openziti / ziti-tunnel-android

Apache License 2.0

all services not working for all identities #186

Closed qrkourier closed 1 month ago

qrkourier commented 8 months ago

I'm unable to use any Ziti services. ZME shows "unavailable" status for the two identities I've loaded, and zero available services.

I've used ZME successfully and normally since the last time any software versions changed (Android or ZME). I haven't loaded any new Ziti identities or unloaded any identities or changed any service or router policies since the last time I was able to use ZME normally, which was probably Friday 19th.

The log.zip shows controller unavailable, but both identities' controllers' client APIs are reachable from the same device with the same network uplink. I tried WiFi and mobile data. The tunnel activate button doesn't produce any errors, but neither identity's status progresses from "unavailable" and no services are enumerated.

I've taken the following steps and was unable to recover a functioning ZME tunnel:

Device:          Pixel 6 Pro (Google)
Android Version: 14
Android-SDK:     34
Ziti Version:    0.30.0(344b49b)
App:             org.openziti.mobile
App Version:     v0.8.1

qrkourier commented 8 months ago

I confirmed I'm subscribed to the beta channel in Play Store, and the app's store page is still active and appears normal to me.

[Screenshot: Screenshot_20240122-155630]

qrkourier commented 8 months ago

Still borked. No services at all. :man_shrugging:

qrkourier commented 8 months ago

The log reveals that, for both of the two added Ziti identities, the Ziti controller's client API server certificate could not be verified for some reason.

01-30 10:47:51.721  5844  5870 W o.o.i.ZitiContextImpl: failed to login: ControllerUnavailable: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Normally, a bundle of trusted issuer certificates is downloaded from the Ziti controller at the time of enrollment and used to verify all server certificates encountered by the enrolled identity for the life span of the identity. This includes the Ziti controller's client API, where the identity obtains a session token and finds its services and routers, and the router's edge listener, where the identity dials services.

Replacing the identities has worked around the issue, but there were two further apparent Android app glitches during the process of working around the NotAuthorized symptom.

  1. Replacing my CloudZiti Teams network identity succeeded immediately. I left the NotAuthorized identity installed in ZME, and noticed today that it resumed functioning normally after more than a week of not functioning at all, despite several reboots.
  2. Replacing my Mattermost network identity did not succeed immediately. The new identity appeared to have the same NotAuthorized problem. However, after forcibly terminating the ZME app, the replacement identity was functioning normally.
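
What "Trust anchor for certification path not found" means for a CA bundle pinned at enrollment, as an added example that is not part of the original comment or the project's code. It uses the `openssl` CLI with throwaway constructed CAs (`enrolled-ca`, `other-ca`) and server certificates (`ctrl-a`, `ctrl-b`), and trusts only the bundle file:

```shell
#!/bin/sh
# Added illustration; every name, key and certificate here is constructed.
set -eu

# make_ca DIR NAME: self-signed throwaway CA -> DIR/NAME.pem, DIR/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_server DIR CA NAME: server certificate DIR/NAME.pem signed by CA
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# anchored BUNDLE CERT: succeeds only if CERT chains to a CA inside BUNDLE.
# -no-CApath keeps the system CA directory out of the decision (pinned bundle).
anchored() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# setup_pki DIR: the bundle saved at enrollment holds only enrolled-ca.
setup_pki() {
    make_ca "$1" enrolled-ca
    make_ca "$1" other-ca
    issue_server "$1" enrolled-ca ctrl-a   # issued by the enrolled CA
    issue_server "$1" other-ca ctrl-b      # issued by a CA not in the bundle
    cp "$1/enrolled-ca.pem" "$1/bundle.pem"
}

demo() {
    d=$(mktemp -d)
    setup_pki "$d"
    for c in ctrl-a ctrl-b; do
        if anchored "$d/bundle.pem" "$d/$c.pem"; then
            echo "$c: verified against enrollment bundle"
        else
            echo "$c: no trust anchor in enrollment bundle"
        fi
    done
    rm -rf "$d"
}

demo
```
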

qrkourier commented 7 months ago

The new identity I added from my CloudZiti Teams network has stopped working too, and this time it's only the Teams identity, not the Mattermost identity.

qrkourier commented 7 months ago

I worked around this with the re-enroll option in the CloudZiti console. I deleted the malfunctioning Teams identity and added the replacement identity.

ekoby commented 1 month ago

should be fixed with #199