Ziti DNS and TLS still showing self-signed cert despite correct DNS resolution (Node B → Node A via Ziti)

relias · October 13, 2025, 6:02pm

I have two VPS nodes:

Node A (runs Vault-like service + ziti-edge-tunnel host)
Node B (runs ziti-edge-tunnel client and should connect to Node A securely through Ziti)

Node A’s public address is vault.example.app:8200, but it should be accessed internally through Ziti with a proper certificate chain issued by Root CA.
However, when testing from Node B, I still see the old self-signed HashiCorp-style certificate even though DNS resolution points to Ziti.

What’s working

Node A side:
sudo openssl x509 -in /opt/vault/tls/vault.crt -noout -subject -issuer -enddate

subject=CN = vault.example.app

issuer=CN = Root CA

notAfter=Jan 16 10:10:31 2028 GMT

Node A ziti-edge-tunnel status:
sudo ziti-edge-tunnel tunnel_status | jq '.Data.Identities[0].Services | {Name, IsAccessible}'

vault-service: true

vault.example.app: true

Node B DNS resolution:
getent ahostsv4 vault.example.app

100.64.0.1 vault.example.app

dig @100.64.0.2 vault.example.app +short

100.64.0.3

cat /etc/hosts

100.64.0.3 vault.example.app

resolvectl:
DNS=100.64.0.2
Domains=~internal

The problem

From Node B:
echo | openssl s_client -4 -connect vault.example.app:8200 -servername vault.example.app -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer

subject=O = HashiCorp, CN = Vault

issuer=O = HashiCorp, CN = Vault

So, even though DNS resolves correctly to 100.64.x.x, the TLS handshake still hits the public listener instead of the Ziti-hosted one.

Observations

Ziti DNS resolution (via 100.64.0.2) is working fine.
But s_client connections still reach the public certificate.
Restarting ziti-edge-tunnel on Node A drops SSH (expected).
After reconnecting, tunnel shows services as active, but traffic still isn’t being intercepted for port 8200.

Suspected root cause

Either:

The Ziti tunnel on Node A is not actually binding the Vault service (port 8200) locally; or
The Ziti edge-tunnel on Node B is not intercepting correctly for vault.example.app; or
The DNS configuration on Node B intermittently bypasses the Ziti resolver.

What’s been tried

Verified DNS through getent, dig, and /etc/hosts.
Restarted both tunnels (ziti-edge-tunnel service).
Confirmed both services show IsAccessible: true.
Still getting the public certificate when testing TLS.

Looking for guidance

What’s the correct way to ensure that:

Ziti intercepts all traffic for vault.example.app over the fabric,
Node A actually hosts/binds tcp:127.0.0.1:8200 through Ziti, and
TLS requests from Node B never touch the public network?

Any suggestions to verify or enforce the binding/intercept mapping would be appreciated.

Topic		Replies	Views
Not able to access an endpoint Ziti Edge Tunnel	7	320	May 20, 2022
Failed to resolve ziti-tunnel.resolver.test Ziti Tunnel	1	338	June 12, 2022
Hosting a DNS service	5	1296	December 20, 2019
Ziti-tunnel use case Ziti Tunnel	9	386	September 15, 2022
Getting ziti-edge-tunnel working on RHEL 8 Ziti Tunnel	24	1133	May 16, 2022