Ziti edge login fails because of ZAC on same port

Hi,

When I try to log in from the router to the controller, it doesn't work if ZAC is on the same port. If I temporarily remove ZAC, then login succeeds.

```
root@ozrb1:~# ziti edge login
Enter controller host[:port] (default localhost:1280): ozc1.xxxxx.com:8443
Untrusted certificate authority retrieved from server
Verified that server supplied certificates are trusted by server
Server supplied 2 certificates
Trust server provided certificate authority [Y/N]: y
Server certificate chain written to /root/.config/ziti/certs/ozc1.xxxxx.com
Enter username: admin
Enter password:
error: unable to parse response from https://ozc1.xxxxx.com:8443. Server returned: <!doctype html>
<html lang="en" data-critters-container>
<head><base href="/zac/">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta http-equiv="cache-control" content="no-cache">
  <title>Ziti Admin Console</title>
```

I have the following controller config:

```yaml
web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:443
        address: ozc1.xxxxx.com:443
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-client
        options: { }
  - name: management
    bindPoints:
      - interface: 0.0.0.0:8443
        address: ozc1.xxxxx.com:8443
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: { }
      - binding: fabric
        options: { }
      - binding: zac
        options:
          location: /opt/openziti/share/console
          indexFile: index.html
  - name: health-check
    bindPoints:
      - interface: 0.0.0.0:8444
        address: 0.0.0.0:8444
    apis:
      - binding: health-checks
```

This is really strange. I've never seen this and I have ZAC installed on my controller.

If you provide the url does this happen? Like:

```
ziti edge login ${url}
```

I've never seen this particular behavior yet... :frowning:

Just tested, same problem...

```
root@ozc1:~# export URL="ozc1.xxxxx.com:8443"
root@ozc1:~# echo $URL
ozc1.xxxxx.com:8443
root@ozc1:~# ziti edge login ${URL}
Using username: admin from identity 'default' in config file: /root/.config/ziti/ziti-cli.json
Enter password:
error: unable to parse response from https://ozc1.xxxxx.com:8443. Server returned: <!doctype html>
<html lang="en" data-critters-container>
<head><base href="/zac/">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta http-equiv="cache-control" content="no-cache">
  <title>Ziti Admin Console</title>
  <!-- Icons -->
```

OK - I see you have split the API. I didn't notice that and didn't test it... I can; in the meantime, could you remove the client API from :443 and test? (I dunno if you have clients using this yet)... I'll go split off my edge-client and see if I can reproduce...

There are a few clients connected... Maybe I can try at night time :smiley:

No need. I was able to reproduce this issue. I'll have a look and see if there's a workaround but it's certainly an unexpected bug.

Thanks for discovering this :slight_smile:

Good :+1:

Not a big issue because I can log in from the controller using localhost:8443 :smiley:

BTW, as a workaround, provide the full path and it works:

```
ziti edge login https://ozc1.xxxxx.com:8443/edge/management/v1
```

I was coming here and just going to ask you this. :slight_smile: Thanks for confirming

I have created the following issue for this setup: Split Edge APIs can cause `ziti edge login` to fail · Issue #2591 · openziti/ziti · GitHub
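
The listener layout reported in this thread can be checked for mechanically. The following is an added example, not part of the original posts and not OpenZiti project code: the function name `lint_split_login`, the sample host `ozc1.example.com`, and the rule itself (flag a listener that carries `zac` and `edge-management` while `edge-client` lives on another listener) are assumptions drawn from the symptoms above, not a statement of the root cause. It expects the `web` section already parsed into Python lists and dicts.

```python
# Added example: lint a parsed controller `web` section for the layout
# reported in this thread. Rule and names are assumptions, not project code.

MGMT_PATH = "/edge/management/v1"  # path taken from the thread's workaround

# Constructed sample mirroring the thread's config (identity/options omitted,
# host replaced with a placeholder).
SAMPLE_WEB = [
    {"name": "client-management",
     "bindPoints": [{"interface": "0.0.0.0:443", "address": "ozc1.example.com:443"}],
     "apis": [{"binding": "edge-client"}]},
    {"name": "management",
     "bindPoints": [{"interface": "0.0.0.0:8443", "address": "ozc1.example.com:8443"}],
     "apis": [{"binding": "edge-management"}, {"binding": "fabric"},
              {"binding": "zac", "options": {"location": "/opt/openziti/share/console"}}]},
    {"name": "health-check",
     "bindPoints": [{"interface": "0.0.0.0:8444", "address": "0.0.0.0:8444"}],
     "apis": [{"binding": "health-checks"}]},
]


def bindings(listener):
    """Set of API binding names served by one web listener."""
    return {api.get("binding") for api in listener.get("apis") or []}


def lint_split_login(web):
    """Find listeners with zac + edge-management whose edge-client is split off.

    Returns one finding per bind point, including the explicit login URL
    that worked as a workaround in the thread.
    """
    client_listeners = [l for l in web if "edge-client" in bindings(l)]
    findings = []
    for listener in web:
        b = bindings(listener)
        if {"zac", "edge-management"} <= b and "edge-client" not in b and client_listeners:
            for bp in listener.get("bindPoints") or []:
                findings.append({
                    "listener": listener.get("name"),
                    "address": bp.get("address"),
                    "login_url": f"https://{bp.get('address')}{MGMT_PATH}",
                })
    return findings


if __name__ == "__main__":
    for f in lint_split_login(SAMPLE_WEB):
        print(f"{f['listener']}: bare host:port login may get the console page; "
              f"use: ziti edge login {f['login_url']}")
```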