Using ziti-edge-tunnel enroll

av-dev · October 18, 2022, 9:19pm

I am trying to enroll an endpoint with identity obtained from third party CA ( already registered in ziti ) but getting following error

$ sudo /opt/openziti/bin/ziti-edge-tunnel enroll --jwt /opt/openziti/etc/identities/ca/ca.jwt --identity /opt/openziti/etc/identities/my-endpoint.json --cert my-enpoint.cert --key my-enpoint.key

(16141)[        0.000]   ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
(16141)[        0.000]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1994 enroll_cb() enrollment failed: enroll failed(-9)

sh-4.4$ /opt/openziti/bin/ziti-edge-tunnel version
v0.20.3-local

am I missing something? TIA

TheLumberjack · October 18, 2022, 9:24pm

I am mobile and can’t try, but I think you need to pass a different flag… I’ll see if it’s in the doc

av-dev · October 18, 2022, 9:25pm

hmm, I was going by what cli shows.

sh-4.4$ /opt/openziti/bin/ziti-edge-tunnel enroll -h
ziti-edge-tunnel enroll: enroll Ziti identity
usage: ziti-edge-tunnel enroll -j|--jwt <enrollment token> -i|--identity <identity> [-k|--key <private_key> [-c|--cert <certificate>]] [-n|--name <name>]

	-j|--jwt	enrollment token file
	-i|--identity	output identity file
	-k|--key	private key for enrollment
	-c|--cert	certificate for enrollment
	-n|--name	identity name

TheLumberjack · October 18, 2022, 9:27pm

Yeah. I just checked the doc. Me or someone will have to reproduce to see if the doc/cli help is full and complete. I’ll try later tonight or tomorrow am

av-dev · October 18, 2022, 9:30pm

sure. As always, really appreciate quick response.

TheLumberjack · October 18, 2022, 10:56pm

Out of curiosity, could the hyphens in the names be causing the issue somehow? Still not able to try myself yet, but that thought occurred to me now, in case you could try

av-dev · October 18, 2022, 11:06pm

actually my cert and key names dont contain hyphens, i just added those here for brevity. my actual values are something like /var/xx/certs/x.y.z.cert.pem

TheLumberjack · October 19, 2022, 12:54am

It’s a bug in the ziti-edge-tunnel. I’ll file it. You can use the ziti CLI if you want for now. That’ll let you get your enrollment file to continue your testing while we fix this issue…

Using `ziti-edge-tunnel` – error:

~/ziti-edge-tunnel enroll \
>     --jwt "${jwt_file}" \
>     --identity "$ZITI_PKI/$ca_name/keys/${identity_name}.json" \
>     --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
>     --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
>     --name "${identity_name}"
[        0.000]   ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /home/runner/work/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
[        0.000]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1989 enroll_cb() enrollment failed: enroll failed(-9)

Using `ziti` CLI – success:

ziti edge enroll \
>     --jwt "${jwt_file}" \
>     --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
>     --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
>     --idname "${identity_name}" \
>     --ca "${identity_full_ca_path}" \
>     --out "$ZITI_PKI/$ca_name/keys/${identity_name}.json"
INFO    enrolled successfully. identity file written to: /home/ubuntu/.ziti/quickstart/ip-172-31-42-64/pki/new_ca_000150/keys/new_ca_000150-ca_id_004825.json

av-dev · October 19, 2022, 12:59am

yeah, thats what i ended up doing. And it did work with ziti edge enroll ...

TheLumberjack · October 19, 2022, 1:10am

bug filed. glad you got past it

github.com/openziti/ziti-tunnel-sdk-c

enroll with 3rd party CA

opened 01:10AM - 19 Oct 22 UTC

dovholuknf

bug

See discourse thread https://openziti.discourse.group/t/using-ziti-edge-tunnel-e…nroll/820 User was using `ziti-edge-tunnel` to enroll an identity from a 3rd party CA receiving error shown. Using the `ziti` CLI `enroll` command succeeds (see discourse for example) ``` [ 0.000] ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /home/runner/work/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate) [ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1989 enroll_cb() enrollment failed: enroll failed(-9) ``` Steps to reproduce: ### -- MAKE SURE YOU SET THIS -- ``` edge_controller_uri=https://localhost:8441 ``` ### login somehow. If you used quickstart you can use `zitiLogin` ``` zitiLogin ``` ### Assign your token to `zt_session` ``` # use your env file to get a zt_session header - used for curls below zt_session=$(jq -r .edgeIdentities.default.token $ZITI_HOME/ziti-cli.json) ``` ### generate a new CA ``` ca_name="new_ca_$(date +"%H%M%S")" ca_dir="${ZITI_PKI}/${ca_name}" caCert="$ZITI_PKI/${ca_name}/certs/${ca_name}.cert" caKey="$ZITI_PKI/${ca_name}/keys/${ca_name}.key" ### create the PKI using the CLI ziti pki create ca \ --pki-root="${ZITI_PKI}" \ --ca-file "${ca_name}" \ --ca-name "${ca_name}" ``` ### make the ca to test with ``` ziti edge create ca $ca_name $caCert --autoca --ottca --auth ca_id=$(ziti edge list cas 'name = "'"$ca_name"'"' -j | jq -r .data[].id) ca_verification_token=$(ziti edge list cas 'name = "'"$ca_name"'"' -j | jq -r .data[].verificationToken) cat <<HERE CERT INFO ---------------------------------- New CA name : ${ca_name} New CA dir : ${ca_dir} New CA cert at : ${caCert} New CA key at : ${caKey} New CA id : ${ca_id} HERE ``` ### create a 3rd party CA ``` ziti pki create client \ --pki-root="${ZITI_PKI}" \ --ca-name=${ca_name} \ --client-name=${ca_verification_token} \ --client-file=${ca_verification_token} path_to_verificationToken_cert="$ZITI_PKI/${ca_name}/certs/${ca_verification_token}.cert" echo "New client lives at : ${path_to_verificationToken_cert}" ``` ### demonstrate it's not verified yet ``` ziti edge list cas 'name = "'"$ca_name"'"' ``` ### verify the CA ``` # submit the client cert to the proper endpoint using --data-binary result=$(curl -vsk \ -X POST \ -H "Content-Type: text/plain" \ -H "zt-session: ${zt_session}" \ "${edge_controller_uri}/edge/management/v1/cas/${ca_id}/verify" \ --data-binary @${path_to_verificationToken_cert} \ ) ``` ### verify the CA is now 'V'erified ``` ziti edge list cas 'name = "'"$ca_name"'"' ``` ### Make a new identity to enroll ``` # set your identity name. this is VITAL you need to use the format of "[caName]-[commonName] # you can see when looking at the json that this is output: # "identityNameFormat": "[caName]-[commonName]", # this was my missing step. presenting a cert that doesn't match this pattern makes it fail to auth identity_name="${ca_name}-ca_id_$(date +"%H%M%S")" echo "New Identity named: ${identity_name}" ziti pki create client \ --pki-root="${ZITI_PKI}" \ --ca-name=${ca_name} \ --client-name=${identity_name} \ --client-file=${identity_name} # create a new identity - I couldn't find a 'ziti cli' nor 'ZAC' way of doing this. Needed to use the API identity_id=$(curl -sk \ -H "Content-Type: application/json" \ -H "zt-session: ${zt_session}" \ "${edge_controller_uri}/edge/management/v1/identities" \ -d '{ "name": "'"${identity_name}"'", "type": "User", "isAdmin":false, "enrollment": { "ottca": "'"${ca_id}"'" } }' \ | jq -j '.data.id' ) jwt_file="${ZITI_PKI}/${identity_name}.jwt" echo "Third Party OTT identity created. ID: ${identity_id}" ``` ### get the jwt from the controller - used to enroll... ``` curl -sk -H "Content-Type: application/json" \ -H "zt-session: ${zt_session}" \ "${edge_controller_uri}/edge/management/v1/identities/${identity_id}" \ | jq -j .data.enrollment.ottca.jwt > ${jwt_file} echo "using jwt at ${jwt_file} to enroll" # you need the CA bundle in order to enroll - this command grabs the ca bundle curl -sk ${edge_controller_uri}/.well-known/est/cacerts > ${ZITI_PKI}/fetched-ca-certs.p7 openssl base64 -d -in ${ZITI_PKI}/fetched-ca-certs.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${ZITI_PKI}/fetched-ca-certs.pem identity_full_ca_path="${ZITI_PKI}/fetched-ca-certs.pem" ``` ### actually enroll the identity -- failure ``` ~/ziti-edge-tunnel enroll \ --jwt "${jwt_file}" \ --identity "$ZITI_PKI/$ca_name/keys/${identity_name}.json" \ --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \ --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \ --name "${identity_name}" ``` ### actually enroll the identity ``` ziti edge enroll \ --jwt "${jwt_file}" \ --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \ --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \ --idname "${identity_name}" \ --ca "${identity_full_ca_path}" \ --out "$ZITI_PKI/$ca_name/keys/${identity_name}.json" ```

TheLumberjack · October 19, 2022, 4:30pm

Good news @av-dev. @scareything was able to find/fix the problem (and I confirmed that it’s fixed) in version 0.20.5. If you get the latest ziti-edge-tunnel enroll should work now! Just don’t run the command twice in a row or you’ll hit this known issue: ziti-edge-tunnel: enroll should not overwrite json file on failure · Issue #268 · openziti/ziti-tunnel-sdk-c · GitHub

We’ll look to fix that one too - but for now you should be able to 3rd party enroll

av-dev · October 19, 2022, 4:37pm

awesome. I will get the 0.20.5 version and give it a shot. Thank you both @TheLumberjack @scareything

gooseleggs · October 19, 2022, 6:45pm

@TheLumberjack Sounds like this fix resolves this now? Unable to import identity through ziti-edge-tunnel · Issue #548 · openziti/desktop-edge-win · GitHub. I noticed that you filed the bug above under another github repository.

TheLumberjack · October 19, 2022, 6:50pm

@gooseleggs – no not really… The way ziti-edge-tunnel works and ZDEW work are very closely related, but not close enough where I think the bug you filed is covered. For that report, the ZDEW UI needs to be enhanced to understand the same sort of things that one can do with ‘raw’ ziti-edge-tunnel.

Now if you want to run ziti-edge-tunnel for windows without the whole ZDEW UI/packaging – I’d say yah that’d work. But you would need to make the service and maintain everything all on your own. So… imo - that issue is not done yet until it’s easy to do via the UI. I commented on that bug that I want to keep it open until we can do it with the UI. Thanks for the pointer!

Topic		Replies	Views
How to enroll with a client certificate from another CA with ziti-edge-tunnel	2	378	September 23, 2021
Enrollment Failed ZDEW Ziti Desktop Edge for Windows	10	519	December 13, 2022
Enrollment of Demo Service identity fails	5	169	October 30, 2023
SDK and Enrollment SDK Questions	3	84	January 22, 2024
Host OpenZiti Anywhere Unable to enroll Support	9	82	March 22, 2024

Using ziti-edge-tunnel enroll

Using ziti-edge-tunnel – error:

Using ziti CLI – success:

Related Topics

Using `ziti-edge-tunnel` – error:

Using `ziti` CLI – success: