Hi,
I'm struggling a bit: what is the right place to put the alt certs in? When a template config is created with ziti create config router edge --routerName test, I see three possible options:
identity:
[...]
#alt_server_certs:
# - server_cert: ""
# server_key: ""
[...]
#transport:
# ws:
[...]
# server_cert: /etc/ziti/config/test.server.chain.cert
# key: /etc/ziti/config/test.key
#alt_server_certs:
# - server_cert: ""
# server_key: ""
I think the transport.ws.server_cert is an old / legacy thing.
But should it be next to identity or on top level?
Just tested it. It works when it is placed at identity.alt_server_certs, but it doesn't work at top level...
1 Like
from my browzer install:
v: 3
identity:
cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.cert"
server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.server.chain.cert"
key: "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.key"
ca: "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.cas"
alt_server_certs:
- server_cert: "/data/docker/letsencrypt/live/clint.demo.openziti.org/fullchain.pem"
server_key: "/data/docker/letsencrypt/live/clint.demo.openziti.org/privkey.pem"
ctrl:
endpoint: tls:ip-172-31-11-231:6262
link:
dialers:
- binding: transport
listeners:
- binding: transport
bind: tls:0.0.0.0:10080
advertise: tls:ec2-3-142-245-63.us-east-2.compute.amazonaws.com:10080
options:
outQueueSize: 4
listeners:
# bindings of edge and tunnel requires an "edge" section below
- binding: edge
address: tls:0.0.0.0:3022
options:
advertise: ec2-3-142-245-63.us-east-2.compute.amazonaws.com:3022
connectTimeoutMs: 5000
getSessionTimeout: 60
- binding: tunnel
options:
mode: host #tproxy|host
- binding: edge
address: wss:0.0.0.0:8505
options:
advertise: wss.clint.demo.openziti.org:8505
connectTimeoutMs: 5000
getSessionTimeout: 60
edge:
csr:
country: US
province: NC
locality: Charlotte
organization: NetFoundry
organizationalUnit: Ziti
sans:
dns:
- localhost
- ec2-3-142-245-63.us-east-2.compute.amazonaws.com
- ip-172-31-11-231
ip:
- "127.0.0.1"
transport:
ws:
writeTimeout: 10
readTimeout: 5
idleTimeout: 120
pongTimeout: 60
pingInterval: 54
handshakeTimeout: 10
readBufferSize: 4096
writeBufferSize: 4096
enableCompression: true
server_cert: /home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.server.chain.cert
key: /home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.key
alt_server_certs:
- server_cert: "/data/docker/letsencrypt/live/clint.demo.openziti.org/fullchain.pem"
server_key: "/data/docker/letsencrypt/live/clint.demo.openziti.org/privkey.pem"
forwarder:
latencyProbeInterval: 0
xgressDialQueueLength: 1000
xgressDialWorkerCount: 128
linkDialQueueLength: 1000
linkDialWorkerCount: 32
you can see there are two places. one at the top, and another at the bottom. To be entirely honest, I don't know which one is needed any more. I didn't even notice this myself until just now.
Also notice the wss binding in the listeners section.
That help? @qrkourier has been in here more recently than I have and might know for sure which of the sections are necessary (if not both)
In my test: It seems the only working place is when it is specified via identity.alt_server_certs. All other places don't work.
curt
July 3, 2024, 9:29pm
4
identity.alt_server_certs.server_certidentity.alt_server_certs.server_key
are the correct config locations to specify the "public" certs browZer needs to facilitate wssER connections.
2 Likes
In summary, transport.ws.server_cert is the deprecated way to configure a different server cert for the WebSocket binding, and is superseded by the identity.alt_server_certs convention. Top-level alt_server_certs was never a thing.
