Stuck on error connecting to ziti edge management

Hi, I'm new to ziti.

I'm trying to create a self-hosted zrok on a DO droplet on AlmaLinux 9.

I followed the instructions in the quickstart guide for ziti (Host OpenZiti Anywhere | OpenZiti) and it installed successfully. Then, following the guide for self-hosted zrok (Self-Hosting Guide for Linux | Zrok), when I run "zrok admin bootstrap /etc/ctrl.yml" I get this error:

[ 0.007] INFO zrok/controller/store.Open: database connected
[ 0.190] INFO zrok/controller/store.(*Store).migrate: applied 20 migrations
[ 0.190] INFO zrok/controller.Bootstrap: connecting to the ziti edge management api
panic: error connecting to the ziti edge management api: Get "https://127.0.0.1:18080/.well-known/est/cacerts": dial tcp 127.0.0.1:18080: connect: connection refused

goroutine 1 [running]:
main.(*adminBootstrap).run(0xc000761410, 0xc00073fbb0?, {0xc000761f00?, 0x0?, 0x0?})
/home/runner/work/zrok/zrok/cmd/zrok/adminBootstrap.go:40 +0xf7
github.com/spf13/cobra.(*Command).execute(0xc0007aef08, {0xc000761ed0, 0x1, 0x1})
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:987 +0xab1
github.com/spf13/cobra.(*Command).ExecuteC(0x4f4c500)
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039
main.main()
/home/runner/work/zrok/zrok/cmd/zrok/main.go:106 +0x1a

I'm not sure if it's a zrok problem or a ziti problem. I think it is a ziti problem because of the error "panic: error connecting to the ziti edge management api: Get "https://127.0.0.1:18080/.well-known/est/cacerts": dial tcp 127.0.0.1:18080: connect: connection refused".

I'm stuck on this, can you help me?

PS: SELinux and firewalld are disabled.

Welcome, @luisorozco.

I think your zrok controller config looks like this:

ziti:
  api_endpoint:     "https://127.0.0.1:18080"

But api_endpoint needs to point to your ziti controller, not your zrok controller.

The ziti controller has a management API address that is configured, and the zrok controller needs the same address to connect.

You bootstrapped your ziti network with the expressInstall() quickstart, so the ziti api_endpoint in your zrok controller config must be like https://${EXTERNAL_DNS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT}, substituting those two values from your environment, e.g., https://ziti.example.com:8441.

After generating it with the quickstart, I assume you didn't customize the config. You can reference the generated config in the $ZITI_HOME/$(hostname -s).yaml, e.g., ~/.ziti/quickstart/computer1/computer1.yaml.

The ziti config value you are looking for in this file is the address property under the web section near the bottom.

Here's an example snippet of a ziti controller config that shows the address ziti.example.com:8441 in the same spot.

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ziti.example.com:8441
    identity:
      ca:          "/home/kbingham/.ziti/quickstart/mira/pki/mira-edge-controller-root-ca/certs/mira-edge-controller-root-ca.cert"
      key:         "/home/kbingham/.ziti/quickstart/mira/pki/mira-edge-controller-intermediate/keys/ziti.127.0.0.1.sslip.io-server.key"
      server_cert: "/home/kbingham/.ziti/quickstart/mira/pki/mira-edge-controller-intermediate/certs/ziti.127.0.0.1.sslip.io-server.chain.pem"
      cert:        "/home/kbingham/.ziti/quickstart/mira/pki/mira-edge-controller-intermediate/certs/ziti.127.0.0.1.sslip.io-client.cert"
    options:
      idleTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      - binding: edge-oidc
        options: { }
      - binding: edge-client
        options: { }
      - binding: fabric
        options: { }

Hi, thank you for your answer. It works perfectly!

I completed the self-host guide for zrok and it is running now.

But now I'm stuck when trying to set up zrok on the local machine. I set the apiEndpoint of zrok to my ziti/zrok DO droplet.

But when I run zrok status I get:

Environment:

PROPERTY VALUE
Secret Token <>
Ziti Identity <>

I don't know exactly what to do with that.

Then I ran zrok enable (my environment) and it works! But when I run, I get:

[ 0.973] ERROR main.(*sharePublicCommand).run.func3: error running http web backend: loading new config: http app module: start: listening on zrok/aqrpdtquanot:0: failed to listen: no apiSession, authentication attempt failed: Get "https://controller.domain.example.com:8441/oidc/authorize?client_id=native&code_challenge=Es2KR1aps6gl9CI33Za-vUJBwi-uxBe2zZgTZzff6Sg&code_challenge_method=S256&method=cert&prompt=Welcome+back!&redirect_uri=http%3A%2F%2F127.0.0.1%3A34797%2Fauth%2Fcallback&response_type=code&scope=openid+offline_access&state=27516d6f-a2ca-4c89-ae4a-054b216c69d0": redirect is not allowed as per DomainCheckRedirectPolicy

I'm stuck again. Sorry, I'm new to zrok.

Hey @luisorozco any update on the recent issue you faced related to the DomainCheckRedirectPolicy? I am stuck on the same error :frowning:

I think you were successful enabling your zrok environment with your self-hosted zrok instance. Congrats on that. :slightly_smiling_face:

Next, you wish to configure your zrok frontend for OAuth with Google or GitHub login?

After you configure OAuth, then you'll be able to use it with any zrok public shares.

There are two steps to set up OAuth for your zrok frontend:

  1. In the identity provider (link to GitHub developer settings) (link to Google developer doc), create a client id/secret for your zrok frontend
  2. In the zrok frontend config.yml file, set the client id/secret for each OAuth provider you wish to use (link to self-hosted zrok OAuth doc)

After your zrok frontend is configured for your chosen OAuth provider (Google or GitHub or both), then it will work.

@rohit not yet :frowning:

@qrkourier thank you, but for this environment I will not enable OAuth. I'm not sure if this "DomainCheckRedirectPolicy" error is related to OAuth.

I may have leapt to the wrong conclusion when I saw the OIDC part of the URL path that you shared. :slightly_smiling_face:

I thought you were attempting OAuth with a zrok public share. I see this is an error message emitted by the zrok share public command (or zrok share reserved for a public share), correct?

Let's ensure there are no OAuth configurations in effect because you're not using OAuth. In the zrok frontend's config.yml file, ensure there is not an oauth section. Here's an example config file: zrok/etc/frontend.yml at main · openziti/zrok · GitHub.

I'll ask around to see why else zrok might emit this particular ERROR.

EDIT: follow-on question - were you attempting to log in with OIDC (one type of SSO) through the zrok share URL at the time of the error, e.g., in your web browser?

Sure @qrkourier, will try that and let you know. Off topic, I've read that we can enable multiple environments in one zrok instance, any idea how?

@qrkourier regarding front.yml, I've made sure I am not using any OAuth config:

Neither am I trying to use SSO while running zrok share public

Let's make sure we're using the same words. Your zrok instance is the stack of zrok controllers and frontends that handle requests from all of your zrok environments.

You run zrok enable to enable a zrok environment on all the devices that will share or access a share.

Thanks for your response. This is my frontend.yml:

v: 3
host_match: cloud.betics.com.mx
address: 0.0.0.0:8080

tls:
  cert_path: "/etc/letsencrypt/live/ziti.mydomain.com/cert.pem"
  key_path: "/etc/letsencrypt/live/ziti.mydomain.com/privkey.pem"

Those pem files were generated by certbot --manual,

and I got the same error:

error creating proxy backend (error listening: failed to listen: no apiSession, authentication attempt failed:
.... redirect is not allowed as per DomainCheckRedirectPolicy

I think the error:

[ 0.756] ERROR main.(*shareReservedCommand).run.func2: error running http web backend: loading new config: http app module: start: listening on zrok/dioeujv52ghg:0: failed to listen: no apiSession, authentication attempt failed: Get "https://api.{myhost}:8441/oidc/authorize?client_id=native&code_challenge=ZfpwdI5mJqOUwvUOQ_ES3yDFWr7sxzfOuljPXRukXT0&code_challenge_method=S256&method=cert&prompt=Welcome+back%21&redirect_uri=http%3A%2F%2F127.0.0.1%3A33349%2Fauth%2Fcallback&response_type=code&scope=openid+offline_access&state=66cbb15b-2a55-4fdf-a259-e331eac79c96": redirect is not allowed as per DomainCheckRedirectPolicy

is an SSL cert problem. I don't know and I'm not sure, but if you open the URL contained in the error in the browser you get an "Invalid Cert" that is issued by NetFoundry. My theory is that when the request is sent to the endpoint and gets the "invalid cert" response, it redirects to the http version of the URL. Is that possible?


Hi @luisorozco. I think this is a bug with versions 0.4.22+. Can you download and try version 4.20? Release v0.4.20 · openziti/zrok · GitHub


Recent versions of ziti added an endpoint that's causing this issue. The fix for the ziti environment is merged. You have a few options, ranked in the order that I think makes most sense:

  1. open the controller yaml file (probably at $HOME/.ziti/quickstart/$(hostname)/$(hostname).yaml), go to the bottom of the file, remove or comment out these lines and use zrok 0.4.26 without a problem:

          - binding: edge-oidc
            options: { }
    
  2. use zrok 0.4.20 for now

  3. wait for a new ziti release and use that release

  4. use an older version of ziti (this is harder to do and I'd recommend you just do one of the above)
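As an added example (not code from this thread or from the zrok/ziti projects), here is a small Python check that scans a ziti controller config for the two things discussed above: the advertised web address that belongs in zrok's ziti.api_endpoint (the first answer), and the presence of the edge-oidc binding that triggers the DomainCheckRedirectPolicy error (the last answer). It uses a line-based scan rather than a YAML library, and the sample config is constructed from the snippet posted in this thread.

```python
import re

# Constructed sample, modelled on the quickstart controller snippet posted in this thread.
SAMPLE_ZITI_CONFIG = """\
web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ziti.example.com:8441
    apis:
      - binding: edge-management
        options: { }
      - binding: edge-oidc
        options: { }
"""

ADDRESS_RE = re.compile(r"^\s*address:\s*['\"]?([^'\"\s]+)")
BINDING_RE = re.compile(r"^\s*-\s*binding:\s*['\"]?([A-Za-z0-9_-]+)")

def inspect_web_section(text):
    """(addresses, bindings) under the top-level web: key; a line scan, not a full YAML parser."""
    addresses, bindings, in_web = [], [], False
    for line in text.splitlines():
        if re.match(r"^web:\s*$", line):
            in_web = True
        elif in_web and line and not line[0].isspace():
            in_web = False  # the next top-level key ends the web section
        if not in_web:
            continue
        if m := ADDRESS_RE.match(line):
            addresses.append(m.group(1))
        if m := BINDING_RE.match(line):
            bindings.append(m.group(1))
    return addresses, bindings

def zrok_api_endpoint(ziti_config_text):
    """Value for ziti.api_endpoint in zrok's ctrl.yml: the ziti controller's advertised address."""
    addresses, bindings = inspect_web_section(ziti_config_text)
    if "edge-management" not in bindings or not addresses:
        return None  # no management API advertised in this config
    return "https://" + addresses[0]

def findings(ziti_config_text, configured_endpoint):
    """Flag the two misconfigurations discussed in this thread."""
    out, expected = [], zrok_api_endpoint(ziti_config_text)
    if configured_endpoint.rstrip("/") != expected:
        out.append(f"api_endpoint {configured_endpoint} should be {expected}")
    if "edge-oidc" in inspect_web_section(ziti_config_text)[1]:
        out.append("edge-oidc binding present: the trigger for the DomainCheckRedirectPolicy error")
    return out
```

Run findings() against your own controller yaml text and the api_endpoint from /etc/ctrl.yml; an empty list means neither problem from this thread applies.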