Upgrade 1.1.15 -> 1.6.3

Hello everyone,

I am currently trying to upgrade from version 1.1.15 to 1.6.3. After adding trustDomain to my controller-config, all connections are working again.

However, I have moved the ZAC to a separate port, the corresponding config in the controller looks like this:

web:
  - name: public
    [...]
  - name: private
    bindPoints:
      - interface: 0.0.0.0:8080
        address: mgmt.openziti.example.com:443
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-client
        options: { }
      - binding: edge-management
        options: { }
      - binding: fabric
        options: { }
      - binding: health-checks
        options: { }
      - binding: zac
        options:
          location: /ziti-console
          indexFile: index.html

In version 1.1.15 I was able to reach ZAC; after the upgrade I now see the following error message in the log:

Jun 26 09:40:07 server01 openziti[49778]: panic: could not validate server at web[1]: identity is not valid for provided host: [mgmt.openziti.example.com]. is valid for: [127.0.0.1, ::1, localhost, openziti.example.com]

Here is the question: how do I solve this? Thanks for your help.

Hi @ZzenlD. This is telling you that your configuration is invalid for the certificates you have generated. OpenZiti never should have allowed you to operate in an invalid configuration but it used to allow for this. With version 1.4.3+ we started to check the certificates configured with the configuration. This is telling you that your certs are valid for the following addresses:

but your controller is trying to advertise mgmt.openziti.example.com, which is not in the list. To fix this, you must create a certificate that matches the desired advertisement.

Depending on how you installed your controller, that can be done in different ways. The easiest way is usually to find the key for the server certs and regenerate them using the ziti pki command.
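Added example, not part of the thread and not OpenZiti code: a Go check that reports which advertised addresses a server certificate's SANs fail to cover, the same mismatch the panic describes. The names `sampleCert` and `uncovered` are hypothetical, and the certificate is a constructed sample carrying the SANs listed in the log line.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sampleCert self-signs a throwaway cert with the SANs from the panic message (constructed sample).
func sampleCert() (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed demo key, never reuse
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"localhost", "openziti.example.com"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// uncovered returns the advertised hosts that the certificate's SANs do not cover.
func uncovered(cert *x509.Certificate, advertised []string) (missing []string) {
	for _, addr := range advertised {
		host, _, err := net.SplitHostPort(addr)
		if err != nil {
			host = addr // no ":port" present
		}
		if cert.VerifyHostname(host) != nil {
			missing = append(missing, host)
		}
	}
	return missing
}

func main() {
	cert, err := sampleCert()
	if err != nil {
		panic(err)
	}
	fmt.Println(uncovered(cert, []string{"openziti.example.com:443", "mgmt.openziti.example.com:443"}))
}
```

To run the same check against a real controller certificate, replace `sampleCert` with code that reads the PEM file and passes the decoded bytes to `x509.ParseCertificate`.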

I see, the router has the following option in the configuration for exactly this purpose:

edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - localhost
        - openziti-router
        - router.openziti.example.com
      ip:
        - "127.0.0.1"
        - "::1"

Is there something similar for the controller?