Hi OpenZiti teams,
I’ve encountered a little problem with a router’s identity status.
I’ve searched these topics:
After Upgrade Router Identity not online - openziti
Get Identity online status in CLI - openziti
Routers versus Identity Status - Support - openziti
But these do not help me locate what happened…
All I have done is replace the controller’s cert and customize these five default values for the router’s cert:
DefaultEdgeRouterCsrC = "US"
DefaultEdgeRouterCsrST = "NC"
DefaultEdgeRouterCsrL = "Charlotte"
DefaultEdgeRouterCsrO = "NetFoundry"
DefaultEdgeRouterCsrOU = "Ziti"
After I re-installed the whole system, I found that the services with the target router work well and the bubbles on the console’s router page are “green” as usual. But the bubble on the identity page is gray.
I’ve checked the status by this command:
ziti edge list identities 'name="router-04"' -j | jq -r '.data[] | [.edgeRouterConnectionStatus, .hasEdgeRouterConnection, .hasApiSession] | @csv'
And got the result: "offline",false,false
Is this condition the same as the issue: better depiction of router identity · Issue #663 · openziti/ziti-console?
Or can the default values for signing the router’s cert not be modified?
I’m sure that the cert chain at both controller and router is valid.
Thanks
Hi @Alonza0314 welcome to the community 
Edge routers only have an associated identity if they are configured as ‘tunneler enabled’. The associated identity will only show as connected if the router is running the tunneler component. Can you check your router config and see if it has a tunnel binding in the listeners section, something like:
listeners:
  - binding: tunnel
    options:
      mode: host
Also note that hasApiSession will likely always be false, as edge routers no longer use api sessions for validation, rather they use the router connection which guarantees identity. So my test instance shows the following:
"edgeRouterConnectionStatus": "online",
"hasApiSession": false,
"hasEdgeRouterConnection": true,
If your setup looks correct, let us know, and we’ll see if there’s something else going on.
Thank you,
Paul
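The triage logic from the reply above, as an added example that is not part of the original thread or OpenZiti's own code: it combines the tunnel binding check with the identity fields returned by `ziti edge list identities -j`. The sample JSON and router config are constructed, the function names are hypothetical, and the config check is a line match rather than a full YAML parse.

```python
import json
import re

# Constructed sample shaped like `ziti edge list identities -j` output,
# limited to the fields quoted in this thread.
SAMPLE_IDENTITIES = json.dumps({"data": [
    {"name": "router-04", "edgeRouterConnectionStatus": "offline",
     "hasEdgeRouterConnection": False, "hasApiSession": False},
    {"name": "router-05", "edgeRouterConnectionStatus": "online",
     "hasEdgeRouterConnection": True, "hasApiSession": False},
]})

# Constructed router config fragment containing the tunnel binding.
SAMPLE_ROUTER_CONFIG = """\
listeners:
  - binding: edge
  - binding: tunnel
    options:
      mode: host
"""

TUNNEL_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?binding:[ \t]*['\"]?tunnel['\"]?[ \t]*(?:#.*)?$", re.M)

def has_tunnel_binding(config_text):
    """Line-based check (assumption: not a full YAML parse) for a tunnel listener."""
    return bool(TUNNEL_RE.search(config_text))

def diagnose(identity, tunnel_enabled):
    """Classify one router identity record using the rules from the reply."""
    # hasApiSession is ignored on purpose: routers no longer use API sessions.
    online = (identity.get("hasEdgeRouterConnection") is True
              and identity.get("edgeRouterConnectionStatus") == "online")
    if online:
        return "online"
    if not tunnel_enabled:
        return "expected-offline: no tunnel binding in router config"
    return "unexpected-offline: tunnel binding present, check controller/router logs"

def triage(identities_json, configs):
    """Map identity name -> diagnosis; configs maps name -> router config text."""
    report = {}
    for ident in json.loads(identities_json).get("data", []):
        name = ident.get("name", "<unnamed>")
        report[name] = diagnose(ident, has_tunnel_binding(configs.get(name, "")))
    return report

if __name__ == "__main__":
    cfgs = {"router-04": SAMPLE_ROUTER_CONFIG, "router-05": SAMPLE_ROUTER_CONFIG}
    print(json.dumps(triage(SAMPLE_IDENTITIES, cfgs), indent=2))
```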
Hi Paul,
I’ve checked the config and it has the tunneler-enabled config like yours.
This “offline” condition has existed since I modified those five default values. I used the same install procedure before and after the modification.
I traced ziti’s source code but found nothing helpful😭.
Is it caused by an identity verification failure?
So before you updated the cert the identity values showed as online, and after they didn’t? Do you see any error messages in the controller or router?
Thank you,
Paul
Yes, it was online before modifying those five values.
That is the point I am confused about. The system logs do not show any errors on either the controller or the router.
In addition, the service intercepted by the router works well as usual.