av-dev
October 18, 2022, 9:19pm
1
I am trying to enroll an endpoint with an identity obtained from a third-party CA (already registered in Ziti) but am getting the following error:
```
$ sudo /opt/openziti/bin/ziti-edge-tunnel enroll --jwt /opt/openziti/etc/identities/ca/ca.jwt --identity /opt/openziti/etc/identities/my-endpoint.json --cert my-endpoint.cert --key my-endpoint.key
(16141)[ 0.000] ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
(16141)[ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1994 enroll_cb() enrollment failed: enroll failed(-9)
```
```
sh-4.4$ /opt/openziti/bin/ziti-edge-tunnel version
v0.20.3-local
```
Am I missing something? TIA
I am on mobile and can’t try, but I think you need to pass a different flag… I’ll see if it’s in the doc.
av-dev
October 18, 2022, 9:25pm
3
Hmm, I was going by what the CLI shows.
```
sh-4.4$ /opt/openziti/bin/ziti-edge-tunnel enroll -h
ziti-edge-tunnel enroll: enroll Ziti identity
usage: ziti-edge-tunnel enroll -j|--jwt <enrollment token> -i|--identity <identity> [-k|--key <private_key> [-c|--cert <certificate>]] [-n|--name <name>]
-j|--jwt enrollment token file
-i|--identity output identity file
-k|--key private key for enrollment
-c|--cert certificate for enrollment
-n|--name identity name
```
Yeah. I just checked the doc. I or someone else will have to reproduce it to see if the doc/CLI help is full and complete. I’ll try later tonight or tomorrow a.m.
av-dev
October 18, 2022, 9:30pm
5
Sure. As always, I really appreciate the quick response.
Out of curiosity, could the hyphens in the names be causing the issue somehow? Still not able to try myself yet, but that thought occurred to me now, in case you could try
av-dev
October 18, 2022, 11:06pm
7
Actually my cert and key names don't contain hyphens; I just added those here for brevity. My actual values are something like /var/xx/certs/x.y.z.cert.pem
It’s a bug in the ziti-edge-tunnel. I’ll file it. You can use the ziti CLI if you want for now. That’ll let you get your enrollment file to continue your testing while we fix this issue…
Using ziti-edge-tunnel – error:
```
~/ziti-edge-tunnel enroll \
  --jwt "${jwt_file}" \
  --identity "$ZITI_PKI/$ca_name/keys/${identity_name}.json" \
  --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
  --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
  --name "${identity_name}"
[ 0.000] ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /home/runner/work/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
[ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1989 enroll_cb() enrollment failed: enroll failed(-9)
```
Using ziti CLI – success:
```
ziti edge enroll \
  --jwt "${jwt_file}" \
  --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
  --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
  --idname "${identity_name}" \
  --ca "${identity_full_ca_path}" \
  --out "$ZITI_PKI/$ca_name/keys/${identity_name}.json"
INFO enrolled successfully. identity file written to: /home/ubuntu/.ziti/quickstart/ip-172-31-42-64/pki/new_ca_000150/keys/new_ca_000150-ca_id_004825.json
```
av-dev
October 19, 2022, 12:59am
9
Yeah, that's what I ended up doing. And it did work with ziti edge enroll ...
Bug filed. Glad you got past it.
opened 01:10AM - 19 Oct 22 UTC
bug
See discourse thread https://openziti.discourse.group/t/using-ziti-edge-tunnel-e… nroll/820
User was using `ziti-edge-tunnel` to enroll an identity from a 3rd party CA receiving error shown. Using the `ziti` CLI `enroll` command succeeds (see discourse for example)
```
[ 0.000] ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /home/runner/work/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
[ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1989 enroll_cb() enrollment failed: enroll failed(-9)
```
Steps to reproduce:
### -- MAKE SURE YOU SET THIS --
```
edge_controller_uri=https://localhost:8441
```
### login somehow. If you used quickstart you can use `zitiLogin`
```
zitiLogin
```
### Assign your token to `zt_session`
```
# use your env file to get a zt_session header - used for curls below
zt_session=$(jq -r .edgeIdentities.default.token $ZITI_HOME/ziti-cli.json)
```
### generate a new CA
```
ca_name="new_ca_$(date +"%H%M%S")"
ca_dir="${ZITI_PKI}/${ca_name}"
caCert="$ZITI_PKI/${ca_name}/certs/${ca_name}.cert"
caKey="$ZITI_PKI/${ca_name}/keys/${ca_name}.key"
### create the PKI using the CLI
ziti pki create ca \
--pki-root="${ZITI_PKI}" \
--ca-file "${ca_name}" \
--ca-name "${ca_name}"
```
### make the ca to test with
```
ziti edge create ca $ca_name $caCert --autoca --ottca --auth
ca_id=$(ziti edge list cas 'name = "'"$ca_name"'"' -j | jq -r .data[].id)
ca_verification_token=$(ziti edge list cas 'name = "'"$ca_name"'"' -j | jq -r .data[].verificationToken)
cat <<HERE
CERT INFO
----------------------------------
New CA name : ${ca_name}
New CA dir : ${ca_dir}
New CA cert at : ${caCert}
New CA key at : ${caKey}
New CA id : ${ca_id}
HERE
```
### create a 3rd party CA
```
ziti pki create client \
--pki-root="${ZITI_PKI}" \
--ca-name=${ca_name} \
--client-name=${ca_verification_token} \
--client-file=${ca_verification_token}
path_to_verificationToken_cert="$ZITI_PKI/${ca_name}/certs/${ca_verification_token}.cert"
echo "New client lives at : ${path_to_verificationToken_cert}"
```
### demonstrate it's not verified yet
```
ziti edge list cas 'name = "'"$ca_name"'"'
```
### verify the CA
```
# submit the client cert to the proper endpoint using --data-binary
result=$(curl -vsk \
-X POST \
-H "Content-Type: text/plain" \
-H "zt-session: ${zt_session}" \
"${edge_controller_uri}/edge/management/v1/cas/${ca_id}/verify" \
--data-binary @${path_to_verificationToken_cert} \
)
```
### verify the CA is now 'V'erified
```
ziti edge list cas 'name = "'"$ca_name"'"'
```
### Make a new identity to enroll
```
# set your identity name. this is VITAL: you need to use the format of "[caName]-[commonName]"
# you can see when looking at the json that this is output:
# "identityNameFormat": "[caName]-[commonName]",
# this was my missing step. presenting a cert that doesn't match this pattern makes it fail to auth
identity_name="${ca_name}-ca_id_$(date +"%H%M%S")"
echo "New Identity named: ${identity_name}"
ziti pki create client \
--pki-root="${ZITI_PKI}" \
--ca-name=${ca_name} \
--client-name=${identity_name} \
--client-file=${identity_name}
# create a new identity - I couldn't find a 'ziti cli' nor 'ZAC' way of doing this. Needed to use the API
identity_id=$(curl -sk \
-H "Content-Type: application/json" \
-H "zt-session: ${zt_session}" \
"${edge_controller_uri}/edge/management/v1/identities" \
-d '{ "name": "'"${identity_name}"'", "type": "User", "isAdmin":false, "enrollment": { "ottca": "'"${ca_id}"'" } }' \
| jq -j '.data.id'
)
jwt_file="${ZITI_PKI}/${identity_name}.jwt"
echo "Third Party OTT identity created. ID: ${identity_id}"
```
### get the jwt from the controller - used to enroll...
```
curl -sk -H "Content-Type: application/json" \
-H "zt-session: ${zt_session}" \
"${edge_controller_uri}/edge/management/v1/identities/${identity_id}" \
| jq -j .data.enrollment.ottca.jwt > ${jwt_file}
echo "using jwt at ${jwt_file} to enroll"
# you need the CA bundle in order to enroll - this command grabs the ca bundle
curl -sk ${edge_controller_uri}/.well-known/est/cacerts > ${ZITI_PKI}/fetched-ca-certs.p7
openssl base64 -d -in ${ZITI_PKI}/fetched-ca-certs.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${ZITI_PKI}/fetched-ca-certs.pem
identity_full_ca_path="${ZITI_PKI}/fetched-ca-certs.pem"
```
### actually enroll the identity -- failure
```
~/ziti-edge-tunnel enroll \
--jwt "${jwt_file}" \
--identity "$ZITI_PKI/$ca_name/keys/${identity_name}.json" \
--key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
--cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
--name "${identity_name}"
```
### actually enroll the identity
```
ziti edge enroll \
--jwt "${jwt_file}" \
--cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
--key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
--idname "${identity_name}" \
--ca "${identity_full_ca_path}" \
--out "$ZITI_PKI/$ca_name/keys/${identity_name}.json"
```
Good news @av-dev. @scareything was able to find/fix the problem (and I confirmed that it’s fixed) in version 0.20.5. If you get the latest ziti-edge-tunnel, enroll should work now! Just don’t run the command twice in a row or you’ll hit this known issue: ziti-edge-tunnel: enroll should not overwrite json file on failure · Issue #268 · openziti/ziti-tunnel-sdk-c · GitHub
We’ll look to fix that one too, but for now you should be able to 3rd-party enroll.
av-dev
October 19, 2022, 4:37pm
12
Awesome. I will get the 0.20.5 version and give it a shot. Thank you both @TheLumberjack @scareything
@TheLumberjack Sounds like this fix resolves this now? Unable to import identity through ziti-edge-tunnel · Issue #548 · openziti/desktop-edge-win · GitHub . I noticed that you filed the bug above under another github repository.
@gooseleggs – no, not really… The way ziti-edge-tunnel works and the way ZDEW works are very closely related, but not close enough that I think the bug you filed is covered. For that report, the ZDEW UI needs to be enhanced to understand the same sort of things that one can do with ‘raw’ ziti-edge-tunnel.
Now if you want to run ziti-edge-tunnel for Windows without the whole ZDEW UI/packaging – I’d say yeah, that’d work. But you would need to make the service and maintain everything all on your own. So… imo, that issue is not done yet until it’s easy to do via the UI. I commented on that bug that I want to keep it open until we can do it with the UI. Thanks for the pointer!