Using ziti-edge-tunnel enroll

I am trying to enroll an endpoint with identity obtained from third party CA ( already registered in ziti ) but getting following error

$ sudo /opt/openziti/bin/ziti-edge-tunnel enroll --jwt /opt/openziti/etc/identities/ca/ca.jwt --identity /opt/openziti/etc/identities/my-endpoint.json --cert my-enpoint.cert --key my-enpoint.key

(16141)[        0.000]   ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
(16141)[        0.000]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1994 enroll_cb() enrollment failed: enroll failed(-9)
sh-4.4$ /opt/openziti/bin/ziti-edge-tunnel version

am I missing something? TIA

I am mobile and can’t try, but I think you need to pass a different flag… I’ll see if it’s in the doc

hmm, I was going by what cli shows.

sh-4.4$ /opt/openziti/bin/ziti-edge-tunnel enroll -h
ziti-edge-tunnel enroll: enroll Ziti identity
usage: ziti-edge-tunnel enroll -j|--jwt <enrollment token> -i|--identity <identity> [-k|--key <private_key> [-c|--cert <certificate>]] [-n|--name <name>]

	-j|--jwt	enrollment token file
	-i|--identity	output identity file
	-k|--key	private key for enrollment
	-c|--cert	certificate for enrollment
	-n|--name	identity name

Yeah. I just checked the doc. Me or someone will have to reproduce to see if the doc/cli help is full and complete. I’ll try later tonight or tomorrow am

sure. As always, really appreciate quick response. :slight_smile:

Out of curiosity, could the hyphens in the names be causing the issue somehow? Still not able to try myself yet, but that thought occurred to me now, in case you could try

actually my cert and key names dont contain hyphens, i just added those here for brevity. my actual values are something like /var/xx/certs/x.y.z.cert.pem

It’s a bug in the ziti-edge-tunnel. I’ll file it. You can use the ziti CLI if you want for now. That’ll let you get your enrollment file to continue your testing while we fix this issue…

Using ziti-edge-tunnel – error:

~/ziti-edge-tunnel enroll \
>     --jwt "${jwt_file}" \
>     --identity "$ZITI_PKI/$ca_name/keys/${identity_name}.json" \
>     --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
>     --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
>     --name "${identity_name}"
[        0.000]   ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /home/runner/work/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
[        0.000]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1989 enroll_cb() enrollment failed: enroll failed(-9)

Using ziti CLI – success:

ziti edge enroll \
>     --jwt "${jwt_file}" \
>     --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
>     --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
>     --idname "${identity_name}" \
>     --ca "${identity_full_ca_path}" \
>     --out "$ZITI_PKI/$ca_name/keys/${identity_name}.json"
INFO    enrolled successfully. identity file written to: /home/ubuntu/.ziti/quickstart/ip-172-31-42-64/pki/new_ca_000150/keys/new_ca_000150-ca_id_004825.json

yeah, thats what i ended up doing. And it did work with ziti edge enroll ...

bug filed. glad you got past it

1 Like

Good news @av-dev. @scareything was able to find/fix the problem (and I confirmed that it’s fixed) in version 0.20.5. If you get the latest ziti-edge-tunnel enroll should work now! Just don’t run the command twice in a row or you’ll hit this known issue: ziti-edge-tunnel: enroll should not overwrite json file on failure · Issue #268 · openziti/ziti-tunnel-sdk-c · GitHub

We’ll look to fix that one too - but for now you should be able to 3rd party enroll :slight_smile:

awesome. I will get the 0.20.5 version and give it a shot. Thank you both @TheLumberjack @scareything

@TheLumberjack Sounds like this fix resolves this now? Unable to import identity through ziti-edge-tunnel · Issue #548 · openziti/desktop-edge-win · GitHub. I noticed that you filed the bug above under another github repository.

@gooseleggs – no not really… The way ziti-edge-tunnel works and ZDEW work are very closely related, but not close enough where I think the bug you filed is covered. For that report, the ZDEW UI needs to be enhanced to understand the same sort of things that one can do with ‘raw’ ziti-edge-tunnel.

Now if you want to run ziti-edge-tunnel for windows without the whole ZDEW UI/packaging – I’d say yah that’d work. But you would need to make the service and maintain everything all on your own. So… imo - that issue is not done yet until it’s easy to do via the UI. I commented on that bug that I want to keep it open until we can do it with the UI. Thanks for the pointer!