Hi everyone,
I'm currently trying to update the controller from 1.6.3 to 1.6.14 and I think I'm getting the same error as last time. The log says:
panic: could not validate server at web[1]: identity is not valid for provided host: [mgmt.openziti.root-dev.example.com]. is valid for: [127.0.0.1, ::1, localhost, openziti.root-dev.example.com]
The controller configuration looks like this:
v: 3
db: "/ziti-controller/bbolt.db"
trustDomain: root-dev.example.com
identity:
  cert: "pki/intermediate/certs/client.chain.pem"
  server_cert: "pki/intermediate/certs/server.chain.pem"
  key: "pki/intermediate/keys/server.key"
  ca: "pki/root/certs/root.cert"
ctrl:
  options:
    advertiseAddress: tls:openziti.root-dev.example.com:443
  listener: tls:0.0.0.0:1280
healthChecks:
  boltCheck:
    interval: 30s
    timeout: 20s
    initialDelay: 30s
edge:
  api:
    sessionTimeout: 30m
    address: openziti.root-dev.example.com:443
  enrollment:
    signingCert:
      cert: pki/intermediate/certs/intermediate.cert
      key: pki/intermediate/keys/intermediate.key
    edgeIdentity:
      duration: 180m
    edgeRouter:
      duration: 180m
web:
  - name: public
    bindPoints:
      - interface: 0.0.0.0:1280
        address: openziti.root-dev.example.com:443
    identity:
      ca: "pki/root/certs/root.cert"
      key: "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert: "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-client
        options: { }
  - name: private
    bindPoints:
      - interface: 0.0.0.0:8080
        address: mgmt.openziti.root-dev.example:443
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-client
        options: { }
      - binding: edge-management
        options: { }
      - binding: fabric
        options: { }
      - binding: health-checks
        options: { }
      - binding: zac
        options:
          location: /ziti-console
          indexFile: index.html
Now, the strange thing I don’t understand is shown in the output I’ve attached below: I connect to the controller and view the current certificate, where the mgmt.openziti domain is missing, so I create a new server certificate with that domain. After that, the domain is included in the certificate.
# Show actual server certificate
[user@openziti-controller ziti-controller]$ openssl x509 -in pki/intermediate/certs/server.cert -noout -text | grep -A1 "Subject Alternative Name"
X509v3 Subject Alternative Name:
DNS:localhost, DNS:openziti.root-dev.example.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
# Generate new server certificate with mgmt.openziti domain
[user@openziti-controller ziti-controller]$ ziti pki create server \
    --allow-overwrite \
    --pki-root ./pki \
    --pki-country DE \
    --pki-province NRW \
    --pki-locality Frankfurt \
    --pki-organization "Example" \
    --pki-organizational-unit "IT" \
    --ca-name intermediate \
    --server-name openziti.root-dev.example.com \
    --spiffe-id 'controller/openziti' \
    --dns "localhost,openziti.root-dev.example.com,mgmt.openziti.root-dev.example.com" \
    --ip "127.0.0.1,::1"
Using CA name: intermediate
Success
# Show new generated server certificate
[user@openziti-controller ziti-controller]$ openssl x509 -in pki/intermediate/certs/server.cert -noout -text | grep -A1 "Subject Alternative Name"
X509v3 Subject Alternative Name:
DNS:localhost, DNS:openziti.root-dev.example.com, DNS:mgmt.openziti.root-dev.example.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
But when I restart the controller container and view the certificate again, it’s probably the “old” certificate again:
# Show server certificate after controller-container restart
[user@openziti-controller ziti-controller]$ openssl x509 -in pki/intermediate/certs/server.cert -noout -text | grep -A1 "Subject Alternative Name"
X509v3 Subject Alternative Name:
DNS:localhost, DNS:openziti.root-dev.example.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Is the certificate being overwritten somewhere? Where am I going wrong?
Thanks for the help.
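A pre-flight check for the mismatch reported in the panic above, as an added example that is not part of the original post and not code from the OpenZiti project. It assumes the controller's "identity is not valid for provided host" check is the standard Go hostname validation (`x509.Certificate.VerifyHostname`, the check Go's TLS stack uses), and it pulls host names out of a config with a simple regex over `address:` lines rather than the controller's own config loader. The certificate it tests against is a constructed self-signed one carrying the SAN set of the "old" certificate from the post, so the whole thing runs offline; point `checkServerCert` at a real PEM file to use it for real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"time"
)

// addressLine matches every "address: host:port" entry in a controller config
// (web bindPoints and edge.api); those are the hosts the certificate must cover.
// Assumption: a plain regex stands in for the controller's own config parser.
var addressLine = regexp.MustCompile(`(?m)^[ \t]*address:[ \t]*(\S+)`)

// extractAddressHosts returns the host part of each address: entry.
func extractAddressHosts(config string) []string {
	var hosts []string
	for _, m := range addressLine.FindAllStringSubmatch(config, -1) {
		host, _, err := net.SplitHostPort(m[1])
		if err != nil {
			host = m[1] // no port given, use the value as-is
		}
		hosts = append(hosts, host)
	}
	return hosts
}

// checkServerCert parses the first CERTIFICATE block of a PEM file (the leaf
// in a chain file) and runs VerifyHostname for every host. The map holds nil
// for hosts the certificate covers and the validation error otherwise.
func checkServerCert(certPEM []byte, hosts []string) (map[string]error, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	results := make(map[string]error, len(hosts))
	for _, h := range hosts {
		results[h] = cert.VerifyHostname(h)
	}
	return results, nil
}

// makeSelfSignedServerCert builds a constructed, self-signed server certificate
// with the given SANs so the check can be exercised without a real PKI.
func makeSelfSignedServerCert(dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed sample: the SAN set of the "old" certificate in the post.
	certPEM, err := makeSelfSignedServerCert(
		[]string{"localhost", "openziti.root-dev.example.com"},
		[]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")})
	if err != nil {
		panic(err)
	}
	// Constructed config fragment with the two web listeners' addresses.
	config := "web:\n" +
		"  - name: public\n    bindPoints:\n      - interface: 0.0.0.0:1280\n        address: openziti.root-dev.example.com:443\n" +
		"  - name: private\n    bindPoints:\n      - interface: 0.0.0.0:8080\n        address: mgmt.openziti.root-dev.example.com:443\n"
	results, err := checkServerCert(certPEM, extractAddressHosts(config))
	if err != nil {
		panic(err)
	}
	for host, verr := range results {
		if verr != nil {
			fmt.Printf("NOT COVERED %s: %v\n", host, verr)
		} else {
			fmt.Printf("ok          %s\n", host)
		}
	}
}
```

Run it against the file the config actually references (`server_cert` points at `server.chain.pem`, while the `openssl` commands in the post inspect `server.cert`), and run it before every restart: a host that VerifyHostname rejects here is exactly a host the controller will refuse to start for, so the check catches a certificate that was overwritten or never regenerated while it is still cheap to fix.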