Setting up a simple controller + edge router + zac on docker

Is it possible to do it with ZAC?

Yes. The Ziti administration console (ZAC) comes with the controller. Were you able to log in?

The address is like https://${ZITI_CTRL_ADVERTISED_ADDRESS}:${ZITI_CTRL_ADVERTISED_PORT}/zac/

Here's the Docker console guide, but you will not need this guide unless you want to change the version that comes with the controller.

Yes I'm able to access ZAC, I'm trying to configure my PC to access the remote gitea server using "git.ziti".

I've made a new identity and enrolled on my Windows Ziti Edge Client:

I've tried the "Add a Simple Service":

But my services count is still at 0 and I can't access http://git.ziti on my PC:

Let's simulate the policies to check for permissions issues.

ziti edge policy-advisor services --quiet "git"

Identity "brand" needs Dial permission, and identity "openziti_edge_router1" needs Bind permission.

You already created the default router policies?

Did you disable encryption on purpose? I've never turned it off before.

I've not created anything else than the "Simple Service".

[root@8bb1fcb59e77 ~]# ziti edge policy-advisor services --quiet "git"
ERROR: openziti_edge_router_1 (1) -> git (0) Common Routers: (0/0) Dial: N Bind: Y 
  - Service has no edge routers assigned. Adjust service edge router policies.

ERROR: braand (0) -> git (0) Common Routers: (0/0) Dial: N Bind: Y 
  - Identity has no edge routers assigned. Adjust edge router policies.
  - Service has no edge routers assigned. Adjust service edge router policies.

Does it mean I need to create something that connects my identity "braand" with the edge router?

Make sure you have default router policies (#all/#all): edge router policy and service edge router policy. You can create them in the console using the magic role attribute #all to allow all identities and services to use all routers.

How can I do that?
Is it in here?

I need to add #all and #all to router and identity attributes?

Correct. You need a default router policy for identities and services.

Here's the command-line equivalent.

ziti edge create edge-router-policy "default" \
--edge-router-roles '#all' --identity-roles '#all'

ziti edge create service-edge-router-policy "default" \
--edge-router-roles '#all' --service-roles '#all'

Alright.
Now I have this :

[root@8bb1fcb59e77 ~]# ziti edge policy-advisor services --quiet "git"
OKAY : openziti_edge_router_1 (1) -> git (1) Common Routers: (1/1) Dial: N Bind: Y 

OKAY : braand (1) -> git (1) Common Routers: (1/1) Dial: N Bind: Y 

But still 0 services on the Ziti Edge Desktop

Identity "braand" needs Dial permission, but has Bind permission instead.

Something must've changed since you ran the simple service wizard which answered "who has access to this service?" (Dial permission) with @brand.

You can fix this by changing your service policies. There are two types: Bind, Dial.

Your router-managed identity already has the necessary Bind permission, but you need to revoke Bind permission for identity "braand."

Then create a service policy of type "Dial" and grant identity "braand" permission to access service "git."

Here's a nice writeup about policies: Policies | OpenZiti

They form a triangle! Since you have a default policy for two of the three sides of the triangle, you will mostly use service policies moving forward to grant some identities Bind permission for hosting the server side of the service, and other identities Dial permission for accessing the service as a client.

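Added example, not code from this thread or from the OpenZiti project: a small Python model of the identity/service/router policy triangle that reproduces the three policy-advisor states seen above (no router policies; default #all router policies added; service policies corrected so "braand" dials and the router identity binds). The AnyOf role matching, the OKAY/ERROR rule (some common router and at least one permission) and all names are assumptions made for the illustration.

```python
# Assumed minimal model of OpenZiti's policy triangle (identities, services,
# edge routers), enough to reproduce the policy-advisor verdicts in this thread.
# Illustrative code only, not the ziti controller's own implementation.
from dataclasses import dataclass, field


@dataclass
class Entity:
    name: str
    attrs: set = field(default_factory=set)   # role attributes, e.g. {"#linux"}


def matches(spec, entity):
    """A role spec (AnyOf semantics assumed) matches by #all, @name or #attribute."""
    return any(r == "#all" or r == "@" + entity.name or r in entity.attrs for r in spec)


def advise(identity, service, routers, er_policies, ser_policies, svc_policies):
    """Return the facts 'ziti edge policy-advisor services' prints for one pair."""
    id_routers = {r.name for r in routers
                  if any(matches(p["identities"], identity) and matches(p["routers"], r)
                         for p in er_policies)}          # edge-router-policies
    svc_routers = {r.name for r in routers
                   if any(matches(p["services"], service) and matches(p["routers"], r)
                          for p in ser_policies)}        # service-edge-router-policies
    common = id_routers & svc_routers
    perms = {p["type"] for p in svc_policies             # service-policies (Dial/Bind)
             if matches(p["identities"], identity) and matches(p["services"], service)}
    return {"identity_routers": len(id_routers), "service_routers": len(svc_routers),
            "common": len(common), "dial": "Dial" in perms, "bind": "Bind" in perms,
            "ok": bool(common) and bool(perms)}


# Constructed scenario mirroring the thread: router identity, user identity, one service.
ROUTER_ID = Entity("openziti_edge_router_1")
USER = Entity("braand")
GIT = Entity("git")
ROUTERS = [Entity("openziti_edge_router_1")]
DEFAULT_ERP = [{"identities": {"#all"}, "routers": {"#all"}}]
DEFAULT_SERP = [{"services": {"#all"}, "routers": {"#all"}}]
# Mistake from the thread: the user identity ended up with Bind instead of Dial.
WRONG_SVC = [{"type": "Bind", "identities": {"@openziti_edge_router_1"}, "services": {"@git"}},
             {"type": "Bind", "identities": {"@braand"}, "services": {"@git"}}]
FIXED_SVC = [{"type": "Bind", "identities": {"@openziti_edge_router_1"}, "services": {"@git"}},
             {"type": "Dial", "identities": {"@braand"}, "services": {"@git"}}]


def thread_steps():
    """The three states seen in the thread, for identity 'braand' and service 'git'."""
    return (advise(USER, GIT, ROUTERS, [], [], WRONG_SVC),
            advise(USER, GIT, ROUTERS, DEFAULT_ERP, DEFAULT_SERP, WRONG_SVC),
            advise(USER, GIT, ROUTERS, DEFAULT_ERP, DEFAULT_SERP, FIXED_SVC))
```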

I've recreated the services, intercept.v1, etc and now I'm getting this:

[root@8bb1fcb59e77 ~]# ziti edge policy-advisor services --quiet "git"
OKAY : openziti_edge_router_1 (1) -> git (1) Common Routers: (1/1) Dial: N Bind: Y 

OKAY : braand (1) -> git (1) Common Routers: (1/1) Dial: Y Bind: N 

It should be alright now, shouldn't it? Still seeing 0 services on Ziti Edge Desktop.

Is there a terminator for service "git" in the page at URL path /zac/terminators?

yup

Is the enrolled identity in your Windows Desktop Edge app "braand" or "brand?"

It's "braand" I removed "brand" lol

Things look OK policy-wise. Is your desktop edge app complaining about anything in the logs?

I'm not sure how to open the logs on Windows, but I'll look for clues.

Main Menu -> Advanced Settings -> Service Logs

will open the latest log. Or you can find them at C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service

Looks like it's complaining about not being able to talk with the controller:

[2025-02-11T22:03:22.362Z]   ERROR tlsuv:engine.c:923 openssl: handshake was terminated: error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:22.362Z]   ERROR tlsuv:tls_link.c:113 TLS(0000025a6eefdff0) handshake error error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:22.362Z]   ERROR tlsuv:http.c:189 handshake failed status[3]: error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:22.362Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] request failed: -4079(software caused connection abort)
[2025-02-11T22:03:22.362Z]    WARN ziti-sdk:ziti_ctrl.c:342 internal_version_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] CONTROLLER_UNAVAILABLE(software caused connection abort)
[2025-02-11T22:03:22.362Z]    WARN ziti-sdk:ziti.c:1908 version_pre_auth_cb() ztx[0] failed to get controller version: CONTROLLER_UNAVAILABLE/software caused connection abort
[2025-02-11T22:03:22.362Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] request failed: -4079(software caused connection abort)
[2025-02-11T22:03:22.362Z]    INFO ziti-sdk:ziti_ctrl.c:187 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] attempting to switch endpoint
[2025-02-11T22:03:22.362Z]    WARN ziti-sdk:ziti_ctrl.c:605 ctrl_next_ep() ctrl[ctrl.84.235.226.183.sslip.io:1280] no controllers are online
[2025-02-11T22:03:22.362Z]    WARN ziti-sdk:ziti.c:641 ext_jwt_singers_cb() ztx[0] failed to get external auth providers: software caused connection abort
[2025-02-11T22:03:27.439Z]   ERROR tlsuv:win32_keychain.c:248 failed to sign: TPM 2.0 : Structure de taille incorrecte.

[2025-02-11T22:03:27.439Z]   ERROR tlsuv:engine.c:923 openssl: handshake was terminated: error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:27.439Z]   ERROR tlsuv:tls_link.c:113 TLS(0000025a6eefdff0) handshake error error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:27.439Z]   ERROR tlsuv:http.c:189 handshake failed status[3]: error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:27.439Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] request failed: -4079(software caused connection abort)
[2025-02-11T22:03:27.439Z]    WARN ziti-sdk:ziti_ctrl.c:342 internal_version_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] CONTROLLER_UNAVAILABLE(software caused connection abort)
[2025-02-11T22:03:27.439Z]    WARN ziti-sdk:ziti.c:1908 version_pre_auth_cb() ztx[0] failed to get controller version: CONTROLLER_UNAVAILABLE/software caused connection abort
[2025-02-11T22:03:27.439Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] request failed: -4079(software caused connection abort)
[2025-02-11T22:03:27.439Z]    INFO ziti-sdk:ziti_ctrl.c:187 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] attempting to switch endpoint
[2025-02-11T22:03:27.439Z]    WARN ziti-sdk:ziti_ctrl.c:605 ctrl_next_ep() ctrl[ctrl.84.235.226.183.sslip.io:1280] no controllers are online
[2025-02-11T22:03:27.439Z]    WARN ziti-sdk:ziti.c:641 ext_jwt_singers_cb() ztx[0] failed to get external auth providers: software caused connection abort
[2025-02-11T22:03:32.520Z]   ERROR tlsuv:win32_keychain.c:248 failed to sign: TPM 2.0 : Structure de taille incorrecte.

[2025-02-11T22:03:32.520Z]   ERROR tlsuv:engine.c:923 openssl: handshake was terminated: error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:32.520Z]   ERROR tlsuv:tls_link.c:113 TLS(0000025a6eefdff0) handshake error error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:32.520Z]   ERROR tlsuv:http.c:189 handshake failed status[3]: error:00000005:lib(0)::reason(5)
[2025-02-11T22:03:32.520Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] request failed: -4079(software caused connection abort)
[2025-02-11T22:03:32.520Z]    WARN ziti-sdk:ziti_ctrl.c:342 internal_version_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] CONTROLLER_UNAVAILABLE(software caused connection abort)
[2025-02-11T22:03:32.520Z]    WARN ziti-sdk:ziti.c:1908 version_pre_auth_cb() ztx[0] failed to get controller version: CONTROLLER_UNAVAILABLE/software caused connection abort
[2025-02-11T22:03:32.520Z]    WARN ziti-sdk:ziti_ctrl.c:184 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] request failed: -4079(software caused connection abort)
[2025-02-11T22:03:32.520Z]    INFO ziti-sdk:ziti_ctrl.c:187 ctrl_resp_cb() ctrl[ctrl.84.235.226.183.sslip.io:1280] attempting to switch endpoint
[2025-02-11T22:03:32.520Z]    WARN ziti-sdk:ziti_ctrl.c:605 ctrl_next_ep() ctrl[ctrl.84.235.226.183.sslip.io:1280] no controllers are online
[2025-02-11T22:03:32.520Z]    WARN ziti-sdk:ziti.c:641 ext_jwt_singers_cb() ztx[0] failed to get external auth providers: software caused connection abort

Maybe it's the wildcard DNS that's making this bug? I can't access ctrl.84.235.226.183.sslip.io:1280, but 84.235.226.183:1280 is working fine.

Your controller is advertising an address that the Windows client cannot reach.


I can reach ctrl.84.235.226.183.sslip.io:1280 just fine from here.