I've moved this across to the 'private' port as well - I still have to provide the full URL to log in, but once I do I can now create identities as I'd expect.
I think I got a little lost on the separation of duties between the different APIs and assumed this one had to be public to allow clients to enrol.
Will I have to reconfigure my routers to point at this new port?
New config with both fixes combined looks like this:
web:
  - name: client
    bindPoints:
      - interface: 0.0.0.0:1280
        address: <serverdnsname>:1280
    identity:
      ca: "pki/root/certs/root.cert"
      key: "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert: "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms  # http timeouts, new
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-client
        options: { }
  - name: management
    bindPoints:
      - interface: 0.0.0.0:1281
        address: <serverdnsname>:1281
    identity:
      ca: "pki/root/certs/root.cert"
      key: "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert: "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      - binding: fabric
        options: { }
      - binding: zac
        options:
          location: /opt/openziti/share/console
          indexFile: index.html
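The point of the config above is that the client-facing `edge-client` API and the administrative `edge-management`, `fabric` and `zac` bindings now sit on separate listeners. The script below is an added example, not part of the original post or of the OpenZiti project: it audits a parsed `web:` section for exactly that separation, for a `minTLSVersion` floor of TLS1.2, and notes management listeners bound on all interfaces. The posted YAML is transcribed into a Python dict so the example runs with the standard library only (in practice you would `yaml.safe_load` the controller file); the second, combined config is constructed to show what the audit flags when both API groups still share one port.

```python
"""Audit an OpenZiti controller 'web' section for API/listener separation and TLS floors.

Added example: the checks are this reviewer's assumptions about what to verify,
not a rule set shipped by OpenZiti. Config dicts below mirror the YAML shape
(web -> list of listeners, each with bindPoints, options, apis).
"""

# Bindings that expose administrative capability (names as used on the page).
# Assumption: these should never share a listener with the client-facing API.
MANAGEMENT_BINDINGS = {"edge-management", "fabric", "zac"}
TLS_ORDER = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}
TLS_FLOOR = "TLS1.2"


def audit_web_config(cfg):
    """Return a list of (severity, message) findings for the given parsed config."""
    findings = []
    for listener in cfg.get("web", []):
        name = listener.get("name", "<unnamed>")
        bindings = {api.get("binding") for api in listener.get("apis", [])}
        mgmt = bindings & MANAGEMENT_BINDINGS

        # 1. Client API and management APIs must not share a listener.
        if "edge-client" in bindings and mgmt:
            findings.append(("high", f"{name}: edge-client shares a listener with {sorted(mgmt)}"))

        # 2. Enforce a TLS floor; a missing or unknown value counts as too low.
        min_tls = listener.get("options", {}).get("minTLSVersion")
        if TLS_ORDER.get(min_tls, -1) < TLS_ORDER[TLS_FLOOR]:
            findings.append(("medium", f"{name}: minTLSVersion is {min_tls!r}; expected {TLS_FLOOR} or higher"))

        # 3. Management listeners on 0.0.0.0 are worth a second look (informational only).
        for bp in listener.get("bindPoints", []):
            iface = bp.get("interface", "")
            if mgmt and iface.startswith("0.0.0.0:"):
                findings.append(("info", f"{name}: management APIs listen on all interfaces ({iface})"))
    return findings


# The poster's two-listener config, transcribed from the YAML above.
POSTED_CONFIG = {
    "web": [
        {
            "name": "client",
            "bindPoints": [{"interface": "0.0.0.0:1280", "address": "<serverdnsname>:1280"}],
            "options": {"minTLSVersion": "TLS1.2", "maxTLSVersion": "TLS1.3"},
            "apis": [{"binding": "edge-client", "options": {}}],
        },
        {
            "name": "management",
            "bindPoints": [{"interface": "0.0.0.0:1281", "address": "<serverdnsname>:1281"}],
            "options": {"minTLSVersion": "TLS1.2", "maxTLSVersion": "TLS1.3"},
            "apis": [
                {"binding": "edge-management", "options": {}},
                {"binding": "fabric", "options": {}},
                {"binding": "zac", "options": {"location": "/opt/openziti/share/console", "indexFile": "index.html"}},
            ],
        },
    ]
}

# Constructed counter-example: everything on one port with a weak TLS floor.
COMBINED_CONFIG = {
    "web": [
        {
            "name": "all",
            "bindPoints": [{"interface": "0.0.0.0:1280", "address": "<serverdnsname>:1280"}],
            "options": {"minTLSVersion": "TLS1.0", "maxTLSVersion": "TLS1.3"},
            "apis": [
                {"binding": "edge-client", "options": {}},
                {"binding": "edge-management", "options": {}},
                {"binding": "fabric", "options": {}},
            ],
        }
    ]
}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("combined", COMBINED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_web_config(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Against the posted config the only output is the informational note about the management listener being bound on `0.0.0.0`; the combined config produces a high-severity finding for the shared listener and a medium one for `TLS1.0`.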