Ziti desktop edge for windows not enrolled with controller

Yes. Now if you add on the extra bit you'll get the SANs out... since you included the cert, I could do that and I see:

            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:ubuntu, IP Address:127.0.0.1

If you restart your controller, create an identity, and transfer the jwt to Windows, it should work now. You also need to verify that this section shows the same "ubuntu:8441"; it should be around line 129-ish:

edge:
  api:
    sessionTimeout: 30m
    address: ubuntu:8441

I checked the edge: configuration, which is the same as you mentioned. Now I did as you suggested: restarted the controller, created a new identity, and then tried to enroll it with the controller, but got the same issue.

[2024-08-22T21:43:23.407Z] INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 1.0.6 @gee95018(HEAD) starting enrollment at (2024-08-22T21:43:23.407)
[2024-08-22T21:43:25.666Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -3008(unknown node or service)
[2024-08-22T21:43:25.666Z] ERROR ziti-sdk:ziti_enroll.c:222 well_known_certs_cb() D:/a/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:139 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
[2024-08-22T21:43:25.666Z] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:329 tunnel_enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
[2024-08-22T21:43:25.666Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:236 on_command_resp() resp[0,len=56] = {"Success":false,"Error":"enrollment failed","Code":500}
[2024-08-22T21:47:10.251Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:673 on_cmd() received cmd <{"Data":{"JwtFileName":"New-Wind-user.jwt","JwtContent":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImI2NTRjZWY1MmFlZTY2NTdmYWQ1MDhlMTIwZWQzYjA3ZThlNzFkYmUiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL3VidW50dTo4NDQxIiwic3ViIjoiRXloT1hvTkcuIiwiYXVkIjpbIiJdLCJleHAiOjE3MjQzNDg3ODgsImp0aSI6ImU1N2EyOTJmLTExN2YtNDg2NS1iY2RlLWEyODg3YTA5ZWNmNyIsImVtIjoib3R0IiwiY3RybHMiOm51bGx9.gEMIIWR3NoD1Kk_elGvKTtnvN1sa_5QSMDrELTNhSAgjI7Ok1u-Ck7nozANpV2NY2X9fUKXVUeLA9OyVZ4tWOXHWq2wzDQwXA1-5RylCQ9E2YWj8rDKoE_7dsQgFTbyEWx1RU6OeO-9W1Jrkw8nOEGZS7t_EJc-nakCMHOs-X13LOfWuwyNcJLujzqUPuIrwlKSaMVbxdu2HiBpfMIfrx8-owS85590DgfjtZH1C_COzbkPY-sPb4i02OZ8ruOHpyU_Z0fK8lKnjHVJRpwZqPJWkPN10aYCPMBW3aeTWbj6ZPkpk0G4K9xi8UbAm21idoed-ijT2SsD0mzpLi9BNvnNTj6099sORS-xLV4z88GKFMO6r1cHWrfxDfoOaIcUMladSuVoWoDuIWc09pOnRkXz3WfpQFA95tX5o6PB8SCXw-iqsqpuE0v0JADpXCfL4IGnBnqXUsmMA8WNpDe6VA5wF2qTP6KpUxl0sfeEQyUj7aELGe1sGUIRD1zJVrBYXeNbgv1Nl8ynn2e85bf6zOTwlgphshclaXpPnUYp9jbRH_5cm6XpfiWtkmesRlwPNYrX77FCGgO1aFj-MtrO1h_sZZs-mzadAgzrQpkiwBZt9eUiOD-yOeD3UA56_lCMQbv0k_dCycJ4maKNx
[2024-08-22T21:47:10.251Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:673 on_cmd() received cmd <1w8Twq6gWDRo"},"Command":"AddIdentity"}

[2024-08-22T21:47:10.251Z] INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 1.0.6 @gee95018(HEAD) starting enrollment at (2024-08-22T21:47:10.251)
[2024-08-22T21:47:12.505Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -3008(unknown node or service)
[2024-08-22T21:47:12.505Z] ERROR ziti-sdk:ziti_enroll.c:222 well_known_certs_cb() D:/a/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:139 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
[2024-08-22T21:47:12.505Z] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:329 tunnel_enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
[2024-08-22T21:47:12.505Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:236 on_command_resp() resp[0,len=56] = {"Success":false,"Error":"enrollment failed","Code":500}

It'd be appreciated if you used code fences when posting logs and other formatted text.

Can you post the JWT here? Usually that's a really bad idea (JWTs are secret!), but since this JWT is entirely local to your network, it's safe to post.

OR - can you open the jwt in jwt.io and show me the body?

Here is the jwt file.

eyJhbGciOiJSUzI1NiIsImtpZCI6ImI2NTRjZWY1MmFlZTY2NTdmYWQ1MDhlMTIwZWQzYjA3ZThlNzFkYmUiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL3VidW50dTo4NDQxIiwic3ViIjoiRXloT1hvTkcuIiwiYXVkIjpbIiJdLCJleHAiOjE3MjQzNDg3ODgsImp0aSI6ImU1N2EyOTJmLTExN2YtNDg2NS1iY2RlLWEyODg3YTA5ZWNmNyIsImVtIjoib3R0IiwiY3RybHMiOm51bGx9.gEMIIWR3NoD1Kk_elGvKTtnvN1sa_5QSMDrELTNhSAgjI7Ok1u-Ck7nozANpV2NY2X9fUKXVUeLA9OyVZ4tWOXHWq2wzDQwXA1-5RylCQ9E2YWj8rDKoE_7dsQgFTbyEWx1RU6OeO-9W1Jrkw8nOEGZS7t_EJc-nakCMHOs-X13LOfWuwyNcJLujzqUPuIrwlKSaMVbxdu2HiBpfMIfrx8-owS85590DgfjtZH1C_COzbkPY-sPb4i02OZ8ruOHpyU_Z0fK8lKnjHVJRpwZqPJWkPN10aYCPMBW3aeTWbj6ZPkpk0G4K9xi8UbAm21idoed-ijT2SsD0mzpLi9BNvnNTj6099sORS-xLV4z88GKFMO6r1cHWrfxDfoOaIcUMladSuVoWoDuIWc09pOnRkXz3WfpQFA95tX5o6PB8SCXw-iqsqpuE0v0JADpXCfL4IGnBnqXUsmMA8WNpDe6VA5wF2qTP6KpUxl0sfeEQyUj7aELGe1sGUIRD1zJVrBYXeNbgv1Nl8ynn2e85bf6zOTwlgphshclaXpPnUYp9jbRH_5cm6XpfiWtkmesRlwPNYrX77FCGgO1aFj-MtrO1h_sZZs-mzadAgzrQpkiwBZt9eUiOD-yOeD3UA56_lCMQbv0k_dCycJ4maKNxxyRDkZi6rmqCitz1w8Twq6gWDRo

That jwt has a body like this:

{
  "iss": "https://ubuntu:8441",
  "sub": "EyhOXoNG.",
  "aud": [
    ""
  ],
  "exp": 1724348788,
  "jti": "e57a292f-117f-4865-bcde-a2887a09ecf7",
  "em": "ott",
  "ctrls": null
}

That all looks right. I specifically wanted to make sure the iss field was accurate and correct.

Your experience here is highly abnormal. I've not seen this problem happen this much. Let's go back to basics and try clean... try this...

  • quit (don't close) the ZDEW UI (main menu -> quit)
  • open an admin command prompt and stop two services:
    • net stop ziti
    • net stop ziti-monitor
  • delete everything in C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs
  • start the ZDEW (net start ziti-monitor then net start ziti)
  • make an identity, name the identity test and the jwt test.jwt
  • copy the test.jwt identity to the windows machine
  • enroll the test.jwt token to produce an identity

if it fails, go to main menu -> feedback and email that zip file to clint at openziti.org and I'll look at it and see what I see.

I did the same as you suggested; it still failed. I sent you the feedback file at clint@openziti.org.

Thanks. Can you send the controller logs for that time period too? Is there anything else in the controller logs that might be helpful?

How do I get those logs?

If you installed it as a service on the ubuntu machine, use journalctl.

something like this would be great:

journalctl -u ziti-controller --since "2 hours ago"

OK, thanks. I sent you the controller log file.

@wahmad and I got this sorted outside of Discourse. The problem was the Windows machine could not resolve "ubuntu". As it's a test scenario, he tried to update the hosts file and inadvertently added ".txt" to the hosts file, which Windows ignored.

The solution was to rename hosts.txt to hosts and he was able to enroll.

Just wanted to wrap this issue up. Thanks @wahmad -- happy ziti-ing!
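A pre-enrollment check that pulls the thread together, written here as an added example (it is not code from the thread or from the OpenZiti project): it reads the controller host out of the JWT's `iss` claim, confirms this machine can resolve it, and flags a stray `hosts.txt`. The `-3008(unknown node or service)` in the tunneler log is libuv's `UV_EAI_NONAME`, i.e. `getaddrinfo` failing, which is the name-resolution fault found in the end. The token and claims used below are constructed for the demo; the Windows `etc` path is an assumption.

```python
"""Check that an OpenZiti enrollment JWT's controller host resolves locally.
Added example; the claims, the demo token and the etc path are constructed."""
import base64
import json
import os
import socket
from urllib.parse import urlsplit


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT claims WITHOUT verifying the signature.
    Signature checking is the controller's job; only `iss` is needed here."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def issuer_host(claims: dict) -> tuple:
    """(host, port) of the controller the JWT was issued by; 443 if no port."""
    url = urlsplit(claims["iss"])
    return url.hostname, url.port or 443


def host_resolves(host: str) -> bool:
    """Same lookup the tunneler does; False is what produced -3008 in the log."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:  # EAI_NONAME / EAI_AGAIN and friends
        return False


def misnamed_hosts_file(etc_dir: str) -> bool:
    """True if a hosts.txt exists in etc_dir; Windows ignores that file."""
    return os.path.exists(os.path.join(etc_dir, "hosts.txt"))


def make_demo_jwt(claims: dict) -> str:
    """Constructed, unsigned token carrying the thread's claims (demo only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fakesig"


DEMO_CLAIMS = {"iss": "https://ubuntu:8441", "sub": "EyhOXoNG.", "em": "ott"}

if __name__ == "__main__":
    host, port = issuer_host(decode_jwt_payload(make_demo_jwt(DEMO_CLAIMS)))
    print(f"controller {host}:{port} resolves here: {host_resolves(host)}")
    win_etc = r"C:\Windows\System32\drivers\etc"  # assumed location
    if os.name == "nt" and misnamed_hosts_file(win_etc):
        print("found hosts.txt next to hosts; rename it, Windows ignores it")
```

Run it on the Windows machine with the real `.jwt` contents in place of the demo token: if the issuer host does not resolve there, enrollment cannot reach the controller regardless of what the certificate's SANs say.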

Hi Clint,
Thanks for your excellent support. Love to be a part of ziti-ing!