I followed the example setup for BrowZer and Zac. However when I get to the final step of logging in to Browzer (brozac.domain.com:8446) I get greeted with the below certificate alert, then the page just loops reloading constantly. I can't see any errors in the brozac service for it.
I tried on Firefox as well however it looks like Firefox version 123 is not supported.
I checked my Zac login directly and that works, I can login to Auth0 and see a user created for my email address so I assume at least part of the puzzle is working.
The one thing I do see is in the Chrome console I have the following warning _shouldRouteOverZiti: no associated Ziti config, bypassing intercept of
Any help would be greatly appreciated. Also Shoutout to the very helpful ZitiTV, very helpful when I needed a bit more detail.
Hi @zHines, welcome to the community, to BrowZer and to OpenZiti!
The popup you see is merely a nuisance, but it's a common complaint. The first time you go to a browzer-enabled site you get that popup. We keep trying to discover a good way of suppressing the need for it and I'm sure we will some day but we havent' cracked that nut yet. Until that day, you can just ignore that first prompt. That is the server "demanding" the client supply a certificate before it connects. It's a "mutual TLS" thing...
As you discovered, BrowZer currently only works in chrome variants. That is true.
As to the BrowZer infinite redirect, that has been something I've hit myself but it's usually only "the first times" I do browzer, while I'm getting used to things (aka: as I mess them up). The best thing to do is to go to dev tools -> Application tab -> storage and "Clear site data". -- all of it. That OFTEN solves the issue.
As for your log message, it makes me think you have something else wrong though. "no associated Ziti Config" sounds to me like you don't have something setup just right.
The things to check here are:
you have an external jwt signer
you have an auth policy
the external jwt signer refers to the correct claims property
the IdP is configured to return that particular claim (often "email") and you can verify the jwt returned has that claim
you have made an identity that uses the --external-Id field and use the proper value in that field
the issuer used matches the jwt issuer exactly (we've seen people put in https://host/ but the issuer doesn't have a trailing slash: https://host and that causes issues)
Hopefully that all makes enough sense and is easy enough to follow? Glad you found the ZitiTV helpful! There was a follow-up that used KeyCloak specifically that might also be worth watching (well skimming since you're close)
Clearing storage did not help, I tried a couple of times. To Answer the rest of your checks.
you have an external jwt signer
Confirmed at <zac_url?/jwt-signers
issuer matches Auth0 domain
audience matches Auth0 clientID
claim property is email
it is enabled and use External is true.
you have an auth policy
Confirmed at <zac_url>/auth-policies
browzer-auth0-auth-policy extists, external JWT is true and an allow external JWT signers is set
the external jwt signer refers to the correct claims property
Confirmed at <zac_url?/jwt-signers claim property is email
the IdP is configured to return that particular claim (often "email") and you can verify the jwt returned has that claim
Confirmed using jwt.io I got the JWT from Chrome session storage and confirmed the email property is set and is my email.
you have made an identity that uses the --external-Id field and use the proper value in that field
Confirmed at <zac_url>/identities
user exists with identity name of my email, external id is my email, auth policy is browzer-auth0-auth-policy
This user is marked "online" and "Unregistered" not sure if that matters.
the issuer used matches the jwt issuer exactly (we've seen people put in https://host/ but the issuer doesn't have a trailing slash: https://host and that causes issues)
Confirmed at <zac_url?/jwt-signers
issuer is https://<auth0_host>/ matching iss value in the jwt.
One other thing that could be worth mentioning is every time navigate to the brozac url it does redirect me to the auth0 logout confirmation prompt, not sure if that is related.
Also thank-you in advance for pointing out the KeyCloak ZitiTV, I plan on using Keycloak in production once I validate my use cases.
Another thing I have noticed is that the ctrl.<my_url>:8443 url to Zac returns a netfoundry certificate still, not my wildcard certificate, I am not sure if that's related. I have checked and I have the ZITI_PKI_ALT_SERVER_KEY and ZITI_PKI_ALT_SERVER_CERT set in my quickstart/<ip_XX>/<ip_XX>.env file and have sourced that file.
Oh that's quite the hint. That makes me think the alt server certs are indeed wrong. At the beginning of the browzer instructions there's this important section:
Do you know if you correctly followed these instructions? It's really easy to overlook this. Is the indentation correct in the yaml? That's also super easy to mess up and yaml is sensitive to that.
I did set those variables correctly and have confirmed the below certs in ~/.ziti/quickstart/ip-172-31-4-61/ip-172-31-4-61.yaml
# Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
identity:
ca: "/home/ubuntu/.ziti/quickstart/ip-172-31-4-61/pki/ip-172-31-4-61-edge-controller-root-ca/certs/ip-172-31-4-61-edge-controller-root-ca.cert"
key: "/home/ubuntu/.ziti/quickstart/ip-172-31-4-61/pki/ip-172-31-4-61-edge-controller-intermediate/keys/ec2-13-236-44-189.ap-southeast-2.compute.amazonaws.com-server.key"
server_cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-4-61/pki/ip-172-31-4-61-edge-controller-intermediate/certs/ec2-13-236-44-189.ap-southeast-2.compute.amazonaws.com-server.chain.pem"
cert: "/home/ubuntu/.ziti/quickstart/ip-172-31-4-61/pki/ip-172-31-4-61-edge-controller-intermediate/certs/ec2-13-236-44-189.ap-southeast-2.compute.amazonaws.com-client.cert"
alt_server_certs:
- server_cert: "/etc/letsencrypt/live/remote-demo.hines.au/fullchain.pem"
server_key: "/etc/letsencrypt/live/remote-demo.hines.au/privkey.pem"
I also have confirmed the cert locations.
ubuntu@ip-172-31-4-61:~$ ls -la /etc/letsencrypt/live/remote-demo.hines.au/
total 12
drwxr-xr-x 2 root zitiweb 4096 Mar 10 01:24 .
drwxr-x--- 3 root zitiweb 4096 Mar 10 01:24 ..
-rw-r--r-- 1 root zitiweb 692 Mar 10 01:24 README
lrwxrwxrwx 1 root zitiweb 44 Mar 10 01:24 cert.pem -> ../../archive/remote-demo.hines.au/cert1.pem
lrwxrwxrwx 1 root zitiweb 45 Mar 10 01:24 chain.pem -> ../../archive/remote-demo.hines.au/chain1.pem
lrwxrwxrwx 1 root zitiweb 49 Mar 10 01:24 fullchain.pem -> ../../archive/remote-demo.hines.au/fullchain1.pem
lrwxrwxrwx 1 root zitiweb 47 Mar 10 01:24 privkey.pem -> ../../archive/remote-demo.hines.au/privkey1.pem
and the final path of the symlink
ubuntu@ip-172-31-4-61:~$ ls -la /etc/letsencrypt/archive/remote-demo.hines.au/
total 24
drwxr-xr-x 2 root zitiweb 4096 Mar 10 01:24 .
drwxr-x--- 3 root zitiweb 4096 Mar 10 01:24 ..
-rw-r--r-- 1 root zitiweb 1509 Mar 10 01:24 cert1.pem
-rw-r--r-- 1 root zitiweb 1826 Mar 10 01:24 chain1.pem
-rw-r--r-- 1 root zitiweb 3335 Mar 10 01:24 fullchain1.pem
-rw-r----- 1 root zitiweb 241 Mar 10 01:24 privkey1.pem
It's probably expected that this ZAC uses the non-LE certs. I think that's how I did it in that walkthrough. You could certainly update that ZAC to use the LE certs if you want.
I hit my broazc too and I'm getting a 404 from my keycloak IdP so something change between the last time I got this all working and now. I'll work with curt to get my env working and one of us will follow up later tomorrow.
No worries, thank-you for the help. I will check in for an update tomorrow. Once we have this issue resolved I will possibly post a few more questions I have in relation to the best-practice for setting up BrowZer to route to other servers over the Linux Tunnel system.
I have a bunch of scripts that install "all the things" automatically. I dunno if you want to look through those scripts to see if you did all the same steps or not... I'll see if i can work up a set of test commands to use that can probe your config to see if it's all setup correctly tomorrow... late here now
@curt No luck on the above, I tried that and cleared all application data, still no luck. I have also tried on both a windows machine, Linux machine and Android phone on three different networks just to eliminate most client side issues.
@zHines can you please set ZITI_BROWZER_RUNTIME_LOGLEVEL=trace in your bootstrapper, then restart it, then in Chrome, open a new tab and open dev tools, then hit your browZer URL, then once you see the loop happen, go to the dev tools Console tab, then save the log (via right-click Save-As...), and send the log to me (a DM is fine if you like).
@curt I have collected the logs you requested, however I can't for the life of me find a button to send a DM. Can you please point me in the right direction so I can send you the logs.
late here now
