Ziti desktop edge for windows not enrolled with controller

Hello, I have installed the controller on a Linux machine and it is working fine. I installed the Ziti tunneler on 2 Windows machines and tried to enroll them with the controller. But when I tried to add the JWT in the tunneler it gave me the following error, which I found in the service log.
INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 1.0.6 @gee95018(HEAD) starting enrollment at (2024-08-20T21:39:51.063)
[2024-08-20T21:39:53.373Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -3008(unknown node or service)
[2024-08-20T21:39:53.373Z] ERROR ziti-sdk:ziti_enroll.c:222 well_known_certs_cb() D:/a/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:139 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
[2024-08-20T21:39:53.373Z] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:329 tunnel_enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
[2024-08-20T21:39:53.373Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:236 on_command_resp() resp[0,len=56] = {"Success":false,"Error":"enrollment failed","Code":500}

Can you find the controller config file and find this section:

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8441

Once you find that section, can you verify the windows machines can access that address?

Hi @TheLumberjack,
here is the information I found under Web

That's along the lines of what I expected to see. See how the address specified is "ubuntu:8441". This means all your identities on your overlay network will need to be able to resolve and connect to "ubuntu:8441".

I expect that address is not routable on your network and that's why your ZDEW can't enroll.

Did you follow the "host it local" quickstart maybe? If that's the case, I'd recommend you follow the Host OpenZiti Anywhere | OpenZiti instead as it will have you set additional variables.

Or, you could follow along with the newer linux deployment guide here Controller Deployment | OpenZiti

I followed Quickstart > Network > OpenZiti Anywhere
Host OpenZiti Anywhere | OpenZiti

It looks like you might have closed your shell then. I would recommend removing the $HOME/.ziti folder and following the guide again. Specifically, I think you missed this particular session. These variables weren't set

As per your suggestion I installed it again on a new server, where I am stuck on the console installation, in step 4 where we have to add the location path for ZAC. When I did nano to open the file
${ZITI_HOME}/$(hostname -s).yaml there is no such content. It is empty.
root@ubuntu:~/.ziti/quickstart/ubuntu/zac# sudo nano ${ZITI_HOME}/$(hostname -s).yaml

You are most likely not sourcing the .env file after the quickstart ran and thus the ZITI_HOME variable isn't set.

If you open any other terminals (or close/reopen the terminal) to follow the instructions you must source the .env file. See this section of the doc:

source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env

Alright, that fixed the issue now. It is installed successfully but I have the same issue. Here is my topology


When I tried to enroll the Windows machine with the controller it gave me an error. Is it because my Windows machine is behind NAT?

Here is the log on one of the Windows machines.
[2024-08-22T04:13:27.747Z] INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 1.0.6 @gee95018(HEAD) starting enrollment at (2024-08-22T04:13:27.747)
[2024-08-22T04:13:30.018Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -3008(unknown node or service)
[2024-08-22T04:13:30.018Z] ERROR ziti-sdk:ziti_enroll.c:222 well_known_certs_cb() D:/a/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:139 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
[2024-08-22T04:13:30.018Z] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:329 tunnel_enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
[2024-08-22T04:13:30.018Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:236 on_command_resp() resp[0,len=56] = {"Success":false,"Error":"enrollment failed","Code":500}
[2024-08-22T04:13:30.841Z] INFO ziti-sdk:ziti.c:936 ziti_re_auth_with_cb() ztx[0] starting to re-auth with ctrl[https://ubuntu:8441] api_session_status[0] api_session_expired[TRUE]
[2024-08-22T04:13:33.122Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -3008(unknown node or service)
[2024-08-22T04:13:33.122Z] WARN ziti-sdk:ziti.c:1623 api_session_cb() ztx[0] failed to get api session from ctrl[https://ubuntu:8441] api_session_state[1] CONTROLLER_UNAVAILABLE[-16] unknown node or service
[2024-08-22T04:13:38.122Z] INFO ziti-sdk:ziti.c:936 ziti_re_auth_with_cb() ztx[0] starting to re-auth with ctrl[https://ubuntu:8441] api_session_status[0] api_session_expired[TRUE]
[2024-08-22T04:13:40.379Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -3008(unknown node or service)
[2024-08-22T04:13:40.379Z] WARN ziti-sdk:ziti.c:1623 api_session_cb() ztx[0] failed to get api session from ctrl[https://ubuntu:8441] api_session_state[1] CONTROLLER_UNAVAILABLE[-16] unknown node or service

NAT will not affect your enrollment. What will affect enrollment is when the controller is not contactable. Notice in your logs you still see: ctrl[https://ubuntu:8441]. Did you recreate the identity and re-transfer the JWT?

Can you please verify the controller address as I mentioned before, and verify you can contact the address from the Windows machine? See Ziti desktop edge for windows not enrolled with controller - #2 by TheLumberjack

You need to confirm the Windows machine can access the address.

Alright, I checked that the controller address is accessible from the Windows machine. Also, when I edit the address with the controller IP then I am not able to access the controller via the GUI.

Just to be sure, that means this overlay is entirely in private address space, right?

At this point, I would expect you can issue this command from the windows machine and see a response (this is using cmd.exe):

openssl s_client -connect 10.200.2.7:8441 <NUL | openssl x509 -text

Can you share the SANs results?

            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:sg4, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1

Since you are using an IP address, the IP will need to be shown in that SANs block. Is it?

Hello @TheLumberjack,
OpenSSL wasn't installed on the Windows machine so I installed it and then gave the command you suggested. Here are the results.

One more thing you asked me: I regenerated the JWT file again and then retried to enroll it.
Before that I didn't use any NAT device and it was successfully enrolled, but later when I deployed my topology and tried to enroll it again I got this error.

No certificates were returned, is that port open? Maybe it's getting blocked?

Does this command return anything?

openssl s_client -connect 10.200.2.7:8441 <NUL

NAT won't matter. What will matter is that 10.200.2.7:8441 returns a server certificate that's valid for 10.200.2.7 and that the Windows machine can access that IP and port. I can see from the ping that it seems to be pingable, but we need to verify port :8441 returns a cert.

Here is the output
C:\Windows\system32>openssl s_client -connect 10.200.2.7:8441 <NUL
88090000:error:8000274D:system library:BIO_connect:Unknown error:crypto\bio\bio_sock2.c:178:calling connect()
88090000:error:10000067:BIO routines:BIO_connect:connect error:crypto\bio\bio_sock2.c:180:
connect:errno=0

C:\Windows\system32>

It's not connecting to the controller on port 8441. It won't work until you get that working.

Alright, got it.
Now what I did: I changed the web file from the controller IP address to the controller hostname.
Then I tried to run the openssl command on the Windows machine and it returned a certificate.


C:\Windows\system32>openssl s_client -connect 10.200.2.7:8441 <NUL | openssl x509 -text
Connecting to 10.200.2.7
Can't use SSL_get_servername
depth=2 C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ubuntu-edge-controller-root-ca Root CA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ubuntu-edge-controller-root-ca Root CA
verify return:1
depth=1 C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ubuntu-edge-controller-intermediate
verify return:1
depth=0 C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ubuntu server certificate
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
37:29:41:42:d1:dc:3b:c3:e2:6f:87:c9:94:3a:58:2e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ubuntu-edge-controller-intermediate
Validity
Not Before: Aug 21 18:56:17 2024 GMT
Not After : Aug 21 18:57:16 2025 GMT
Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ubuntu server certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d3:36:87:50:aa:2a:7b:ce:95:3d:9a:19:cc:18:
8c:66:44:99:4d:0c:9d:f1:af:75:c2:d6:e8:91:e5:
b0:26:0f:84:f4:70:4f:00:07:58:f2:8b:61:29:8a:
e1:4f:66:b2:af:2b:eb:8b:ef:89:13:e4:36:17:22:
08:90:5d:56:79:c3:66:81:74:1a:72:02:f6:71:50:
1e:98:f8:35:14:c9:f3:1f:df:1d:cb:a3:56:75:ad:
2a:7c:3a:cc:30:2b:21:33:7c:d3:95:7c:17:1b:f0:
fd:2b:02:53:68:90:c9:6e:1f:1f:89:14:6c:2c:0c:
b7:e4:e1:46:ae:5d:f8:71:cd:54:ba:85:d7:23:50:
2e:13:a0:38:47:65:ce:42:29:55:e9:5c:88:3c:20:
52:84:e6:9a:2a:a5:7a:7d:02:af:45:17:ae:77:bd:
65:a9:d5:14:ad:8b:72:c8:e8:1f:6f:2b:fc:52:1a:
51:b7:f5:b8:fe:61:36:81:d4:32:e5:f8:ee:8d:24:
00:44:ef:29:54:a0:65:57:ee:6b:b4:2c:27:47:3c:
48:1a:d7:cf:7b:d6:25:d5:f0:d2:bd:75:c6:de:18:
67:37:ef:22:08:a1:ab:82:c2:f1:2a:95:2e:03:9c:
3a:7e:31:34:c2:c4:5f:e8:18:96:c2:97:6f:4d:82:
58:ff:41:58:79:d9:46:c6:72:78:49:50:ab:cf:b4:
26:a3:34:e3:1e:42:5c:91:a7:df:8f:ea:3e:8a:ec:
3a:9c:c9:8a:8c:5a:ed:cd:ee:72:18:aa:7e:c2:cf:
80:6b:7d:da:d6:66:67:bd:b6:6f:6c:c4:a0:14:3b:
c1:f9:46:3d:ad:06:66:aa:45:8f:47:6d:a5:16:4f:
63:28:bc:67:da:d2:67:8a:28:81:c7:95:93:06:c1:
72:2a:fa:91:4f:2b:d5:8b:60:bd:84:70:8b:05:02:
7f:be:c2:16:74:4f:78:cd:22:b0:af:1d:d4:33:54:
28:05:f6:cb:c2:e7:5c:68:a4:ff:30:57:8b:41:0d:
52:e1:de:47:6a:c5:8c:3b:f6:21:0f:47:2d:69:b1:
a9:0c:b8:a6:cb:cc:da:88:cb:57:92:d6:5c:24:23:
43:3f:44:85:93:f4:5d:09:44:1c:de:7d:a3:33:3f:
7a:d9:f3:1b:45:b3:cc:60:46:b5:27:e1:a2:83:2d:
11:a3:81:ef:07:c6:91:1b:a6:ea:ac:94:61:98:27:
22:34:09:08:7a:a3:d1:d7:49:69:52:b3:50:72:8b:
3b:6c:2f:66:7d:20:00:40:e8:5e:85:7b:13:a5:ea:
b5:a5:12:ae:81:bd:a2:25:53:1d:f4:59:00:b8:b1:
2d:a7:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
F1:8C:E2:56:2E:C0:DC:7F:A0:B1:35:E0:73:06:05:D9:92:5C:50:73
X509v3 Authority Key Identifier:
5D:52:AB:7A:E0:20:21:C6:07:5F:ED:44:53:B1:7C:C8:83:B3:CD:17
X509v3 Subject Alternative Name:
DNS:localhost, DNS:ubuntu, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
6e:6a:55:32:f0:30:11:1c:5c:ef:39:53:11:c4:f1:be:45:92:
25:06:25:9f:5b:f6:9f:f6:da:99:f7:81:fe:d5:f6:0f:cc:52:
af:a2:1e:f4:8e:4b:04:fc:73:a6:d4:b4:b8:57:ab:8b:8b:f8:
b4:36:21:a0:ba:69:cd:30:e9:34:41:bd:b2:01:b2:1c:cd:1c:
94:e6:91:8e:3a:b5:e5:1a:12:29:49:f0:fc:63:12:82:cf:9d:
5b:31:f7:f1:cd:f2:3a:54:5d:57:b6:e2:1e:6a:7e:5e:f8:7d:
c3:d6:2f:f2:68:09:99:64:21:5e:67:3d:94:b2:33:b6:40:cc:
f5:92:19:3c:f3:24:57:3f:64:b6:a9:9c:46:1e:ce:4e:56:8b:
62:58:44:94:e1:73:40:92:e1:40:f9:dc:10:ec:ac:d6:6d:8e:
e3:66:08:f0:14:54:8c:68:29:fb:35:3f:85:90:6f:2c:48:b2:
3e:3b:cf:ee:80:d2:9b:fb:de:bf:3b:5e:33:9e:b4:5a:9f:14:
74:f1:1f:9d:4e:20:be:53:ec:a9:f3:75:a3:f8:d3:22:4d:a1:
fb:71:f4:04:59:d0:17:16:85:c8:8b:c6:85:f8:af:33:fd:70:
c0:73:57:03:bb:39:76:10:31:97:dd:5e:28:72:a2:e9:83:2e:
b3:67:25:19:7c:d6:e1:42:22:99:8a:5b:ee:bf:30:62:a7:c7:
cc:70:ae:0e:a2:ea:8b:1e:c4:0c:5e:d2:da:2e:ff:b4:a9:03:
e1:5a:77:69:b3:ea:8c:8c:99:0a:27:11:34:e6:46:1e:37:bb:
f7:cf:71:0a:44:39:d5:3b:93:83:b5:0b:70:50:18:1a:4c:79:
56:e2:cc:13:76:f6:50:ac:ee:2b:83:c8:4c:85:4e:51:49:b2:
db:6e:3e:99:19:02:c8:c3:e9:6e:6c:3a:9d:bb:17:d4:40:32:
9b:2f:b3:47:30:8b:71:2b:de:e7:03:30:41:a1:e2:61:67:b0:
9c:0f:92:65:38:4f:cf:18:52:da:6f:19:71:7a:fc:05:7a:e4:
dd:8d:f9:df:3e:1e:a9:cc:c3:01:c6:60:0a:72:3f:1e:4c:6e:
5b:cb:a0:0d:51:c4:c6:c5:ad:44:30:1c:21:61:4a:2b:a3:0b:
c2:c6:06:93:e4:03:24:13:95:69:f7:f9:c6:7d:3a:4d:22:f3:
54:4a:3e:ec:b8:72:95:95:2f:e7:15:4f:04:1c:68:17:1c:32:
8c:be:95:fb:50:d5:54:cc:03:35:2f:e0:a6:4b:f9:91:cf:5c:
fe:30:86:aa:ec:e6:79:0e:4e:9a:ba:42:56:9e:b8:23:5c:99:
64:ad:76:b7:12:e5:c4:9e
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
DONE

Is that the expected result?
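The check TheLumberjack describes in this thread (the host part of the controller's advertised `address:` must appear in the server certificate's Subject Alternative Name, as a `DNS:` entry when it is a hostname and as an `IP Address:` entry when it is a literal IP) can be automated against the text that `openssl x509 -text` prints. The Python below is an added example, not code from the thread or from OpenZiti; the two SAN blocks it parses are constructed sample input copied from the certificate dumps above, and the function names (`parse_sans`, `check_controller_address`) are this example's own. Run against the final certificate above it reports `ubuntu:8441` as covered and `10.200.2.7:8441` as not covered, which is exactly why the IP address form failed to verify.

```python
import ipaddress

# Constructed sample input for this added example: the SAN block exactly as
# `openssl x509 -text` prints it, with the values from the controller
# certificate dumped at the end of the thread.
CONTROLLER_X509_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:ubuntu, IP Address:127.0.0.1
        Signature Algorithm: sha256WithRSAEncryption
"""

# Second constructed sample, mirroring the earlier SAN line in the thread
# that also carried an IPv6 loopback entry.
LOOPBACK_X509_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:sg4, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
"""


def parse_sans(x509_text):
    """Return (dns_names, ip_addresses) from the SAN block of `openssl x509 -text`.

    The SAN values sit on the single line following the
    'X509v3 Subject Alternative Name:' header, comma separated.
    """
    lines = x509_text.splitlines()
    dns_names, ip_addresses = [], []
    for i, line in enumerate(lines):
        if line.strip() == "X509v3 Subject Alternative Name:" and i + 1 < len(lines):
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    dns_names.append(value.strip().lower())
                elif kind == "IP Address":
                    # ip_address() normalises forms such as 0:0:0:0:0:0:0:1 -> ::1
                    ip_addresses.append(ipaddress.ip_address(value.strip()))
            break
    return dns_names, ip_addresses


def dns_name_matches(pattern, host):
    """RFC 6125 style comparison: exact match, or a single leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) >= 2 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def split_host_port(address):
    """Split a controller 'address:' value such as 'ubuntu:8441' or '[::1]:8441'."""
    if address.startswith("["):
        host, _, port = address[1:].partition("]:")
    else:
        host, _, port = address.rpartition(":")
    return host, int(port)


def check_controller_address(address, x509_text):
    """Return (covered, explanation) for the advertised controller address.

    A client verifies the server certificate against the host it dialled, so
    that host must be in the SAN: a DNS entry for a name, an IP Address entry
    for a literal IP. Port is reported only to make the message self-contained.
    """
    host, port = split_host_port(address)
    dns_names, ip_addresses = parse_sans(x509_text)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        covered = any(dns_name_matches(p, host) for p in dns_names)
        kind = "DNS name"
    else:
        covered = ip in ip_addresses
        kind = "IP address"
    if covered:
        return True, f"{kind} {host} (port {port}) is covered by the certificate SAN"
    return False, (
        f"{kind} {host} (port {port}) is NOT in the SAN; certificate only covers "
        f"DNS={dns_names} IP={[str(a) for a in ip_addresses]}"
    )


if __name__ == "__main__":
    for addr in ("ubuntu:8441", "10.200.2.7:8441", "localhost:8441"):
        print(check_controller_address(addr, CONTROLLER_X509_TEXT))
```

To use it on a live controller, save the output of `openssl s_client -connect host:port <NUL | openssl x509 -text` to a file and pass its contents as `x509_text` together with the `address:` value from the `client-management` bind point. Note that the `-3008 (unknown node or service)` in the tunneler log is a name-resolution failure (libuv's EAI_NONAME), which happens before any certificate is examined: the Windows machine must first be able to resolve the host named in `address:`, and only then does the SAN question decide whether verification succeeds.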