ZAC Certificates

Just wondering about something.

So I wiped and restarted my Host Anywhere Quickstart to play, and went through the various steps in Host OpenZiti Anywhere | NetFoundry Documentation and Ziti Admin Console | NetFoundry Documentation, downloading from GitHub to apply the ZAC.

Then I went over the documentation I wrote for alternative server certs. Console Configuration | NetFoundry Documentation

I can set up services and intercepts no worries. However, when I finished ZAC config I still see the certificate error in the browser. I am sure my last attempt at this worked fine, so I am not sure what I did wrong here.

Controller: v1.6.8, ZAC: 3.12.5 (I think these are both the latest versions).

alt_server_certs:
  - server_cert:  "/etc/letsencrypt/live/<DNS>/fullchain.pem"
    server_key:   "/etc/letsencrypt/live/<DNS>/privkey.pem"

certbot certificates output:

Found the following certs:
  Certificate Name: <DNS>
    Serial Number: <SERIAL No.>
    Key Type: ECDSA
    Domains: <DNS>
    Expiry Date: 2025-12-13 14:44:12+00:00 (VALID: 72 days)
    Certificate Path: /etc/letsencrypt/live/<DNS>/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/<DNS>/privkey.pem

Any thoughts from anyone?

I think I have a solution - it's definitely a “me” problem. I shall report back soon.

Ah maybe not me then - I have tried again. I noticed in my first renewed set up I had mistakenly omitted the environment variable for EXTERNAL_DNS - so my PKI was all sorts of weird with IP addresses. So I wiped it once more - really meticulous - stopped and removed all services, removed the folder and all the environment and started over.

I am back online with a quickstart zero trust fabric and a nicer looking PKI based on the EXTERNAL_DNS, but the ZAC is still claiming no valid public keys are available. So I am stumped at this point.

Have you possibly overlapped the "EXTERNAL_DNS" entry with the valid, letsencrypt domain? Doing so leads to non-deterministic behavior. That's my guess, it's a common mistake. Can you confirm your "private" PKI does not overlap with your LE domain name?

For example, I commonly use something like *.clint.demo.openziti.org for my ctrl (ctrl.demo.openziti.org) etc. If you do that and have something like "privatepki.clint.demo.openziti.org" you'll have overlapped the privatepki and LE cert.

You really need two FQDN entries to use a LE cert, a purely private pki FQDN (or IP only I suppose) and a FQDN for LE.

That's my best guess as to what happened.

Ah I think this makes sense. I thought I was simplifying by using the same - I can totally disambiguate this!! Thanks!

I will pop back and confirm though.

And it's working again. I feel like I am getting to know how to set this up better as a result.

I noted something along the way.

The expressInstall script seems to look at both $EXTERNAL_DNS and $(hostname), so my first attempt to disambiguate the DNS failed because I got plausible-looking PKI which displayed the names of both the EXTERNAL_DNS variable and the local host's system name, which were different. This resulted in the same problem.

When I set the local name of the server to be the same as the EXTERNAL_DNS, then it all worked fine.
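A pre-flight check for the two pitfalls this thread ran into (the private-PKI name overlapping the Let's Encrypt domain, and the hostname differing from EXTERNAL_DNS). This is an added example, not the project's own tooling; the names in the comments are constructed and the overlap rule is deliberately conservative (any shared suffix counts).

```shell
#!/bin/sh
# Added example: sanity checks to run before expressInstall / ZAC setup.
# Assumes POSIX sh and, for cert_sans only, an openssl binary (1.1.1+).

# names_overlap PRIVATE_FQDN LE_DOMAIN
#   returns 0 (true) when the private-PKI name would collide with the
#   Let's Encrypt name, 1 otherwise. LE_DOMAIN may be a wildcard such as
#   "*.clint.demo.openziti.org" (a constructed example value).
names_overlap() {
  priv=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  le=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  base=${le#\*.}                     # strip a leading "*." from a wildcard
  [ "$priv" = "$base" ] && return 0  # identical name
  case "$priv" in *.$base) return 0 ;; esac   # private name sits under LE name
  case "$base" in *.$priv) return 0 ;; esac   # LE name sits under private name
  return 1
}

# hostname_matches EXTERNAL_DNS [HOSTNAME]
#   expressInstall reads both EXTERNAL_DNS and $(hostname); this returns 0
#   only when they agree (case-insensitive). HOSTNAME defaults to $(hostname).
hostname_matches() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  have=$(printf '%s' "${2:-$(hostname)}" | tr 'A-Z' 'a-z')
  [ "$want" = "$have" ]
}

# cert_sans FULLCHAIN_PEM
#   prints the subjectAltName entries of the leaf cert so you can confirm the
#   LE certificate does not list the private-PKI name (needs network-free openssl).
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# Usage (constructed values; adjust to your own environment):
#   names_overlap privatepki.clint.demo.openziti.org '*.clint.demo.openziti.org' \
#     && echo "overlap: pick a different EXTERNAL_DNS"
#   hostname_matches "$EXTERNAL_DNS" || echo "hostname differs from EXTERNAL_DNS"
```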