Tls certification error

vs_01 · October 24, 2024, 7:10am

I am trying to setup an openziti network using openziti_manual_pki/db at main · nenkoru/openziti_manual_pki · GitHub.

This is the network topology I want. But getting certification error when try to add router2 in the network. It is getting connected to the controller but is not able to communicate to the public-edge-router.

I tried with openssl s_client -connect :1280, i get reply as self-signed certificate in the certificate chain. 1280 is the port number where controller is hosted.

When i try openssl s_client -connect :1290, i get reply as unable to get local issuer certificate. 1290 is the port number where public router is hosted.

How could this error be solved?

TheLumberjack · October 24, 2024, 11:38am

I recently forked that project and made changes. I'd recommend you use mine (unless my PR gets merged).

On my fork I've made this exact topology for you. Check out:

Then in four separate windows run:

window 1 - bootstrap the pki and then run the controller

./bootstrap.sh; ./run-controller.sh

window 2 - run the public edge router

./run-edge-router.sh

window 3 - run private router 1

./run-private-router-1.sh

window 4 - run private router 2

./run-private-router-2.sh

window 5 - run ziti cli commands:

$ ziti fabric list links
╭────────────────────────┬──────────────────┬──────────────────┬─────────────┬─────────────┬─────────────┬───────────┬────────┬───────────╮
│ ID                     │ DIALER           │ ACCEPTOR         │ STATIC COST │ SRC LATENCY │ DST LATENCY │ STATE     │ STATUS │ FULL COST │
├────────────────────────┼──────────────────┼──────────────────┼─────────────┼─────────────┼─────────────┼───────────┼────────┼───────────┤
│ 1bBpxB339SS5oTWepHgOTL │ private-router-2 │ test-edge-router │           1 │   65000.0ms │   65000.0ms │ Connected │     up │    130001 │
│ 712wV4evrcqj17D6YO4ZnT │ private-router-1 │ test-edge-router │           1 │   65000.0ms │   65000.0ms │ Connected │     up │    130001 │
╰────────────────────────┴──────────────────┴──────────────────┴─────────────┴─────────────┴─────────────┴───────────┴────────┴───────────╯
results: 1-2 of 2
cd@192.168.253.239:sg4: ~/git/github/dovholuknf/openziti_manual_pki
$ ziti edge list ers
╭────────────┬──────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME             │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼──────────────────┼────────┼───────────────┼──────┼────────────┤
│ CHRBtrh7yN │ test-edge-router │ true   │ true          │    0 │ public     │
│ IkqR-Nl7U  │ private-router-2 │ true   │ true          │    0 │ public     │
│ yxuB-NlPUN │ private-router-1 │ true   │ true          │    0 │ public     │
╰────────────┴──────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-3 of 3

Topic		Replies	Views
Problem with edge router after certificates update Support	4	232	June 18, 2023
TLS Handshake Failed: Remote Error "tls: bad certificate" in Ziti Controller	7	19	November 7, 2024
Let's Encrypt on Controller General Questions	3	553	February 9, 2023
Zrok Controller certificate error when using public CAs on openziti controller zrok	6	953	February 13, 2023
Ziti fabric list links not showing other connections Ziti Overlay	9	28	October 3, 2024