Troubleshooting starting a remote public edge router

Ok. These instructions assume you used the quickstart to set up the controller in the first place. If you haven't done that (I expect you did), then I think you should do that first and then run these steps... Assuming that you did use the quickstart...

Set up the shell...

Make sure your shell is clean by logging out, then logging back in. If you need to source the environment file, do that:

source $HOME/.ziti/quickstart/$(hostname)/$(hostname).env

Then source the ziti-cli-scripts helper:

source /dev/stdin <<< "$(wget -qO- https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/image/ziti-cli-functions.sh)"

Set up variables

Now set these five variables in your shell (the first four are the names and addresses the new certificate must be valid for; ZITI_CONTROLLER_HOSTNAME comes from the env file you sourced above). Replace ___FILL___ with the correct value (obviously) :slight_smile:

EDGE_CONTROLLER_EXTERNAL_DNS_NAME=___FILL___
EDGE_CONTROLLER_PRIVATE_DNS_NAME=___FILL___
EDGE_CONTROLLER_EXTERNAL_IP_ADDRESS=___FILL___
EDGE_CONTROLLER_PRIVATE_IP_ADDRESS=___FILL___
file_name="${ZITI_CONTROLLER_HOSTNAME}-$(date +'%Y-%m-%d_%H%M%S')"

Generate a new server certificate for your edge controller

This will make a new server cert, signed by the intermediate CA of the PKI that the quickstart created. The --dns and --ip lists become the certificate's subject alternative names, so every name or address a client will use to reach the controller has to be in them.

pki_allow_list_dns="${EDGE_CONTROLLER_EXTERNAL_DNS_NAME},${EDGE_CONTROLLER_PRIVATE_DNS_NAME},localhost,$(hostname)"
pki_allow_list_ip="127.0.0.1,${EDGE_CONTROLLER_EXTERNAL_IP_ADDRESS},${EDGE_CONTROLLER_PRIVATE_IP_ADDRESS}"

"${ZITI_BIN_DIR}/ziti" pki create server \
  --pki-root="${ZITI_PKI_OS_SPECIFIC}" \
  --ca-name "${ZITI_CONTROLLER_INTERMEDIATE_NAME}" \
  --server-file "${file_name}-server" \
  --dns "${pki_allow_list_dns}" --ip "${pki_allow_list_ip}" \
  --server-name "${file_name} server certificate"

Find the new .pem file

cat <<HERE

    NEW SERVER CERTIFICATE GENERATED
    USE THIS FILE: $(find $ZITI_HOME -name "*${file_name}*chain.pem")

HERE

Use it: update the controller config file

vi $ZITI_HOME/$(hostname).yaml

Find the identity section of the web entry (web.name.identity). Change the server_cert that is there and replace it with the path of the new "chain.pem" file. It should look something like mine:

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ec2-18-188-201-183.us-east-2.compute.amazonaws.com:8441
    identity:
      ca:       
      key:     
      server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-42-64/pki/ip-172-31-42-64-intermediate/certs/ip-172-31-42-64-2022-08-02_123132-server.chain.pem"

VERIFY it's correct using openssl

Use openssl to 'connect' and print the certificate (replace localhost if you're not ON the controller). Note that openssl x509 only parses the first certificate it is given, i.e. the leaf server cert; the full chain the controller sends is in the -showcerts output, and </dev/null closes the connection instead of leaving s_client waiting for input:

openssl s_client -connect localhost:8441 -showcerts </dev/null | openssl x509 -noout -text

restart the controller

sudo systemctl restart ziti-controller
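Added example (my own script, not code from the original post or from the OpenZiti project): a small POSIX shell script that checks the generated chain.pem before you point server_cert at it, and then confirms that a running listener really serves that file. It goes a step beyond the openssl s_client check above by comparing SHA-256 fingerprints instead of reading the certificate by eye. It assumes openssl is on PATH, that the chain file is leaf-first (leaf server cert followed by the issuing intermediate, as ziti pki create server writes it), and that the CA or intermediate cert that should anchor the chain is available as a separate PEM file. The throwaway CA and server chain in make_demo_pki are constructed for the self-test only; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenZiti.
# Checks a "<name>-server.chain.pem" (leaf first, then intermediate) and
# compares what a live listener serves with that file. Assumes openssl on PATH.

# Print the leaf cert's subjectAltName with spaces removed, e.g.
# "DNS:a.example.test,DNS:localhost,IPAddress:127.0.0.1". Empty if no SAN.
leaf_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# check_chain_sans CHAIN_PEM DNS_CSV IP_CSV
# DNS_CSV / IP_CSV use the same comma-separated format as pki_allow_list_dns
# and pki_allow_list_ip in the post. Returns 0 if every entry is in the leaf's
# SAN; prints each missing entry and returns 1 otherwise.
check_chain_sans() {
  chain="$1"; want_dns="$2"; want_ip="$3"
  sans=",$(leaf_sans "$chain"),"
  missing=0
  for d in $(printf '%s' "$want_dns" | tr ',' ' '); do
    case "$sans" in *",DNS:$d,"*) ;; *) echo "missing DNS SAN: $d"; missing=1 ;; esac
  done
  for ip in $(printf '%s' "$want_ip" | tr ',' ' '); do
    case "$sans" in *",IPAddress:$ip,"*) ;; *) echo "missing IP SAN: $ip"; missing=1 ;; esac
  done
  return $missing
}

# verify_chain CHAIN_PEM CA_PEM
# Returns 0 if the leaf validates up to CA_PEM using the intermediates found in
# the chain file itself (what a TLS client does), 1 otherwise.
verify_chain() {
  chain="$1"; ca="$2"
  leaf="$(mktemp)"
  openssl x509 -in "$chain" -out "$leaf" 2>/dev/null      # first PEM block = leaf
  openssl verify -CAfile "$ca" -untrusted "$chain" "$leaf" >/dev/null 2>&1
  rc=$?
  rm -f "$leaf"
  return $rc
}

# served_cert_matches HOST:PORT CHAIN_PEM
# Returns 0 if the leaf the listener presents has the same SHA-256 fingerprint
# as the leaf in CHAIN_PEM, i.e. the restarted controller picked up the new
# file. Needs a reachable listener, so the offline self-test does not call it.
served_cert_matches() {
  hostport="$1"; chain="$2"
  served="$(openssl s_client -connect "$hostport" -servername "${hostport%%:*}" \
              </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
  local_fp="$(openssl x509 -in "$chain" -noout -fingerprint -sha256)"
  [ -n "$served" ] && [ "$served" = "$local_fp" ]
}

# make_demo_pki DIR: constructed throwaway CA + server chain, used only to
# exercise the checks above offline. Not the quickstart PKI.
make_demo_pki() {
  dir="$1"; mkdir -p "$dir"
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\nprompt = no\n' > "$dir/req.cnf"
  printf '[dn]\nCN = demo-ca\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' >> "$dir/req.cnf"
  printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -subj "/CN=demo-server" -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:edge.example.test,DNS:localhost,IP:127.0.0.1,IP:10.0.0.5\n' > "$dir/san.cnf"
  printf 'extendedKeyUsage=serverAuth\n' >> "$dir/san.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/san.cnf" -out "$dir/server.pem" 2>/dev/null
  cat "$dir/server.pem" "$dir/ca.pem" > "$dir/server.chain.pem"
}

demo() {
  d="$(mktemp -d)"
  make_demo_pki "$d"
  check_chain_sans "$d/server.chain.pem" "edge.example.test,localhost" "127.0.0.1,10.0.0.5" \
    && echo "SAN check: ok"
  verify_chain "$d/server.chain.pem" "$d/ca.pem" && echo "chain verify: ok"
  check_chain_sans "$d/server.chain.pem" "router.example.test" "127.0.0.1" \
    || echo "SAN check correctly rejects a name that was not in the allow list"
  rm -rf "$d"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with --demo to see the checks against the constructed PKI, or source it and call check_chain_sans "$(find $ZITI_HOME -name "*${file_name}*chain.pem")" "$pki_allow_list_dns" "$pki_allow_list_ip" with the variables from the post, then served_cert_matches against the bind address after the controller restart. A mismatch on the last check usually means the yaml still points at the old file or the service did not actually restart.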

Wrapping up

That should give you what you need to make a new server cert from your existing PKI.
