Right place for the `alt_server_cert` in router config

Hi,

I'm struggling a bit: what is the right place to put the alt certs in? When a template config is created with ziti create config router edge --routerName test, I see three possible options:

identity:
 [...]
  #alt_server_certs:
  #  - server_cert:  ""
  #    server_key:   ""
[...]
#transport:
#  ws:
[...]
#    server_cert: /etc/ziti/config/test.server.chain.cert
#    key: /etc/ziti/config/test.key
#alt_server_certs:
#  - server_cert:  ""
#    server_key:   ""

I think the transport.ws.server_cert is an old / legacy thing.

But should it be next to identity or on top level?

Just tested it. It works when it is placed at identity.alt_server_certs, but it doesn't work at top level...


From my browzer install:

v: 3

identity:
  cert:             "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.cert"
  server_cert:      "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.server.chain.cert"
  key:              "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.key"
  ca:               "/home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.cas"
  alt_server_certs:
    - server_cert:  "/data/docker/letsencrypt/live/clint.demo.openziti.org/fullchain.pem"
      server_key:   "/data/docker/letsencrypt/live/clint.demo.openziti.org/privkey.pem"

ctrl:
  endpoint:             tls:ip-172-31-11-231:6262

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:10080
      advertise:        tls:ec2-3-142-245-63.us-east-2.compute.amazonaws.com:10080
      options:
        outQueueSize:   4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: ec2-3-142-245-63.us-east-2.compute.amazonaws.com:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host
  - binding: edge
    address: wss:0.0.0.0:8505
    options:
      advertise: wss.clint.demo.openziti.org:8505
      connectTimeoutMs: 5000
      getSessionTimeout: 60


edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - localhost
        - ec2-3-142-245-63.us-east-2.compute.amazonaws.com
        - ip-172-31-11-231
      ip:
        - "127.0.0.1"


transport:
  ws:
    writeTimeout: 10
    readTimeout: 5
    idleTimeout: 120
    pongTimeout: 60
    pingInterval: 54
    handshakeTimeout: 10
    readBufferSize: 4096
    writeBufferSize: 4096
    enableCompression: true
    server_cert: /home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.server.chain.cert
    key: /home/ubuntu/.ziti/quickstart/ip-172-31-11-231/ip-172-31-11-231-edge-router.key
alt_server_certs:
  - server_cert:  "/data/docker/letsencrypt/live/clint.demo.openziti.org/fullchain.pem"
    server_key:   "/data/docker/letsencrypt/live/clint.demo.openziti.org/privkey.pem"
forwarder:
  latencyProbeInterval: 0
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32

You can see there are two places: one at the top, and another at the bottom. To be entirely honest, I don't know which one is needed any more. I didn't even notice this myself until just now. :slight_smile:

Also notice the wss binding in the listeners section.

That help? @qrkourier has been in here more recently than I have and might know for sure which of the sections are necessary (if not both)

In my test: It seems the only working place is when it is specified via identity.alt_server_certs. All other places don't work.

identity.alt_server_certs.server_cert
and
identity.alt_server_certs.server_key

are the correct config locations to specify the "public" certs browZer needs to facilitate wssER connections.


In summary, transport.ws.server_cert is the deprecated way to configure a different server cert for the WebSocket binding, and is superseded by the identity.alt_server_certs convention. A top-level alt_server_certs key is not read by the router: as the tests in this thread show, only identity.alt_server_certs has any effect.
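Because the generated template offers three plausible places for the alternate cert and only one of them is honoured, a small lint over the parsed router config is a useful pre-flight check. The following is an added example, not code from this thread or from the ziti project: it flags a missing or empty identity.alt_server_certs, warns about the ignored top-level key and the deprecated transport.ws.server_cert, and warns when there is no wss: edge listener for the alternate cert to serve. The check itself uses only the standard library; the optional command-line entry point assumes PyYAML is installed, and the embedded SAMPLE_CONFIG is a constructed dict mirroring the shape of the config posted above (paths are placeholders).

```python
"""Lint an OpenZiti router config for alt_server_certs placement.

Added example (not part of the original thread or the ziti project).
It encodes what the thread concluded: identity.alt_server_certs is the
location the router honours, a top-level alt_server_certs is ignored,
and transport.ws.server_cert is the deprecated WebSocket-only form.
"""
from __future__ import annotations

import sys
from typing import Any

# Constructed sample mirroring the shape of the config posted in the thread.
# Paths are placeholders, not real files.
SAMPLE_CONFIG: dict = {
    "v": 3,
    "identity": {
        "cert": "/etc/ziti/router.cert",
        "server_cert": "/etc/ziti/router.server.chain.cert",
        "key": "/etc/ziti/router.key",
        "ca": "/etc/ziti/router.cas",
        "alt_server_certs": [
            {"server_cert": "/etc/letsencrypt/live/example.org/fullchain.pem",
             "server_key": "/etc/letsencrypt/live/example.org/privkey.pem"},
        ],
    },
    "listeners": [
        {"binding": "edge", "address": "tls:0.0.0.0:3022"},
        {"binding": "edge", "address": "wss:0.0.0.0:8505",
         "options": {"advertise": "wss.example.org:8505"}},
    ],
    "transport": {"ws": {"server_cert": "/etc/ziti/router.server.chain.cert",
                         "key": "/etc/ziti/router.key"}},
    # Ignored by the router; copied here on purpose so the linter flags it.
    "alt_server_certs": [
        {"server_cert": "/etc/letsencrypt/live/example.org/fullchain.pem",
         "server_key": "/etc/letsencrypt/live/example.org/privkey.pem"},
    ],
}


def _get(cfg: Any, *path: str) -> Any:
    """Walk nested mappings; return None if any step is missing."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_router_config(cfg: dict) -> dict:
    """Return {"errors": [...], "warnings": [...]} for a parsed router config."""
    errors: list[str] = []
    warnings: list[str] = []

    # The only placement the router honours.
    alt = _get(cfg, "identity", "alt_server_certs")
    if alt is None:
        errors.append("identity.alt_server_certs missing: only identity.server_cert will be presented")
    elif not isinstance(alt, list) or not alt:
        errors.append("identity.alt_server_certs must be a non-empty list")
    else:
        for i, entry in enumerate(alt):
            for field in ("server_cert", "server_key"):
                if not isinstance(entry, dict) or not entry.get(field):
                    errors.append(f"identity.alt_server_certs[{i}].{field} is empty")

    # Placements that are silently ignored or deprecated.
    if "alt_server_certs" in cfg:
        warnings.append("top-level alt_server_certs is ignored; move it under identity")
    if _get(cfg, "transport", "ws", "server_cert") is not None:
        warnings.append("transport.ws.server_cert is deprecated; use identity.alt_server_certs")

    # The alternate cert only matters if a wss: edge listener exists to serve it.
    listeners = cfg.get("listeners") or []
    has_wss = any(isinstance(l, dict) and str(l.get("address", "")).startswith("wss:")
                  for l in listeners)
    if not has_wss:
        warnings.append("no wss: edge listener found; BrowZer needs one to use the alt cert")

    return {"errors": errors, "warnings": warnings}


def main(argv: list[str]) -> int:
    """CLI: lint a YAML file (needs PyYAML) or the embedded sample when no path is given."""
    if len(argv) > 1:
        import yaml  # assumption: PyYAML is installed for the CLI path only
        with open(argv[1], encoding="utf-8") as fh:
            cfg = yaml.safe_load(fh)
    else:
        cfg = SAMPLE_CONFIG
    report = check_router_config(cfg)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1].upper()}: {msg}")
    return 1 if report["errors"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real file with `python lint_router.py /path/to/router.yaml`; a non-zero exit means the alternate cert would not be presented at all, while warnings point at the dead copies worth deleting so the config stops being ambiguous.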