Service is not accessible

1

I have created some identities and related service policies as follows.

mango@bluesky tmp % ziti edge list service-policies     
╭────────────────────────┬───────────┬──────────┬───────────────┬────────────────┬─────────────────────╮
│ ID                     │ NAME      │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES │ POSTURE CHECK ROLES │
├────────────────────────┼───────────┼──────────┼───────────────┼────────────────┼─────────────────────┤
│ 1NrKqCOGxefnKNGMKitAVD │ chat.dial │ AllOf    │ #chat-service │ #engineering   │                     │
│ 6oDKSb5exVDV5uf4cylxQN │ chat.bind │ AllOf    │ #chat-service │ #engineering   │                     │
╰────────────────────────┴───────────┴──────────┴───────────────┴────────────────┴─────────────────────╯
results: 1-2 of 2
mango@bluesky tmp % ziti edge list identities           
╭────────────┬──────────────────┬────────┬─────────────────╮
│ ID         │ NAME             │ TYPE   │ ATTRIBUTES      │
├────────────┼──────────────────┼────────┼─────────────────┤
│ .7SUfW7jK  │ erv0v0           │ Router │                 │
│ 5VbEucHUd  │ doer             │ Router │                 │
│ DD5dMygUTS │ mellisa          │ User   │ engineering,qa  │
│ H37LMRXUdS │ dan              │ User   │ dev,engineering │
│ fE2O2elFI  │ ziti-edge-router │ Router │                 │
│ menjDyn43  │ Default Admin    │ User   │                 │
│ uA7bMRXbTS │ chat.server      │ Device │ chat.servers    │
╰────────────┴──────────────────┴────────┴─────────────────╯
results: 1-7 of 7

I also have a service edge router policy and I think this is created default by ziti?

mango@bluesky tmp % ziti edge list service-edge-router-policies
╭────────────────────────┬──────────────────┬───────────────┬───────────────────╮
│ ID                     │ NAME             │ SERVICE ROLES │ EDGE ROUTER ROLES │
├────────────────────────┼──────────────────┼───────────────┼───────────────────┤
│ 4zoFIedKB4f5g59kuZctc3 │ allSvcAllRouters │ #all          │ #all              │
╰────────────────────────┴──────────────────┴───────────────┴───────────────────╯

But I’m still getting service is not accessible message:

mango@bluesky tmp % ziti edge policy-advisor services          

Policy General Guidelines
  In order for an identity to dial or bind a service, the following must be true:
    - The identity must have access to the service via a service policy of the correct type (dial or bind)
    - The identity must have acces to at least one on-line edge router via an edge router policy
    - The service must have access to at least one on-line edge router via a service edge router policy
    - There must be at least one on-line edge router that both the identity and service have access to.

Policy Advisor Output Guide:
  STATUS = The status of the identity -> service reachability. Will be OKAY or ERROR. 
  ID = identity name
  ID ROUTERS = number of routers accessible to the identity via edge router policies.
    - See edge router polices for an identity: ziti edge controller list identity edge-router-policies <identity>
  SVC = service name
  SVC ROUTERS = number of routers accessible to the service via service edge router policies.
    - See service edge router policies for a service with: ziti edge controller list service service-edge-router-policies <service>
  ONLINE COMMON ROUTERS = number of routers the identity and service have in common which are online.
  COMMON ROUTERS = number of routers (online or offline) the identity and service have in common.
  DIAL_OK = indicates if the identity has permission to dial the service.
    - See service polices for a service  : ziti edge controller list service service-policies <service>
    - See service polices for an identity: ziti edge controller list identity service-policies <identity>
  BIND_OK = indicates if the identity has permission to bind the service.
  ERROR_LIST = if the status is ERROR, error details will be listed on the following lines

Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST
-------------------------------------------------------------------------------
ERROR: chat 
  - Service is not accessible by any identities. Adjust service policies.

What am I missing?

2

You can add -q to ziti edge policy-advisor services to squish that output btw. I always use -q for policy-advisor now-a-days … :slight_smile:

Can you also show me the services? It’s the one thing you didn’t show. My guess is that it’s missing the chat-service attribute?

3

Here’s the service:

mango@bluesky tmp % ziti edge list services
╭────────────────────────┬──────┬────────────┬─────────────────────┬─────────────╮
│ ID                     │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES  │
│                        │      │  REQUIRED  │                     │             │
├────────────────────────┼──────┼────────────┼─────────────────────┼─────────────┤
│ 2bMm7PXGU1cPn9nmlsndVd │ chat │ true       │ smartrouting        │ dev         │
│                        │      │            │                     │ engineering │
╰────────────────────────┴──────┴────────────┴─────────────────────┴─────────────╯

As you suspected, it does not have the 'chat-service` attribute. I was under the impression that since it has the ‘engineering’ attribute then it can be accessed by identities having the ‘engineering’ attribute (in this case there are two users having the attribute)?

4

Understandable, but that's not the case. :slight_smile: Attributes are only applicable to the object you apply them to. They don't cross over to the other objects that can have attributes added to them. That's one of the reasons when I make examples here on discourse, or on the doc site, I try to go out of my way to use attributes that are specifically different. It's very easy for them to be confused like that.

Attributes defined on services are not applicable to identities nor to edge-routers. Same for attributes defined on edge-routers/identities. The attributes are not shared among entities. When you made the service, you would have needed to add the attribute chat-service to the service create step but you'd also then need to update your service policy so that it's NOT 'engineering' identities which can bind that service, it's the "chat.servers" that can bind it.

I think you just need to update that chat.bind service-policy:

ziti edge update service-policy chat.bind --service-roles '#engineering' --identity-roles '#chat.servers'
# -- or reference the service directly
ziti edge update service-policy chat.bind --service-roles '@chat' --identity-roles '#chat.servers'

That make sense? After that update, the dialers (any identity with the #engineering attribute but not the #qa) would all still be able dial the service because of your dial policy:

╭────────────────────────┬───────────┬──────────┬───────────────┬────────────────┬─────────────────────╮
│ ID                     │ NAME      │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES │ POSTURE CHECK ROLES │
├────────────────────────┼───────────┼──────────┼───────────────┼────────────────┼─────────────────────┤
│ 6oDKSb5exVDV5uf4cylxQN │ chat.bind │ AllOf    │ #chat-service │ #engineering   │

And any identity with the attribute #chat.servers would be able to serve as the "bind" side (the server) because you'll now have a bind policy that looks like this:

╭────────────────────────┬───────────┬──────────┬───────────────┬────────────────┬─────────────────────╮
│ ID                     │ NAME      │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES │ POSTURE CHECK ROLES │
├────────────────────────┼───────────┼──────────┼───────────────┼────────────────┼─────────────────────┤
│ 1NrKqCOGxefnKNGMKitAVD │ chat.dial │ AllOf    │ #engineering  │ #chat.servers  │

Alternative Policy

Hopefully this won't be too confusing (and hopefully I have it right in my head) but I personally think that is a bit confusing like this so if it were me, I'd recommend you rework it a bit?
I would probably remove both attributes on the service and just go with "#engineering.services" on the service.

# remove existing dial policy for chat service
ziti edge delete service-policy chat.dial
# put a new policy in place that gives engineers access (where an engineer is a dev or qa person)
ziti edge create service-policy engineers.access Dial --service-roles "#engineering.services" --identity-roles "#dev,#qa"

# assign the chat service as an "engineering" service
ziti edge update service chat -a "#engineering.services"
5

Thanks. That simplifies it. Now the service advisor seems to be happy.

mango@bluesky tmp % ziti edge list identities      
╭────────────┬──────────────────┬────────┬─────────────────╮
│ ID         │ NAME             │ TYPE   │ ATTRIBUTES      │
├────────────┼──────────────────┼────────┼─────────────────┤
│ .7SUfW7jK  │ erv0v0           │ Router │                 │
│ 5VbEucHUd  │ doer             │ Router │                 │
│ DD5dMygUTS │ mellisa          │ User   │ dev,engineering │
│ H37LMRXUdS │ dan              │ User   │ engineering,qa  │
│ fE2O2elFI  │ ziti-edge-router │ Router │                 │
│ menjDyn43  │ Default Admin    │ User   │                 │
╰────────────┴──────────────────┴────────┴─────────────────╯
results: 1-6 of 6
mango@bluesky tmp % ziti edge list services        
╭────────────────────────┬──────┬────────────┬─────────────────────┬──────────────╮
│ ID                     │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES   │
│                        │      │  REQUIRED  │                     │              │
├────────────────────────┼──────┼────────────┼─────────────────────┼──────────────┤
│ 1uFV0ek6sbtnva14ahui5p │ chat │ true       │ smartrouting        │ chat-service │
╰────────────────────────┴──────┴────────────┴─────────────────────┴──────────────╯
results: 1-1 of 1
mango@bluesky tmp % ziti edge list service-policies
╭────────────────────────┬───────────┬──────────┬───────────────┬─────────────────────┬─────────────────────╮
│ ID                     │ NAME      │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES      │ POSTURE CHECK ROLES │
├────────────────────────┼───────────┼──────────┼───────────────┼─────────────────────┼─────────────────────┤
│ 6nb3icMAiPzuyipzwcu62z │ chat.dial │ AllOf    │ #chat-service │ #engineering        │                     │
│ udLHfqlxCpDCTFG1xBtT2  │ chat.bind │ AllOf    │ #chat-service │ #engineering.server │                     │
╰────────────────────────┴───────────┴──────────┴───────────────┴─────────────────────┴─────────────────────╯
results: 1-2 of 2
mango@bluesky tmp % ziti edge policy-advisor services -q
OKAY : mellisa (2) -> chat (3) Common Routers: (1/2) Dial: Y Bind: N 

OKAY : dan (2) -> chat (3) Common Routers: (1/2) Dial: Y Bind: N

Follow up question, what are the number in the parenthesis mean (2), (3), (1/2)?

6

Glad to hear! Those values in parens are:

  • mellisa (2) : how many routers the “melissa” identity has access to
  • chat (3) : how many routers the “chat” service has access to
  • Common Routers: (1/2) : how many “common routers” are online / how many “common routers” in total
7

Ok. It all look good on paper :slight_smile:

Now I’m trying to run the example.

Here’s what I have for now:

mango@bluesky tmp % ziti edge list edge-routers
╭───────────┬──────────────────┬────────┬───────────────┬──────┬─────────────╮
│ ID        │ NAME             │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES  │
├───────────┼──────────────────┼────────┼───────────────┼──────┼─────────────┤
│ .7SUfW7jK │ erv0v0           │ true   │ true          │    0 │             │
│ 5VbEucHUd │ doer             │ true   │ true          │    0 │ engineering │
│           │                  │        │               │      │ marketing   │
│           │                  │        │               │      │ public      │
│ fE2O2elFI │ ziti-edge-router │ false  │ true          │    0 │ public      │
╰───────────┴──────────────────┴────────┴───────────────┴──────┴─────────────╯
results: 1-3 of 3
mango@bluesky tmp % ziti edge list services
╭────────────────────────┬──────┬────────────┬─────────────────────┬──────────────╮
│ ID                     │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES   │
│                        │      │  REQUIRED  │                     │              │
├────────────────────────┼──────┼────────────┼─────────────────────┼──────────────┤
│ 1uFV0ek6sbtnva14ahui5p │ chat │ true       │ smartrouting        │ chat-service │
╰────────────────────────┴──────┴────────────┴─────────────────────┴──────────────╯
results: 1-1 of 1
mango@bluesky tmp % ziti edge list service-policies
╭────────────────────────┬───────────┬──────────┬───────────────┬─────────────────────┬─────────────────────╮
│ ID                     │ NAME      │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES      │ POSTURE CHECK ROLES │
├────────────────────────┼───────────┼──────────┼───────────────┼─────────────────────┼─────────────────────┤
│ 6nb3icMAiPzuyipzwcu62z │ chat.dial │ AllOf    │ #chat-service │ #engineering        │                     │
│ udLHfqlxCpDCTFG1xBtT2  │ chat.bind │ AllOf    │ #chat-service │ #engineering.server │                     │
╰────────────────────────┴───────────┴──────────┴───────────────┴─────────────────────┴─────────────────────╯
results: 1-2 of 2
mango@bluesky tmp % ziti edge list service-edge-router-policies
╭────────────────────────┬──────────────────┬───────────────┬───────────────────╮
│ ID                     │ NAME             │ SERVICE ROLES │ EDGE ROUTER ROLES │
├────────────────────────┼──────────────────┼───────────────┼───────────────────┤
│ 4zoFIedKB4f5g59kuZctc3 │ allSvcAllRouters │ #all          │ #all              │
╰────────────────────────┴──────────────────┴───────────────┴───────────────────╯
results: 1-1 of 1
mango@bluesky tmp % ziti edge list edge-router-policies 
╭────────────────────────┬──────────────────────────────┬───────────────────┬───────────────────╮
│ ID                     │ NAME                         │ EDGE ROUTER ROLES │ IDENTITY ROLES    │
├────────────────────────┼──────────────────────────────┼───────────────────┼───────────────────┤
│ .7SUfW7jK              │ edge-router-.7SUfW7jK-system │ @erv0v0           │ @erv0v0           │
│ 1mzKqrfNla98xzAIvul3RK │ allEdgeRouters               │ #public           │ #all              │
│ 5VbEucHUd              │ edge-router-5VbEucHUd-system │ @doer             │ @doer             │
│ IoXwvmXsH3lcYp4SyEEZP  │ do-router-engineering-policy │ #engineering      │ #engineering      │
│ fE2O2elFI              │ edge-router-fE2O2elFI-system │ @ziti-edge-router │ @ziti-edge-router │
╰────────────────────────┴──────────────────────────────┴───────────────────┴───────────────────╯
results: 1-5 of 5
mango@bluesky tmp % ziti edge policy-advisor services -q      
OKAY : mellisa (2) -> chat (3) Common Routers: (1/2) Dial: Y Bind: N 

OKAY : chat.server (2) -> chat (3) Common Routers: (1/2) Dial: N Bind: Y 

OKAY : dan (2) -> chat (3) Common Routers: (1/2) Dial: Y Bind: N

Errors occurred upon running the chat-server. I wonder where that ziti-router1 comes from.

mango@bluesky tmp % ./chat-server chat.server.json 
INFO[0000] binding service chat                         
ERRO[0000] dial tcp: lookup ziti-router1: no such host  
ERRO[0000] dial tcp: lookup ziti-router1: no such host  
ERRO[0001] dial tcp: lookup ziti-router1: no such host  
ERRO[0001] dial tcp: lookup ziti-router1: no such host  
ERRO[0001] dial tcp: lookup ziti-router1: no such host  
ERRO[0001] dial tcp: lookup ziti-router1: no such host  
^C

Also below the generated chat.server.json for inspection.

{
  "ztAPI": "https://ziti:1280",
  "id": {
    "key": "pem:-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEA1TdasDjb9bDiRfYk+3x1FUrJyAwBEzQjvZ7toCBsRsYSHD+u\n/Md71GgjugYRhU0qLkfEL1dIJCeCBH+7F8kGaD7nfI8MWQyt6Yrw+Q9T0c3q5JvE\noTh0fN6T1Rs6zXEQYQotzj8y38DT0GLWmh+JdMseWICz1+ZUKOzSpDjN1atoMKAu\n6wnugmzzQEwy4M08TXfADUVkgM5gmGeQUHG6+8gwGzJBDX6+ZAaXEULdL2lOuy0+\nl5/xorUZUdaXj4WHVGXnJ27JTLj37AxP+6vsV11nNeTIwJ66XzO8XDNOnR/0NJzf\nQH8qXZ5vklTcXL/T686fJ0SNOcWjn2W39ZSCUm4G8rInXAD5fmkAaC8WVpLpQjJH\nHM6h6rg6+PzTnxspmzo394iOHkkm+gB6zmHNTRf7EuZqc19tmK1fgnbOioik3wgk\nxrlE5lwHvlfK+3pL3lo23wUKuQJFs5Z9EK3FitA5Qtgsrw4jBeqWUMHFJgZZjQ20\n7j58hmcrkEUkmL4dxjlhaLoNvdbryECCnf4XUresVhcyC1f3egcV07hdVzsDXBKd\nxWYMlhb24gLT9HWD+W/Am6DG8jNHL2hmLy0nQiVh35dUFytlyK2RgG6HqwnZkUHJ\nd+kIMwAq97Rz3pXEwAXlt6Kn3rlJNTbvl1BqHcEsU9zlOuAJVSbQA5cvoIsCAwEA\nAQKCAgEAhfRO/6PZXZSRtE6ekXlxvbzM5OfVzRDW24z70bxNCnHqcuD3uUxC2gHL\nYFXrsAn41Da2ZN+7LSu9HcJ58smTQu8yVCkzIsc6hB2Mo40jpg5u4s2STY/Ab6sO\nybZfzS6Zkb3pZUiDV9w3txZBqXbizwPFvuitFJlaipOvCwm9F96miNY6Y+RLepmk\ngeLdnCqVFj6D5FKSf/Io8dcu7btmNEVjI9MA18+nIgSZ6HhPqjfJBQO57VzJXOXW\nUHo3oi3MBhQ3k6igw5j5+c0Kex1aUNEXxN5F2e5fPOyuDGcXntOyg1ODV2wNW9/s\nTM0P3R2PsPiROQRyjbdDwyMO3jU9YhKrgNP3nhkTBaqBKI4OTdxHtVN00He4uZ6B\n9F4drfxWa7fvtKwgMjry0wYMUCF4a6xTNq/tJj7zrDjKHGnDIuMGo16Qp6V1vRAV\n0sxj72/gfBbC2kFyedpWiW/wiR2sQAv4BlFA63OjNq3COkO65zmSDq/ggSAEVxlI\nae5qCt6XnFLvrqV7Et3dMscFh7HkgigiuVezcTd8KT+k1fHUj5lqXaf+TTdoE4jS\nJ7u67Eb6xGPKYz0Dw9+RKdW3/Mlm3cNOlo9d0Ps2fQA8wer/VhmQyV/Z2tz67A8I\n6KcgVRva7im3qFq/16t/87ODc0ajhMBexxG4cT+tV1abUHPFyqECggEBAO468YmS\n3pLNGEpfX7zPJP8XkeWbD+vT5/kD4SICEr25XaqiOVE4TTtaUh8cuR35A+2Ia/yg\ndumCCxmZf8Y4Z+2koZ3cyDRO2sqZzZclx1JcNhxNN1NniCRYaTJtWJcKKEPFQ+eU\nES0hBjHbEluOBQDbEIKLGbJ9JD8mgnCTddg+6qEmntoRFM1VbCjodhTOgkm0FstV\nD/fETPR7yecm+I6ibLhEd23jQl3lbydLAYhPMOnAEDS3Zn25Raz0DZPoLP5fZ2d1\noMQT7zTMnUPEaB2qvQjNaJWHD288Px46e3dhi0l8Bz5vkvhirqfHkHvDPHu+nrEF\nzoBzE4dV12hf+iMCggEBAOUew0XMsiaNmVR+Ek/wjABXoPwXmfVDafmTUYDNEjDR\nqyk5LEE6ZSkTSXSqInW6Q71QAHA5o6YkyMCvznakW1hznBNZB2W0CWr8vSVTxI2B\niGNS6UltZrr7Z98Ro9SxhpWBX8nQ590pR3pmwo8ejSp+Ji7GsSQeYIRqQVTChTFi\nsDSWcyVTkQtgqUmZ/WMVlN/LZbfLXkQNBVTeEq3kzK+slUJGXvUbWB6NaPjwkevo\nDPZfZ7Mx/2isrlZGh+fJycUn/J7P38JcIcbmX7rzmhyGWnRtyUZDMY5KTpcjY13B\nlninzTNvoRMJRilX9XVYSCv6Gko6zWc358roo4o7YnkCggEBALHp81j7Bp477Vgd\nwjIPwWGBCMSg+VL1/thJvWjYg4aNWRaF8Khnk8YvvgTePqHTxssuhvc0H5pkNEX6\nDSLMHVGtEcYDjMED4wJLuu6WmDU6CG86e4ceWt5J6MZwQykJvOhf+kaIngtGDopN\nQXh+p93rvHjByX8zVk6TQ/cvKWNGGZQgc6IH/7EZip1Cfm0rjMHebOeNr08qmw47\nJJ4szJQ5WViESW0XvAjDwC9oJMzX13+6oF++WByssQxpd3puequ+NEtf3aCSAqM7\n7Hcfx2HgkSxxuxlwtGYuaDT7GBogDxXiOsa2LNyzVhyXPaAwPotr4LfzzjS/vGXm\nBek9RGECggEAaCL6SBBIbINxTFjcw96mE0XA0rN7c2FHmnrd0Xfjq7KwY9Urix4a\nenfcrBzj+rRFM5dYC6n2+n2/jOybH4uGRQaOyrBtT0lr+meTJJMVQ+e68MHvbENA\nLP41cMrYtsRVUkByJA1CRWAMr9Ji3Z/aM5UQj7QZMTxpS+XrebXLye17/vrerPl1\ndEFj0CMgateVSb5tpgLV/oIYiUFCJi1W5wW+9Vd8s1TRUVmee38EI7/dnGEyhdzU\npGPP/UCjZrNtdKG/DQOYRQORCpEMs7Eiu5JJLJ/1mmzR6kVVwRYBhMyHMqG5/4Xe\nJQPTEtl6o/ITI4HSTyi40RA01yGzqxFgqQKCAQBvCQszo61wcUUuVML0qf3C02T7\ngd2bLjeOUNZSIPGdBY3noCZrzv/tNyuOdJ9m4rnFvQkVt/4jt7OSSuquJqQhHcSL\nGlGEOgd7BC5ltXKZcr99Yjo6MtCkXJOhRpMm1xtHVarnkUyUPlCOECEpt11rL6dM\nriNVJ2SWIRLRfH6pPD+UE2heYZu4PLDER1gdLjTb8eXMk/BIDx+v0s0UtVrj1xXl\nR16ba4pPTlOIKNmoJfdZ+MHV+gsKKZ3fL7Z9id6e26bdqsPpE5R72jfXQzUJfI3k\ncXiroQgPKSvy1BspkiFfH+wICytB3HTneLe63zbXiv00slglWm/XWwQYYE70\n-----END RSA PRIVATE KEY-----\n",
    "cert": "pem:-----BEGIN CERTIFICATE-----\nMIIFeTCCA2GgAwIBAgIDAm2CMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNVBAYTAlVT\nMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoTCk5ldEZvdW5kcnkxEDAOBgNV\nBAsTB0FEVi1ERVYxIjAgBgNVBAMTGXppdGktc2lnbmluZy1pbnRlcm1lZGlhdGUw\nHhcNMjMwMzI5MTc1ODE5WhcNMjQwMzI5MTc1OTE5WjBIMQswCQYDVQQGEwJVUzET\nMBEGA1UEChMKTmV0Rm91bmRyeTEkMCIGA1UEAxMbQUNIV1dYSFE0RDlIMi1MLmxv\nY2FsZG9tYWluMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1TdasDjb\n9bDiRfYk+3x1FUrJyAwBEzQjvZ7toCBsRsYSHD+u/Md71GgjugYRhU0qLkfEL1dI\nJCeCBH+7F8kGaD7nfI8MWQyt6Yrw+Q9T0c3q5JvEoTh0fN6T1Rs6zXEQYQotzj8y\n38DT0GLWmh+JdMseWICz1+ZUKOzSpDjN1atoMKAu6wnugmzzQEwy4M08TXfADUVk\ngM5gmGeQUHG6+8gwGzJBDX6+ZAaXEULdL2lOuy0+l5/xorUZUdaXj4WHVGXnJ27J\nTLj37AxP+6vsV11nNeTIwJ66XzO8XDNOnR/0NJzfQH8qXZ5vklTcXL/T686fJ0SN\nOcWjn2W39ZSCUm4G8rInXAD5fmkAaC8WVpLpQjJHHM6h6rg6+PzTnxspmzo394iO\nHkkm+gB6zmHNTRf7EuZqc19tmK1fgnbOioik3wgkxrlE5lwHvlfK+3pL3lo23wUK\nuQJFs5Z9EK3FitA5Qtgsrw4jBeqWUMHFJgZZjQ207j58hmcrkEUkmL4dxjlhaLoN\nvdbryECCnf4XUresVhcyC1f3egcV07hdVzsDXBKdxWYMlhb24gLT9HWD+W/Am6DG\n8jNHL2hmLy0nQiVh35dUFytlyK2RgG6HqwnZkUHJd+kIMwAq97Rz3pXEwAXlt6Kn\n3rlJNTbvl1BqHcEsU9zlOuAJVSbQA5cvoIsCAwEAAaNIMEYwDgYDVR0PAQH/BAQD\nAgSwMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFOYxHZVmrNj3L8x4\nUWt5D0/CAPAQMA0GCSqGSIb3DQEBCwUAA4ICAQAnz5lrqUcs4PhkP8vL6PGAoR/L\nJS9gdaC4uRVQGYVwW3DtGhRcYp8qnFcFflRwE64iWEr4cm/YWx5zWFGCK6/8Qjdh\nrqKEFS5RawcADAWLvaXNkLCK7yxDv9tLGlVqpq/ZRPOZGBHqS40CWEQVMvCr0lIl\nGy4Kr3lrk+yfpzunPUgEb/sB7+eB77O1OgOW5APG3obl0k61eLyDbPZs2IU36Vxz\neiv2L1aGXZT6ctwedlB9Adpa9+d9RBIKCGOHlIbp9g382rKQmtkiEYeqoBvCoASF\nacn72jQ4ppCFrcVLmxtKQ+Ayd9dunkCyWMM+sC0lHU7hrSREmbS7jLhzgZy50xCu\naNuecORi6C/jiH37O5QX49ZGtx6wYTRr6URNpdE3WKnaFTh8r3QiDlk1jvcKcn2k\ncDMsJpwEQJLMgMQrY8fVuA68Twjc+llCvjlmrbA5P8djO/zjaDux4fgkFXyWojWI\nvgH/6jt5xrOQVofLcM5ge51a7orKcQvxNr+A0XHVfaIOuBRnLi3Qe8io2TXBFSTa\nN0d5gJ4XdRuzrm0gczN7cDvSNojEcrClisiLZ+WyiE+Pg6Uhney12jrirXayKaaP\nRN49QXmQX3qGiWO7zacCpapLmXulNYOZR9QldqCLqIucovvfVzIPXdA9zxyaaenY\nvwnaMVNgx1LJuNNCOg==\n-----END CERTIFICATE-----\n",
    "ca": "pem:-----BEGIN CERTIFICATE-----\nMIIF4DCCA8igAwIBAgIRANvTySzcQWYxY5KMgdmma8YwDQYJKoZIhvcNAQELBQAw\ngYIxCzAJBgNVBAYTAlVTMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoTCk5l\ndEZvdW5kcnkxEDAOBgNVBAsTB0FEVi1ERVYxODA2BgNVBAMML3ppdGktc2lnbmlu\nZy1pbnRlcm1lZGlhdGVfc3B1cmlvdXNfaW50ZXJtZWRpYXRlMB4XDTIzMDIyMDE3\nNTMwMVoXDTMzMDIxNzE3NTQwMFowbDELMAkGA1UEBhMCVVMxEjAQBgNVBAcTCUNo\nYXJsb3R0ZTETMBEGA1UEChMKTmV0Rm91bmRyeTEQMA4GA1UECxMHQURWLURFVjEi\nMCAGA1UEAxMZeml0aS1zaWduaW5nLWludGVybWVkaWF0ZTCCAiIwDQYJKoZIhvcN\nAQEBBQADggIPADCCAgoCggIBAM59G9Swrd+r3AFbtZAilxD7sTzEqTDhMwsHO4yO\nVBpUko3hJzqhaC6TkITZY6S+x1DdAnM37Y3dpxt8CcvSLlyOKNt/zOBqC970MgIc\nRJK2v6x5viw9ONYzbOOgAPKyKPAlLQ0hKD9GQorlqqgy3kWHP5xvrZHJe1RxE54c\nW6bQwIa6ZAHsgETNL8tOoEbQVgqEI48PS8D8/VmCzAHnkT5LHuXG0NpJxOh9ubBz\nXxFnI5KBFHnz4xKqvGN8cGijpBbKKlUZs4vN9NZwEDqR3cSo/Rsc15UIhj9HOu6V\njNokiv4NuCAYH26LHF2f5A4sFSBYh9WewZDq6awKBc/WDNeTqWPnoQ2NIxU4+5do\n2ajWZmtPC30lvpyvWxkdE3vs6GbMbMr/uB0osDQz98XDK2Av8UOtk6zNYQ7GjY/i\noL5kYe1QshSUt6VCm8T5EyJq8xmTai4UZxWvfqgfSn07mXFZ96HTtWhvXBP0Dtp2\n+HUkc9TpiCXIBOr8P0Q7qNKuCHaMCN8ZFrNB7M9s7IZhQjuPTnNtEbhDAN6Ck/c7\nBt7uMycXoc69wKA52jQ3WzpPbzyslrUMsmm2RBf+hAewr12ssB+cgEHq5DoXsn3Q\n5oi6wXsoSf+czBvozglOCbxFqgV3adRS0HqiLpqZX77GYMJcV7Y6kYZH+e2ukIdX\nH3Y5AgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEB\nMB0GA1UdDgQWBBTmMR2VZqzY9y/MeFFreQ9PwgDwEDAfBgNVHSMEGDAWgBStMI0i\nTxkSsDx9Mqbe7x4FE0mBhzANBgkqhkiG9w0BAQsFAAOCAgEAuuuDG27NwPk1fWYU\ndoq80OP5em40ujLXt3q/1wK2DHdmgbN7xV0Wt1Y8oPhNAeq9gH/4AZ9q+UTTgrky\nKM7nh4dXzt52tbr/K3FbtjOMC2IuGivLjwPLhpHeWHvBeyeM7LAWtoLbXA6gaC6j\n2d8jtqSj2sp6ai7rI/Jjl+LYw0ZKmj/kt90US3MKf8i9vTtJhmPZentb6T5h5DyJ\nx61BgURV/ZYeiNjlKlVO4/5YtoV67enUU75d3MB5ZsTCOU9myfLdFo6MRLOX0FRB\nYW9KEfSDt8RVMSm5aBX/qekd0WblvtckJ8unqh3OWavdGx0TLTt2wWjDGaxSxD+b\nlFAA3xgEVfLdvc43CdKiGfwDg4g3xcbQ3KA0y1APkikCZytNIDhU4RHMFmN9z9Xe\nnVyDvVZlrMGaP+JQ+hOf6c1y3yFQYFLPJbt+iwVmj7+9Er2wmA/B53T79pwHhjpD\n7GtXB8Pkd/I+iQa40uq2/+kj07GidPUXOqcZanlB4ewghJ+s/tS/5YGCokNTaGxm\ntMHgzXLnktRImZGw/P7yrTyQvSMVLu9eELqz/m5FOh++0rFwwGcYMMHiiERpZjCw\ntkQ+ZcscX8QM9XNEabEBxZZ48NAWw+qUiG0g4/A1J8eQXLUWW4bEk/nlSdMM7CVQ\nLgl7MSggJL3vnMzw7xhGnEzeCzs=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIF6DCCA9CgAwIBAgIQJbAWTBCEuQAcCgeXogzT1TANBgkqhkiG9w0BAQsFADBk\nMQswCQYDVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRG\nb3VuZHJ5MRAwDgYDVQQLEwdBRFYtREVWMRowGAYDVQQDExF6aXRpLWludGVybWVk\naWF0ZTAeFw0yMzAyMjAxNzUzMDRaFw0yNDAyMjAxNzU0MDJaMGoxCzAJBgNVBAYT\nAlVTMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoTCk5ldEZvdW5kcnkxEDAO\nBgNVBAsTB0FEVi1ERVYxIDAeBgNVBAMTF3ppdGkgc2VydmVyIGNlcnRpZmljYXRl\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0vH9Eh2dYnPWnG1d8DCP\n67fWjES4XYy0iTy25RzNP/nCyWd1Xl62lxOXjVA5stmkEUiH1BX/uurVTiZwQrBl\nZIETT9zLm+yrwtJpFTTaSCr7BP/YKkUa2i7dNt+u/Lsaur93MKM28TGUVNvFNrFS\n10WckFoE09Z62UlFtM4uzKLyCeXXVNZC9q6FED2MrXjVssHjIcT5PQeP6n5HUI4s\nTcdXxvrZniyvfW4PwJNWh3rs/9nQIO/2u27P5dQg7iCHeXvY4SIZUIBYfjZy8sWI\neVLne31+C+z3k8zP+io6h76nSa2n4adDLyHayyAKdg4mdNQwomIDDYKuhHxKveAA\nKv0uZAYYstP47mdiGWhTnQKZ6Y8DqVQ9DaVYOaXBeS1dI4lvAzz5aMzUHTMceFKY\nWbxDUwZr9ndqD7Gn3Zae/XqLH7pdUXJ5LXfyL+wp/VAwxbiIojIXL78T8JARVWU3\n+vdN7MeqkcjkQXCVWLDrvmjOVmW7VPrtl9wizCgF05M8lhDfyNDKpDWcOuKewAYE\nJGVivX9pUKoshhV/gC4ImuN20/nW8Nvlo2keHVCCo452/VhpkYDQIFT6qix4hMXJ\nvPQeb1p7RTAmlAEAF7A14qItl9UMM3Kg8BJpJZhvuP4b8/8XnKG7srONBOrJBFQm\nYMOaoZm0TWt//ICiMta52YcCAwEAAaOBjzCBjDAOBgNVHQ8BAf8EBAMCBeAwDAYD\nVR0TAQH/BAIwADAdBgNVHQ4EFgQUdOSiTnb457XpoR7rs2kJOWvJMQQwHwYDVR0j\nBBgwFoAUQ7jlFKKNMNisM6Je2nyendgQmbcwLAYDVR0RBCUwI4IEeml0aYIJbG9j\nYWxob3N0ggR6aXRpggR6aXRphwR/AAABMA0GCSqGSIb3DQEBCwUAA4ICAQCU+WBp\nj1Cl5iIFSk+dQi9z/7U3G2uReCiwJtg6c/us4reyonylp7xi1EaMYR6K4zKYR4jG\ni7zeYv4r/iz/aIJ4nvtPqX+6psifnS1Vm7GX2vkSqZhhlUwNyWDnjkNTvz5fxO3+\nPH7QSlVcNczk/uT2hDTjBcAHD6APJJ7kMmuWAlAwbrd0r0IZ7+8+aA90CbSJHiQw\nIcr02OZqcdn7u865qEaUC9RQKIl57AU4Ai9UM5ICk+yLWzi9M5Rb6229aFyJPbDz\nz+F/Rfjf/g2vff49t46o8BKqUyt/2ggnLYPPUACq3q9YV0ieguvQERkv7UKpko7D\n6oFJA3fsj/D5JKiFvhM+MOPyEkxV2HKbcu493TfwI9Piz9izEhD2p2VpODPYw+eO\nQwWZ+GoIKzX6buSS6iGI+2hKYpve9UGlSkc/+mj3cI7V4t5dMkFDGdyZioM/avFa\nWqgusmBByzktUJwfVjprE2eeyx1K2hyryxlwek7kPmYvAlIM62YU9kxHWgPnMltH\n0u4GJvMu0tupSLg/5KjRBEFpJyKLsoRJ9OrL7xl4PfAauevMLP+2Vr4xAFb3bNqa\nxF5/qJuoqeCJAouj/PKuT6Qa7HV3X00UukKhqC2LUsrIeXUHgAVkGXZRx9I+hAT7\nhZSO3I5jFRp7FRuZ5iecKpVvtec2MnNBkhvAzA==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFvDCCA6SgAwIBAgIRAOeUdsmmLRjBbZiEe+XyZ4EwDQYJKoZIhvcNAQELBQAw\nZzELMAkGA1UEBhMCVVMxEjAQBgNVBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0\nRm91bmRyeTEQMA4GA1UECxMHQURWLURFVjEdMBsGA1UEAxMUeml0aS1yb290LWNh\nIFJvb3QgQ0EwHhcNMjMwMjIwMTc1MjU1WhcNMzMwMjE3MTc1MzQxWjBkMQswCQYD\nVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRGb3VuZHJ5\nMRAwDgYDVQQLEwdBRFYtREVWMRowGAYDVQQDExF6aXRpLWludGVybWVkaWF0ZTCC\nAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANbK8rEPAvn6D3vWjC9wnGe2\nSxaEeq4TYfLdvXh4vAlYTdISNk49LXe/bjGh4sRvEHOYtnCp3YAwnFMrxhp6kBN9\nOB6bO/hImZZQejjIn4xFY4FeN4fSvPkJj+r+uSOI8NADObqqII9zSNAm+3X8+MUs\nr0xxwBtuL1PXguyZwscWv1xE+bCJEbJT5KdnJC+/YRYs7GIUWOQI7yEqZ4fmuvLA\n2hmXoJMItzq1pPUmFIOcEBHq9bYXWDCP+8ww+NxqxZcw8uOSTBGeuHGbYDswVVbV\ndC5pp5eBvsaZGS4+qwXoi7PbWKmmU0Q1EV21mlR6ELcHZ4afIldY4YNVXYM7n33S\nB8C4Gt/pKuMDZOZauvtFf7C1iMSJ2X/Xn55OsgOXPHI0E6VQXAZ65v8mXBFia/Gm\nP6b3Ol3oiaGxq3rsa4csYF3RduOTnqNeyHtdrELs8C6exKDgEvYK6NpzUQx+OJKd\numVuWnl0tw5JAxE5hBingUNFLRYt4PpLiVtPHBJzygI5ylxIfO7mp2sBa/we3p2W\nM/gmDZG37LeY8wBHFZgUKXMvhwFBEHj/nmedTg0MqN5z8zNbFPr3TUEM0YQ1C3V8\nXPQC/3jc7sL5028WIPURTv8cimcwP8A2o8vI7ApArElUJvI27ITu1+yi/kkR98gm\nGPLHV6a+wvAqlklErJpZAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMB\nAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRDuOUUoo0w2Kwzol7afJ6d2BCZtzAfBgNV\nHSMEGDAWgBTtf6MN3kpaPDrmbcFxocKzQMK59TANBgkqhkiG9w0BAQsFAAOCAgEA\np40mrC3hFPeDFkoSv9X9+ezC0LU26LRLQeVCsQfMhlBGLX3JNh5Tb9GEtR/fcRur\nQtAlEQ/tmKnul+fZEnm6iNfsZ8rBT8YCfrE1E2TeoSoQvGscLboS7BVxCU4hImMH\nHgJU38MgeLR612Tjkjubc301nR05Xu8asTmKkTjQjl5FTi+aJH19bE+RaNtHy9y2\nU64xNT9F+R2CKr1RAIfh4RXbw9d8L6GWd71eqPIJ3rP8rE9LvFPW0BlpLyIuXmtq\nxbIfmPEaFCzZ4TkePgAtDiO4P+9VLcm0deAWdqkepD2n2sKBCKk1s0/DvdDgdieH\nVl+JJOt5xTibAb6jaKR8VkA+IbINMoQM38toxXIBbhSS7aYGTkjKfCg33MlrBwOV\nbPNdpOEslaoDPfmRGDWwUM/AMjgCVhtm0SnOBjDOzTS+Z5q1VRK9d/iKhgDaQtH/\n8gvfRczVpJGg2jXSLXWiYNxR3jsPcBc5wHtTa3IMUcLQT+CWU0sByVmbunz7jwCo\nErLqbN0lvllU8DEsbF2xyBoyU2G+JtPSLWQn7qJtNAzvp6puAkb7uQNdLA3BWbYF\nTXpWmhBdVUGA6EpO3oLJMIzSuHYmOgj04M9oEU774YdM9Rs70QiBrs6NRkP/MpGW\nVKtTdWHmBmz+VZKJOCI9MYg66rSjFDsKiGaFXmyBOgc=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFuzCCA6OgAwIBAgIQFivnHjyxEJ8pgBXXgBQ3YDANBgkqhkiG9w0BAQsFADBn\nMQswCQYDVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRG\nb3VuZHJ5MRAwDgYDVQQLEwdBRFYtREVWMR0wGwYDVQQDExR6aXRpLXJvb3QtY2Eg\nUm9vdCBDQTAeFw0yMzAyMjAxNzUyMzlaFw0zMzAyMTcxNzUzMzVaMGcxCzAJBgNV\nBAYTAlVTMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoTCk5ldEZvdW5kcnkx\nEDAOBgNVBAsTB0FEVi1ERVYxHTAbBgNVBAMTFHppdGktcm9vdC1jYSBSb290IENB\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxJo0H5TPK6NqbrUwWkPX\neTYxZR9g4ohOnkmDS83z+iBcLoFkYXSbMTZsMTZ6282BqBjQ4Eh7+OjXB2wCziYa\ncyGmCBQA4pPotn7zV4Ro0xDLACrCV+Kj5Xvw57k2i27mzkuiJRlajvV7orc+7c2g\n/+LatbrzNe+vXIo/Kfl/G9Lk+1qK1k91T2VY2RxlLfp3YBQD4oJv7FOnV2W5f/yN\ndlRSFsspp0WnBhDEO0qwJSPAE9CzThtN8B7+Muli0Xgen7KkIIyoSUR7L0UTdW3r\n/Ln7dOJ6/B/hNn6PVwiURGdXi5sjbFyw2+Azhy6gt+tjrLQraKIAf7yyZz01OZdP\nJPeQAHu9susg3NXQMBpQPsn5Z8zLX2diwEEcchKSyU5cKMailss0VsuB3qSKZep3\n9u3x37uYtXQiYbM/pgA6sNcCfGGKSOT9ucqqMbu6FMRPNpPchxqlLAHJTiTl98ly\n12UUgObmp+AkVVXo1W3hfFDgjWpjKOsC/F2sKXo/e6kQKWtcb7wq0H+ePHU36UmF\n8U4//YvMlo10paSatgjOvf+2pTcBsgGDALTPNBJR0ViBo+kBJm3TnY1H5oKnRQ3g\n9Und12YIhMycdr4OCAKsvifpJPVdqiPshV8NmWt2kHXRo91+Z6QjwF6I1695zqQV\nSekwdE7Qi8EiWz3EmsBD7MsCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1Ud\nEwEB/wQFMAMBAf8wHQYDVR0OBBYEFO1/ow3eSlo8OuZtwXGhwrNAwrn1MB8GA1Ud\nIwQYMBaAFO1/ow3eSlo8OuZtwXGhwrNAwrn1MA0GCSqGSIb3DQEBCwUAA4ICAQAt\nBqCryo3qA0OB8tb77src3tZtxcC9JWAagfBiBgls5EaCas5p4abwHYi1MbBs7Z93\nISHjpKe2NRJT6YQMlCKXStdQUQ3Rp7bPWKeQrKLu+/HuTk2qYil9UcuABpbdyHQP\nNDWEAAZ8KK4nEyMQL8EXszbfSLtsswTDN5/8ODRE7HDu2LM8zoMJbbMaNphh5Hx3\n3lQZi5gqQmFWv60eo77kOhHc7YpYZ4w+vrrlt6ZimBLZDZHR3HqB15qG+z3JfgPC\nGBm+SDRnRJUJYFaKSRLgZhvBPMDQyQ5kCK3ncMNiHP/Hb02UMwhn6ImTKqlmrPX1\nYym08HgT4+CExtV/d+/cXWGqNohaEH4GtajqerOVx+BhQyNuFWUIvF/2IZOu7A41\nTz0h+74XU3fSNfKdE/QxequJI2QJ0YCftJ4gJ2tKecKFVWg1MnDSCYEVkORY9L/z\nj0yLvVF2Khkj4g2GLf1bFFxRnCcAhuWxK7zfzX6SoDBYPU3IC6jaG64ksMaQOXYV\nszYRp262CEex68eCOnakawVrvhX1ti/90PnXkEhlUK4EWmCxYMiwclGWYXAfcx4z\nTKw6uZlDG/6tnlfLz+Em95sqn4cuXkAC4lRSX8Y40qHpCdH0p+NXToZ8zi23iRDC\neubAFBw94zgily5a+F3/uvNERp5Kq8rejXqMOG268Q==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIF4DCCA8igAwIBAgIRANvTySzcQWYxY5KMgdmma8YwDQYJKoZIhvcNAQELBQAw\ngYIxCzAJBgNVBAYTAlVTMRIwEAYDVQQHEwlDaGFybG90dGUxEzARBgNVBAoTCk5l\ndEZvdW5kcnkxEDAOBgNVBAsTB0FEVi1ERVYxODA2BgNVBAMML3ppdGktc2lnbmlu\nZy1pbnRlcm1lZGlhdGVfc3B1cmlvdXNfaW50ZXJtZWRpYXRlMB4XDTIzMDIyMDE3\nNTMwMVoXDTMzMDIxNzE3NTQwMFowbDELMAkGA1UEBhMCVVMxEjAQBgNVBAcTCUNo\nYXJsb3R0ZTETMBEGA1UEChMKTmV0Rm91bmRyeTEQMA4GA1UECxMHQURWLURFVjEi\nMCAGA1UEAxMZeml0aS1zaWduaW5nLWludGVybWVkaWF0ZTCCAiIwDQYJKoZIhvcN\nAQEBBQADggIPADCCAgoCggIBAM59G9Swrd+r3AFbtZAilxD7sTzEqTDhMwsHO4yO\nVBpUko3hJzqhaC6TkITZY6S+x1DdAnM37Y3dpxt8CcvSLlyOKNt/zOBqC970MgIc\nRJK2v6x5viw9ONYzbOOgAPKyKPAlLQ0hKD9GQorlqqgy3kWHP5xvrZHJe1RxE54c\nW6bQwIa6ZAHsgETNL8tOoEbQVgqEI48PS8D8/VmCzAHnkT5LHuXG0NpJxOh9ubBz\nXxFnI5KBFHnz4xKqvGN8cGijpBbKKlUZs4vN9NZwEDqR3cSo/Rsc15UIhj9HOu6V\njNokiv4NuCAYH26LHF2f5A4sFSBYh9WewZDq6awKBc/WDNeTqWPnoQ2NIxU4+5do\n2ajWZmtPC30lvpyvWxkdE3vs6GbMbMr/uB0osDQz98XDK2Av8UOtk6zNYQ7GjY/i\noL5kYe1QshSUt6VCm8T5EyJq8xmTai4UZxWvfqgfSn07mXFZ96HTtWhvXBP0Dtp2\n+HUkc9TpiCXIBOr8P0Q7qNKuCHaMCN8ZFrNB7M9s7IZhQjuPTnNtEbhDAN6Ck/c7\nBt7uMycXoc69wKA52jQ3WzpPbzyslrUMsmm2RBf+hAewr12ssB+cgEHq5DoXsn3Q\n5oi6wXsoSf+czBvozglOCbxFqgV3adRS0HqiLpqZX77GYMJcV7Y6kYZH+e2ukIdX\nH3Y5AgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEB\nMB0GA1UdDgQWBBTmMR2VZqzY9y/MeFFreQ9PwgDwEDAfBgNVHSMEGDAWgBStMI0i\nTxkSsDx9Mqbe7x4FE0mBhzANBgkqhkiG9w0BAQsFAAOCAgEAuuuDG27NwPk1fWYU\ndoq80OP5em40ujLXt3q/1wK2DHdmgbN7xV0Wt1Y8oPhNAeq9gH/4AZ9q+UTTgrky\nKM7nh4dXzt52tbr/K3FbtjOMC2IuGivLjwPLhpHeWHvBeyeM7LAWtoLbXA6gaC6j\n2d8jtqSj2sp6ai7rI/Jjl+LYw0ZKmj/kt90US3MKf8i9vTtJhmPZentb6T5h5DyJ\nx61BgURV/ZYeiNjlKlVO4/5YtoV67enUU75d3MB5ZsTCOU9myfLdFo6MRLOX0FRB\nYW9KEfSDt8RVMSm5aBX/qekd0WblvtckJ8unqh3OWavdGx0TLTt2wWjDGaxSxD+b\nlFAA3xgEVfLdvc43CdKiGfwDg4g3xcbQ3KA0y1APkikCZytNIDhU4RHMFmN9z9Xe\nnVyDvVZlrMGaP+JQ+hOf6c1y3yFQYFLPJbt+iwVmj7+9Er2wmA/B53T79pwHhjpD\n7GtXB8Pkd/I+iQa40uq2/+kj07GidPUXOqcZanlB4ewghJ+s/tS/5YGCokNTaGxm\ntMHgzXLnktRImZGw/P7yrTyQvSMVLu9eELqz/m5FOh++0rFwwGcYMMHiiERpZjCw\ntkQ+ZcscX8QM9XNEabEBxZZ48NAWw+qUiG0g4/A1J8eQXLUWW4bEk/nlSdMM7CVQ\nLgl7MSggJL3vnMzw7xhGnEzeCzs=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFvDCCA6SgAwIBAgIRAOeUdsmmLRjBbZiEe+XyZ4EwDQYJKoZIhvcNAQELBQAw\nZzELMAkGA1UEBhMCVVMxEjAQBgNVBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0\nRm91bmRyeTEQMA4GA1UECxMHQURWLURFVjEdMBsGA1UEAxMUeml0aS1yb290LWNh\nIFJvb3QgQ0EwHhcNMjMwMjIwMTc1MjU1WhcNMzMwMjE3MTc1MzQxWjBkMQswCQYD\nVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRGb3VuZHJ5\nMRAwDgYDVQQLEwdBRFYtREVWMRowGAYDVQQDExF6aXRpLWludGVybWVkaWF0ZTCC\nAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANbK8rEPAvn6D3vWjC9wnGe2\nSxaEeq4TYfLdvXh4vAlYTdISNk49LXe/bjGh4sRvEHOYtnCp3YAwnFMrxhp6kBN9\nOB6bO/hImZZQejjIn4xFY4FeN4fSvPkJj+r+uSOI8NADObqqII9zSNAm+3X8+MUs\nr0xxwBtuL1PXguyZwscWv1xE+bCJEbJT5KdnJC+/YRYs7GIUWOQI7yEqZ4fmuvLA\n2hmXoJMItzq1pPUmFIOcEBHq9bYXWDCP+8ww+NxqxZcw8uOSTBGeuHGbYDswVVbV\ndC5pp5eBvsaZGS4+qwXoi7PbWKmmU0Q1EV21mlR6ELcHZ4afIldY4YNVXYM7n33S\nB8C4Gt/pKuMDZOZauvtFf7C1iMSJ2X/Xn55OsgOXPHI0E6VQXAZ65v8mXBFia/Gm\nP6b3Ol3oiaGxq3rsa4csYF3RduOTnqNeyHtdrELs8C6exKDgEvYK6NpzUQx+OJKd\numVuWnl0tw5JAxE5hBingUNFLRYt4PpLiVtPHBJzygI5ylxIfO7mp2sBa/we3p2W\nM/gmDZG37LeY8wBHFZgUKXMvhwFBEHj/nmedTg0MqN5z8zNbFPr3TUEM0YQ1C3V8\nXPQC/3jc7sL5028WIPURTv8cimcwP8A2o8vI7ApArElUJvI27ITu1+yi/kkR98gm\nGPLHV6a+wvAqlklErJpZAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMB\nAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRDuOUUoo0w2Kwzol7afJ6d2BCZtzAfBgNV\nHSMEGDAWgBTtf6MN3kpaPDrmbcFxocKzQMK59TANBgkqhkiG9w0BAQsFAAOCAgEA\np40mrC3hFPeDFkoSv9X9+ezC0LU26LRLQeVCsQfMhlBGLX3JNh5Tb9GEtR/fcRur\nQtAlEQ/tmKnul+fZEnm6iNfsZ8rBT8YCfrE1E2TeoSoQvGscLboS7BVxCU4hImMH\nHgJU38MgeLR612Tjkjubc301nR05Xu8asTmKkTjQjl5FTi+aJH19bE+RaNtHy9y2\nU64xNT9F+R2CKr1RAIfh4RXbw9d8L6GWd71eqPIJ3rP8rE9LvFPW0BlpLyIuXmtq\nxbIfmPEaFCzZ4TkePgAtDiO4P+9VLcm0deAWdqkepD2n2sKBCKk1s0/DvdDgdieH\nVl+JJOt5xTibAb6jaKR8VkA+IbINMoQM38toxXIBbhSS7aYGTkjKfCg33MlrBwOV\nbPNdpOEslaoDPfmRGDWwUM/AMjgCVhtm0SnOBjDOzTS+Z5q1VRK9d/iKhgDaQtH/\n8gvfRczVpJGg2jXSLXWiYNxR3jsPcBc5wHtTa3IMUcLQT+CWU0sByVmbunz7jwCo\nErLqbN0lvllU8DEsbF2xyBoyU2G+JtPSLWQn7qJtNAzvp6puAkb7uQNdLA3BWbYF\nTXpWmhBdVUGA6EpO3oLJMIzSuHYmOgj04M9oEU774YdM9Rs70QiBrs6NRkP/MpGW\nVKtTdWHmBmz+VZKJOCI9MYg66rSjFDsKiGaFXmyBOgc=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFvDCCA6SgAwIBAgIRAOeUdsmmLRjBbZiEe+XyZ4EwDQYJKoZIhvcNAQELBQAw\nZzELMAkGA1UEBhMCVVMxEjAQBgNVBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0\nRm91bmRyeTEQMA4GA1UECxMHQURWLURFVjEdMBsGA1UEAxMUeml0aS1yb290LWNh\nIFJvb3QgQ0EwHhcNMjMwMjIwMTc1MjU1WhcNMzMwMjE3MTc1MzQxWjBkMQswCQYD\nVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRGb3VuZHJ5\nMRAwDgYDVQQLEwdBRFYtREVWMRowGAYDVQQDExF6aXRpLWludGVybWVkaWF0ZTCC\nAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANbK8rEPAvn6D3vWjC9wnGe2\nSxaEeq4TYfLdvXh4vAlYTdISNk49LXe/bjGh4sRvEHOYtnCp3YAwnFMrxhp6kBN9\nOB6bO/hImZZQejjIn4xFY4FeN4fSvPkJj+r+uSOI8NADObqqII9zSNAm+3X8+MUs\nr0xxwBtuL1PXguyZwscWv1xE+bCJEbJT5KdnJC+/YRYs7GIUWOQI7yEqZ4fmuvLA\n2hmXoJMItzq1pPUmFIOcEBHq9bYXWDCP+8ww+NxqxZcw8uOSTBGeuHGbYDswVVbV\ndC5pp5eBvsaZGS4+qwXoi7PbWKmmU0Q1EV21mlR6ELcHZ4afIldY4YNVXYM7n33S\nB8C4Gt/pKuMDZOZauvtFf7C1iMSJ2X/Xn55OsgOXPHI0E6VQXAZ65v8mXBFia/Gm\nP6b3Ol3oiaGxq3rsa4csYF3RduOTnqNeyHtdrELs8C6exKDgEvYK6NpzUQx+OJKd\numVuWnl0tw5JAxE5hBingUNFLRYt4PpLiVtPHBJzygI5ylxIfO7mp2sBa/we3p2W\nM/gmDZG37LeY8wBHFZgUKXMvhwFBEHj/nmedTg0MqN5z8zNbFPr3TUEM0YQ1C3V8\nXPQC/3jc7sL5028WIPURTv8cimcwP8A2o8vI7ApArElUJvI27ITu1+yi/kkR98gm\nGPLHV6a+wvAqlklErJpZAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMB\nAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRDuOUUoo0w2Kwzol7afJ6d2BCZtzAfBgNV\nHSMEGDAWgBTtf6MN3kpaPDrmbcFxocKzQMK59TANBgkqhkiG9w0BAQsFAAOCAgEA\np40mrC3hFPeDFkoSv9X9+ezC0LU26LRLQeVCsQfMhlBGLX3JNh5Tb9GEtR/fcRur\nQtAlEQ/tmKnul+fZEnm6iNfsZ8rBT8YCfrE1E2TeoSoQvGscLboS7BVxCU4hImMH\nHgJU38MgeLR612Tjkjubc301nR05Xu8asTmKkTjQjl5FTi+aJH19bE+RaNtHy9y2\nU64xNT9F+R2CKr1RAIfh4RXbw9d8L6GWd71eqPIJ3rP8rE9LvFPW0BlpLyIuXmtq\nxbIfmPEaFCzZ4TkePgAtDiO4P+9VLcm0deAWdqkepD2n2sKBCKk1s0/DvdDgdieH\nVl+JJOt5xTibAb6jaKR8VkA+IbINMoQM38toxXIBbhSS7aYGTkjKfCg33MlrBwOV\nbPNdpOEslaoDPfmRGDWwUM/AMjgCVhtm0SnOBjDOzTS+Z5q1VRK9d/iKhgDaQtH/\n8gvfRczVpJGg2jXSLXWiYNxR3jsPcBc5wHtTa3IMUcLQT+CWU0sByVmbunz7jwCo\nErLqbN0lvllU8DEsbF2xyBoyU2G+JtPSLWQn7qJtNAzvp6puAkb7uQNdLA3BWbYF\nTXpWmhBdVUGA6EpO3oLJMIzSuHYmOgj04M9oEU774YdM9Rs70QiBrs6NRkP/MpGW\nVKtTdWHmBmz+VZKJOCI9MYg66rSjFDsKiGaFXmyBOgc=\n-----END CERTIFICATE-----\n"
  },
  "configTypes": null
}
8

That's a start! :slight_smile:

I expect you are using/running the docker-based quickstart based on ziti-router1 and based on the ztAPI in your identity you provided https://ziti (also it's probably clear and obvious, but in the chance case it's not, your identify file is a secret and should be treated as such. I suspect you know that and it's fine since this is all local, but if not, don't share those :slight_smile: )

Which quickstart you run doesn't actually matter but it's mildly relevant. Every participant on the OpenZiti overlay will need to be able to contact the controller and at least one router. Your golang sample app is trying to contact an edge router, either doer or ziti-edge-router based on the ziti edge list edge-routers output you supplied...

In order to satisfy traffic for OpenZiti clients, like your sdk client, those edge routers will have to "advertise" the address that clients should connect to them at. In the routers config files, you'll find a section:

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:8442
    options:
      advertise: ctrl.clint.demo.openziti.org:8442
      connectTimeoutMs: 1000
      getSessionTimeout: 60

See how in this example, my router is advertising ctrl.clint.demo.openziti.org:8442 - you can hit that right now if you like:

openssl s_client -connect ctrl.clint.demo.openziti.org:8442

One of your routers (or both - egad?) are configured to 'advertise' ziti-router1 as the advertise address. That means these routers need to be updated to 'advertise' a correct address. That make sense? They need to 'advertise' an address that the sdk client app can send underlay traffic to.

I'm pretty sure that's what is happening here

9

It was my bad. Just doing experiment without the quickstart. I was short of public IPs and DNS. So I setup two VMs on digital ocean and ran one controller on one VM and one edge router on another VM. The router is registered as ziti-router1. I set it up a while ago and simply forgot :frowning: .

Thanks of the tips on the advertise address, chat server and client are running fine now (although I have to modify the /etc/hosts just for the experiment).

1 Like
10

Cool! Glad to hear it’s working for you now, and you learned some things along the way. :slight_smile: Happy to hear and help.