Ziti-2.0.0-pre2 edge login, error 404

Hi, on my test server when I try to log in I get error 404. Single controller running 2.0.0-pre2; ZAC works. It has been upgraded 1.6.12 → 1.8.0-pre5 → 2.0.0-pre2.

root@pilvipannu:~# ./ziti-2.0.0-pre2 edge login
Enter controller host[:port] (default localhost:1280):
Untrusted certificate authority retrieved from server
Verified that server supplied certificates are trusted by server
Server supplied 2 certificates
Trust server provided certificate authority [Y/N]: Y
Server certificate chain written to /root/.config/ziti/certs/localhost_1280
Enter username: admin
Enter password:
Error: [POST /authenticate] authenticate (status 404): {}
Usage:
  ziti edge login my.controller.hostname[:port]/path [flags]

Flags:
      --ca string                 additional root certificates used by the Ziti Edge Controller
  -i, --cli-identity string       Specify the saved identity you want the CLI to use when connect to the controller with
  -c, --client-cert string        A certificate used to authenticate
....

Actually I had wrong port but still cannot login.

root@pilvipannu:~# ./ziti-2.0.0-pre3 edge login
Enter controller host[:port] (default localhost:1280): localhost:8443
Untrusted certificate authority retrieved from server
Verified that server supplied certificates are trusted by server
Server supplied 2 certificates
Trust server provided certificate authority [Y/N]: Y
Server certificate chain written to /root/.config/ziti/certs/localhost_8443
Enter username: admin
Enter password:
Error: failed to initiate authorization flow: could not find auth request id header from authorize endpoint
Usage:
  ziti edge login my.controller.hostname[:port]/path [flags]

Flags:
      --ca string                 additional root certificates used by the Ziti Edge Controller
  -i, --cli-identity string       Specify the saved identity you want the CLI to use when connect to the controller with

Hi @timnis,

Would you be willing to share your controller's config file privately with me? Either DM here on discourse, email to clint at openziti.org or something like that? I'm interested in how you have your config setup. I have done exactly this on my long-running instance and I have not had this particular problem. It makes me wonder if there's something in your config that's different in some way.

Do you perhaps "split" your management api? Do you perhaps NOT have oidc exposed externally?

Hi @TheLumberjack ,

Yes I have split management. If you mean edge-oidc it’s publicly accessible.
Port 1280 is accessed through haproxy because port 443 is shared with router also.

Here is my conf.

v: 3
db:            "/var/lib/private/ziti-controller/bbolt.db"
identity:
  cert:        "pki/intermediate/certs/client.chain.pem"
  server_cert: "pki/intermediate/certs/server.chain.pem"
  key:         "pki/intermediate/keys/server.key"
  ca:          "pki/root/certs/root.cert"
trustDomain: ziti.domain.com
ctrl:
  options:
    advertiseAddress: tls:ziti.domain.com:443
  listener:             tls:127.0.0.1:1280
healthChecks:
  boltCheck:
    interval: 30s
    timeout: 20s
    initialDelay: 30s
edge:
  api:
    sessionTimeout: 30m
    address: ziti.domain.com:443
  enrollment:
    signingCert:
      cert: pki/intermediate/certs/intermediate.cert
      key:  pki/intermediate/keys/intermediate.key
    edgeIdentity:
      duration: 180m
    edgeRouter:
      duration: 180m
web:
  - name: client-management
    bindPoints:
      - interface: 127.0.0.1:1280
        address: ziti.domain.com:443
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-client
        options: { }
      - binding: edge-oidc
        options: { }
  - name: management
    bindPoints:
      - interface: 0.0.0.0:8443
        address: ziti.domain.com:8443
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      - binding: fabric
        options: { }
      - binding: zac
        options:
          location: /opt/openziti/share/console
          indexFile: index.html
  - name: health-check
    bindPoints:
      - interface: 127.0.0.1:8444
        address: 127.0.0.1:8444
    apis:
      - binding: health-checks

Hi @TheLumberjack, when you have time could you check my conf?
Thanks in advance.

Hi @timnis,

Your config seems fine to me. We are about to make a pre6 release. Would you give that a try and see if this issue was solved in that release?

Is it possible that wherever you're running the ziti login from, it cannot get to ziti.domain.com:443?

The error makes it look to me like the client simply can't get to the edge-oidc endpoint.

You could try adding the edge-oidc endpoint to the internal "management" api section as well. There's no problem with having "edge-oidc" on there twice.
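The failure in this thread comes down to a listener that serves an edge API without also serving `edge-oidc`, so the CLI's OIDC authorization flow has nowhere to go. The script below is an added example, not code from the thread or from the OpenZiti project: it audits a parsed controller config for exactly that mismatch and produces a corrected copy. The rule it checks (every listener serving `edge-client` or `edge-management` should also serve `edge-oidc`) is taken from the resolution above and is an assumption on my part, not a documented OpenZiti requirement; `SAMPLE_CONFIG` is a constructed dict mirroring the shape of the posted YAML, and `load_config` is a hypothetical helper that needs PyYAML.

```python
import sys

# Bindings whose logins go through the OIDC flow, so they need edge-oidc on
# the same listener. Assumption derived from the thread's fix, not from docs.
OIDC_DEPENDENT = {"edge-client", "edge-management"}
OIDC_BINDING = "edge-oidc"

# Constructed sample mirroring the "web" section of the posted config:
# the split "management" listener has edge-management but no edge-oidc.
SAMPLE_CONFIG = {
    "web": [
        {
            "name": "client-management",
            "bindPoints": [{"interface": "127.0.0.1:1280", "address": "ziti.domain.com:443"}],
            "apis": [
                {"binding": "edge-client", "options": {}},
                {"binding": "edge-oidc", "options": {}},
            ],
        },
        {
            "name": "management",
            "bindPoints": [{"interface": "0.0.0.0:8443", "address": "ziti.domain.com:8443"}],
            "apis": [
                {"binding": "edge-management", "options": {}},
                {"binding": "fabric", "options": {}},
                {"binding": "zac", "options": {"location": "/opt/openziti/share/console"}},
            ],
        },
        {
            "name": "health-check",
            "bindPoints": [{"interface": "127.0.0.1:8444", "address": "127.0.0.1:8444"}],
            "apis": [{"binding": "health-checks"}],
        },
    ]
}


def bindings_for(listener):
    """Return the set of API binding names configured on one web listener."""
    return {api.get("binding") for api in listener.get("apis", []) if api.get("binding")}


def find_listeners_missing_oidc(config):
    """List (listener name, OIDC-dependent bindings) for every web listener that
    serves edge-client or edge-management without also serving edge-oidc."""
    problems = []
    for listener in config.get("web", []):
        present = bindings_for(listener)
        needs_oidc = present & OIDC_DEPENDENT
        if needs_oidc and OIDC_BINDING not in present:
            problems.append((listener.get("name", "<unnamed>"), sorted(needs_oidc)))
    return problems


def add_oidc_binding(listener):
    """Return a copy of the listener with edge-oidc appended; idempotent and
    non-mutating so the original config dict is left untouched."""
    apis = list(listener.get("apis", []))
    if OIDC_BINDING not in {api.get("binding") for api in apis}:
        apis.append({"binding": OIDC_BINDING, "options": {}})
    return {**listener, "apis": apis}


def fix_config(config):
    """Return a copy of the config where every flagged listener also serves
    edge-oidc; listeners that need no fix (e.g. health-check) are unchanged."""
    flagged = {name for name, _ in find_listeners_missing_oidc(config)}
    web = [add_oidc_binding(l) if l.get("name") in flagged else l for l in config.get("web", [])]
    return {**config, "web": web}


def load_config(path):
    """Hypothetical helper: parse a controller YAML file. Needs PyYAML."""
    import yaml  # imported lazily so the audit itself has no dependency
    with open(path) as f:
        return yaml.safe_load(f)


if __name__ == "__main__":
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, needs in find_listeners_missing_oidc(cfg):
        print(f"listener {name!r} serves {needs} but not {OIDC_BINDING}: add it to apis")
```

Run it against a real controller config with `python3 audit_oidc.py /path/to/ctrl.yml`; with no argument it audits the constructed sample and reports the `management` listener, which is the situation the thread resolved.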

Thanks, it was that :smiley: Now it works.