJ5ebitXI3XIPPLB/h+W0VML8tmErap5cMbB1tUp3NKhu
VMqn0XLVqYl8cY4dy55xJiBqnJqyqWgvUe499fFDY+rkDtxuTwPMnvCj6b4qhb/z
HRe4XUx70tNVoVCvr3sPCghA5AkHEnWohuR2Sw6MDxkJXykDUwETPTAxwpYZfUFD
k58+j+2uy/IEctW9hPO9Q3QG6dkpJwk1M3c1uSaZd5YTMQcpQVzhf0OI7EXewbdP
6tpDOz5nIL6Ht9v/eRMQ27yAkL1CquBjZNX6FcKXUQXxLqf1kxe49qs7KDFDUuCl
81tv5dxb4F09OWfspivgMPEie3GPsspqLs7FHJu57fpfgonwxv4w3uJsiESoc7Q=
-----END CERTIFICATE-----
subject=C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran server certificate

issuer=C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate

---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5347 bytes and written 408 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
3069399056:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42

oh well then that’s good. Can you run:

openssl s_client -connect ziti.broken-mirror.net:6262 | openssl x509 -text | grep -A2 "Subject Alternative"

We’re looking to verify the “X509v3 Subject Alternative Name:” is returning “ziti.broken-mirror.net” in there.

It does indeed show up there, as one of the DNS entries:

pi@ran:~ $ openssl s_client -connect ziti.broken-mirror.net:6262 | openssl x509 -text | grep -A2 "Subject Alternative"
depth=2 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-root-ca Root CA
verify return:1
depth=1 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran-intermediate
verify return:1
depth=0 C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = ran server certificate
verify return:1
3069366288:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42
            X509v3 Subject Alternative Name:
                DNS:ran, DNS:localhost, DNS:ran, DNS:ran, DNS:ziti.broken-mirror.net, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

Firstly, thanks for being responsive and hanging in there! That’s “great”… Could the IP have changed? Or anything else environmental? Were you able to pass traffic now and are you successful other than this interesting issue of “it didn’t work and now it does”?

No worries, I’m actually thankful that you’re so patient! It’s a huge learning experience for me.

The IP is unlikely to change since it’s a static assignment from the local DHCP server (the pi is always .8). The external value for ziti.broken-mirror.net can theoretically change, but it doesn’t look like it has for a few months now; internally the DNS maps that to the pi’s IP (192.168.42.8). I think it’s aliased to localhost on the pi itself.

Changing environment is possible, since I’ve re-done the quickstart a few times to figure out other things up to this point, but to be honest, this is the first success so far, haha.

Currently, it seems to be accessing properly both through browser and using curl on a separate windows computer, so that’s a good start! If it keeps working, I’ll be trying it with some other stuff as well; I just figured a fancy web interface on the synology would be an easy start.

Indeed! and it should have been! You did all the things right, except "look in the logs for issues".

Glad you got it working, if you can ever reproduce the problem (which I'm hoping you can't) then let us know and we'll see if there's something crazy going on! Usually once you get the network setup, as you have, you probably won't need to touch it though!

Ohhhh. One thing. If you re-run the quickstart, you should most definitely rm the whole $HOME/.ziti folder. It's definitely possible you had a PKI mismatch if you didn't stop all the things (router/controller) and then start all the things... THAT has happened to me before (forgetting to stop the router). That ends up with a router PKI that is not from the newly deploy controller and since OpenZiti is all about mTLS, that router wouldn't have been able to communicate to the controller due to the mismatched PKI.

So, if you want to "rerun the quickstart" make sure you rm $HOME/.ziti