Open qrkourier opened 1 month ago
I'm attempting to reproduce the autoca enrollment problem with `ziti-edge-tunnel enroll`, and now get a different failing result with latest ziti and ZET.
```
❯ sudo ZITI_TIME_FORMAT=utc ZITI_LOG=4 TLSUV_DEBUG=4 ziti-edge-tunnel enroll --jwt /tmp/intermediate2.jwt --identity /tmp/i2a.json --key /var/lib/ziti-controller/pki/intermediate2/keys/i2a.key --cert /var/lib/ziti-controller/pki/intermediate2/certs/i2a.cert --name i2a
(2449296)[2024-06-03T15:40:19.732Z] INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=4/DEBUG
(2449296)[2024-06-03T15:40:19.732Z] INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting at (2024-06-03T15:40:19.732)
(2449296)[2024-06-03T15:40:19.732Z] INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting enrollment at (2024-06-03T15:40:19.732)
(2449296)[2024-06-03T15:40:19.732Z] DEBUG ziti-sdk:jwt.c:82 load_jwt() filename is: /tmp/intermediate2.jwt
(2449296)[2024-06-03T15:40:19.732Z] DEBUG ziti-sdk:jwt.c:75 load_jwt_file() jwt file content is:
eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg2Y2RjYmE3OWRjNmJmNzVhNTdjNWZhNjllNDIzNzRjMjFlOGE5NWIiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDoxMjgwLyIsInN1YiI6IjN1UHlRdlIzU0pBSGpUeFZ6WUdMVWsiLCJqdGkiOiIzdVB5UXZSM1NKQUhqVHhWellHTFVrIiwiZW0iOiJjYSIsImN0cmxzIjpudWxsfQ.27pxIZ7iB2Qu-VeDjMrbHzqohMg1rd5XQ8P5Pt3nLKv_anJQbJTZnfpr7ODAqQ9fNlJFiU10ZpDrIpU8t1KAavzKbrtl3QJqRoWu_Z66le0M8OCUYunf9q6PN9reLREheyyKc_HB9PQGEb3x9ZZu1BR1H7BRvBHLQ6cLqi9foSOfbEe1jK8eAn91V6bQ7iZSySXYsluOeQLZAEuNUZxfgsjuVp0XwruxC2Udmve8rmrCliS-rczfLRR0SEUM4d3aELVqJf9-aMsqJLUIaYrrPigeYxG166KpHFe-hp_LD_S954QZ-MKnn4wUjQU6AczCTt_RelXTDLl8Qsai6LPprDCE3m1G5xfde5j8MMYf1Twgyl43PH4qeEOzYnmIFpIKuyjRiwroKnY7aR4FmrTZdc35jtmda2uVtmxtQaYxCjlj80LojsShJIU57hWFsO3UNQD7R62_2LOUr-YwOXPy3Pj-cHA-vXbnBn1Q-wiycG1KpWX2nAq4NprI7GGp452ipuYPjsTeTNM-K7By3a-QcR5VjTf3LbA8dsNgFDzdbIfbq3dCBJJgKIN-tSAqlK9dTVu3ZUVUdkpebDMaYFQqy0lHoPylEFkdlq65wspt8MzNM1zwhzfXD3Chp-Gch23trveoSL2YolriaL8l9w8275X6CRq1dSO4JVhBdZr5Ovw
(2449296)[2024-06-03T15:40:19.732Z] DEBUG ziti-sdk:jwt.c:36 parse_jwt_content() ecfg->jwt_signing_input is:
eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg2Y2RjYmE3OWRjNmJmNzVhNTdjNWZhNjllNDIzNzRjMjFlOGE5NWIiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDoxMjgwLyIsInN1YiI6IjN1UHlRdlIzU0pBSGpUeFZ6WUdMVWsiLCJqdGkiOiIzdVB5UXZSM1NKQUhqVHhWellHTFVrIiwiZW0iOiJjYSIsImN0cmxzIjpudWxsfQ
(2449296)[2024-06-03T15:40:19.732Z] DEBUG tlsuv:base64.c:107 base64url_decode len is: 512
(2449296)[2024-06-03T15:40:19.732Z] DEBUG tlsuv:base64.c:107 base64url_decode len is: 76
(2449296)[2024-06-03T15:40:19.732Z] DEBUG tlsuv:base64.c:107 base64url_decode len is: 118
(2449296)[2024-06-03T15:40:19.732Z] DEBUG ziti-sdk:ziti_ctrl.c:415 ziti_ctrl_init() ctrl[localhost] ziti controller client initialized
(2449296)[2024-06-03T15:40:19.732Z] DEBUG tlsuv:tcp_src.c:158 resolving 'localhost:1280'
(2449296)[2024-06-03T15:40:19.732Z] INFO tlsuv:engine.c:278 using system CA bundle[/etc/ssl/certs/ca-certificates.crt]
(2449296)[2024-06-03T15:40:19.744Z] DEBUG ziti-sdk:ziti_enroll.c:39 verify_controller_jwt() verifying JWT signature
(2449296)[2024-06-03T15:40:19.744Z] DEBUG ziti-sdk:ziti_enroll.c:67 verify_controller_jwt() JWT verification succeeded!
(2449296)[2024-06-03T15:40:19.749Z] DEBUG ziti-sdk:ziti_enroll.c:155 well_known_certs_cb() CA PEM len = 4246
(2449296)[2024-06-03T15:40:19.749Z] DEBUG ziti-sdk:ziti_ctrl.c:415 ziti_ctrl_init() ctrl[localhost] ziti controller client initialized
(2449296)[2024-06-03T15:40:19.749Z] DEBUG tlsuv:tcp_src.c:158 resolving 'localhost:1280'
(2449296)[2024-06-03T15:40:19.771Z] ERROR ziti-sdk:ziti_enroll.c:233 enroll_cb() failed to enroll with controller: https://localhost:1280/ COULD_NOT_VALIDATE (The supplied request contains an invalid document or no valid accept content were available, see cause)
(2449296)[2024-06-03T15:40:19.771Z] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2159 enroll_cb() enrollment failed: COULD_NOT_VALIDATE(-3)
```
Reusable autoca token analysis:

```json
{
  "header": {
    "alg": "RS256",
    "kid": "86cdcba79dc6bf75a57c5fa69e42374c21e8a95b",
    "typ": "JWT"
  },
  "payload": {
    "iss": "https://localhost:1280/",
    "sub": "3uPyQvR3SJAHjTxVzYGLUk",
    "jti": "3uPyQvR3SJAHjTxVzYGLUk",
    "em": "ca",
    "ctrls": null
  },
  "analysis": {
    "signature_valid": true,
    "enrollment_method": "reusable token for auto-creating an identity from a trusted external CA"
  }
}
```
I was able to enroll with the ottca method with latest ziti 1.1.3 and ZET 0.22.30, so I'll update the description to reflect that only autoca method is still failing.
autoca method uses the reusable CA JWT, which has a valid signature, with a cert from the external CA
ottca method uses a one-time JWT, which has a valid signature, with a cert from the external CA
Both exit with code 1 and produce neither stdout nor stderr.
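To reproduce the token analysis shown in this comment offline, here is a small decoder for the compact JWS form the enrollment JWT uses. It is an added example, not code from the issue author or from the OpenZiti project: it splits the token into its three base64url segments, restores the stripped padding, parses header and payload, and runs the pre-flight checks a client can do before contacting the controller (expected `alg`, presence of `kid` and the `iss`/`sub`/`jti`/`em` claims). It does not verify the signature; that needs the controller's signing certificate selected by `kid`, which the SDK fetches over TLS (the `verify_controller_jwt()` step in the log). The token embedded below is the one printed in the log above; the function names and the `ENROLLMENT_METHODS` entries other than `"ca"` (whose description is taken from the analysis block) are my own assumptions, not names from the page. The decoded segment lengths it reports match the three `base64url_decode len is:` lines in the tlsuv output (76, 118 and 512 bytes).

```python
import base64
import json

# The reusable autoca enrollment JWT printed by load_jwt_file() in the log above
# (copied from the page; the three segments are on separate lines only for readability).
AUTOCA_JWT = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg2Y2RjYmE3OWRjNmJmNzVhNTdjNWZhNjllNDIzNzRjMjFlOGE5NWIiLCJ0eXAiOiJKV1QifQ"
    ".eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDoxMjgwLyIsInN1YiI6IjN1UHlRdlIzU0pBSGpUeFZ6WUdMVWsiLCJqdGkiOiIzdVB5UXZSM1NKQUhqVHhWellHTFVrIiwiZW0iOiJjYSIsImN0cmxzIjpudWxsfQ"
    ".27pxIZ7iB2Qu-VeDjMrbHzqohMg1rd5XQ8P5Pt3nLKv_anJQbJTZnfpr7ODAqQ9fNlJFiU10ZpDrIpU8t1KAavzKbrtl3QJqRoWu_Z66le0M8OCUYunf9q6PN9reLREheyyKc_HB9PQGEb3x9ZZu1BR1H7BRvBHLQ6cLqi9foSOfbEe1jK8eAn91V6bQ7iZSySXYsluOeQLZAEuNUZxfgsjuVp0XwruxC2Udmve8rmrCliS-rczfLRR0SEUM4d3aELVqJf9-aMsqJLUIaYrrPigeYxG166KpHFe-hp_LD_S954QZ-MKnn4wUjQU6AczCTt_RelXTDLl8Qsai6LPprDCE3m1G5xfde5j8MMYf1Twgyl43PH4qeEOzYnmIFpIKuyjRiwroKnY7aR4FmrTZdc35jtmda2uVtmxtQaYxCjlj80LojsShJIU57hWFsO3UNQD7R62_2LOUr-YwOXPy3Pj-cHA-vXbnBn1Q-wiycG1KpWX2nAq4NprI7GGp452ipuYPjsTeTNM-K7By3a-QcR5VjTf3LbA8dsNgFDzdbIfbq3dCBJJgKIN-tSAqlK9dTVu3ZUVUdkpebDMaYFQqy0lHoPylEFkdlq65wspt8MzNM1zwhzfXD3Chp-Gch23trveoSL2YolriaL8l9w8275X6CRq1dSO4JVhBdZr5Ovw"
)

# 'em' claim value -> meaning. The "ca" entry is the description from the analysis
# block in this comment; the other two are assumptions about OpenZiti enrollment
# method names and are not stated on the page.
ENROLLMENT_METHODS = {
    "ca": "reusable token for auto-creating an identity from a trusted external CA",
    "ottca": "one-time token, certificate issued by an external CA (assumed name)",
    "ott": "one-time token, certificate issued by the controller (assumed name)",
}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment (RFC 7515 style, '=' padding stripped)."""
    segment = segment.strip()
    if len(segment) % 4 == 1:
        raise ValueError("invalid base64url segment length")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and signature. Inspection only:
    the signature bytes are decoded but never verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_raw, payload_raw, sig_raw = (b64url_decode(p) for p in parts)
    return {
        "header": json.loads(header_raw),
        "payload": json.loads(payload_raw),
        # What the controller's key would be checked against (header.payload).
        "signing_input": parts[0] + "." + parts[1],
        "decoded_lengths": {
            "header": len(header_raw),
            "payload": len(payload_raw),
            "signature": len(sig_raw),
        },
        "signature_verified": False,
    }


def check_enrollment_token(token: str, expected_alg: str = "RS256") -> dict:
    """Pre-flight checks before contacting the controller: the algorithm we expect,
    a kid to select the signing cert, and the claims the enroll flow relies on."""
    jwt = decode_jwt(token)
    header, payload = jwt["header"], jwt["payload"]
    problems = []
    if header.get("alg") != expected_alg:
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if not header.get("kid"):
        problems.append("missing kid")
    for claim in ("iss", "sub", "jti", "em"):
        if claim not in payload:
            problems.append(f"missing claim {claim}")
    em = payload.get("em")
    return {
        "problems": problems,
        "enrollment_method": ENROLLMENT_METHODS.get(em, f"unknown enrollment method {em!r}"),
        "issuer": payload.get("iss"),
        "decoded_lengths": jwt["decoded_lengths"],
    }


if __name__ == "__main__":
    print(json.dumps(check_enrollment_token(AUTOCA_JWT), indent=2))
```

Run as a script it prints the pre-flight result for the token above; an empty `problems` list only means the token is well-formed and carries the expected claims, not that it is genuine or still accepted by the controller, which is exactly the part the `COULD_NOT_VALIDATE` response in the log is about.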