openziti / ziti-tunnel-sdk-c


autoca enrollment fails #840

Open qrkourier opened 1 month ago

qrkourier commented 1 month ago

autoca method uses the reusable CA JWT, which has a valid signature, with a cert from the external CA

❯ ZITI_TIME_FORMAT=utc ZITI_LOG=4 TLSUV_DEBUG=4 ./ziti-edge-tunnel enroll --jwt ./kenlabCA.jwt --key ./intermediate/keys/kenlab1.key --cert ./intermediate/certs/kenlab1.cert

ottca method uses a one-time JWT, which has a valid signature, with a cert from the external CA

❯ ZITI_TIME_FORMAT=utc ZITI_LOG=4 TLSUV_DEBUG=4 ./ziti-edge-tunnel enroll --jwt ./kenlab2.jwt --key ./intermediate/keys/kenlab2.key --cert ./intermediate/certs/kenlab2.cert

Both exit with code 1 and produce neither stdout nor stderr.

qrkourier commented 3 weeks ago

I'm attempting to reproduce the autoca enrollment problem with ziti-edge-tunnel enroll, and now get a different failing result with latest ziti and ZET.

❯ sudo ZITI_TIME_FORMAT=utc ZITI_LOG=4 TLSUV_DEBUG=4 ziti-edge-tunnel enroll --jwt /tmp/intermediate2.jwt --identity /tmp/i2a.json --key /var/lib/ziti-controller/pki/intermediate2/keys/i2a.key --cert /var/lib/ziti-controller/pki/intermediate2/certs/i2a.cert --name i2a
(2449296)[2024-06-03T15:40:19.732Z]    INFO ziti-sdk:utils.c:201 ziti_log_set_level() set log level: root=4/DEBUG
(2449296)[2024-06-03T15:40:19.732Z]    INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting at (2024-06-03T15:40:19.732)
(2449296)[2024-06-03T15:40:19.732Z]    INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 0.36.11 @c9993c3(HEAD) starting enrollment at (2024-06-03T15:40:19.732)
(2449296)[2024-06-03T15:40:19.732Z]   DEBUG ziti-sdk:jwt.c:82 load_jwt() filename is: /tmp/intermediate2.jwt
(2449296)[2024-06-03T15:40:19.732Z]   DEBUG ziti-sdk:jwt.c:75 load_jwt_file() jwt file content is: 
eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg2Y2RjYmE3OWRjNmJmNzVhNTdjNWZhNjllNDIzNzRjMjFlOGE5NWIiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDoxMjgwLyIsInN1YiI6IjN1UHlRdlIzU0pBSGpUeFZ6WUdMVWsiLCJqdGkiOiIzdVB5UXZSM1NKQUhqVHhWellHTFVrIiwiZW0iOiJjYSIsImN0cmxzIjpudWxsfQ.27pxIZ7iB2Qu-VeDjMrbHzqohMg1rd5XQ8P5Pt3nLKv_anJQbJTZnfpr7ODAqQ9fNlJFiU10ZpDrIpU8t1KAavzKbrtl3QJqRoWu_Z66le0M8OCUYunf9q6PN9reLREheyyKc_HB9PQGEb3x9ZZu1BR1H7BRvBHLQ6cLqi9foSOfbEe1jK8eAn91V6bQ7iZSySXYsluOeQLZAEuNUZxfgsjuVp0XwruxC2Udmve8rmrCliS-rczfLRR0SEUM4d3aELVqJf9-aMsqJLUIaYrrPigeYxG166KpHFe-hp_LD_S954QZ-MKnn4wUjQU6AczCTt_RelXTDLl8Qsai6LPprDCE3m1G5xfde5j8MMYf1Twgyl43PH4qeEOzYnmIFpIKuyjRiwroKnY7aR4FmrTZdc35jtmda2uVtmxtQaYxCjlj80LojsShJIU57hWFsO3UNQD7R62_2LOUr-YwOXPy3Pj-cHA-vXbnBn1Q-wiycG1KpWX2nAq4NprI7GGp452ipuYPjsTeTNM-K7By3a-QcR5VjTf3LbA8dsNgFDzdbIfbq3dCBJJgKIN-tSAqlK9dTVu3ZUVUdkpebDMaYFQqy0lHoPylEFkdlq65wspt8MzNM1zwhzfXD3Chp-Gch23trveoSL2YolriaL8l9w8275X6CRq1dSO4JVhBdZr5Ovw
(2449296)[2024-06-03T15:40:19.732Z]   DEBUG ziti-sdk:jwt.c:36 parse_jwt_content() ecfg->jwt_signing_input is: 
eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg2Y2RjYmE3OWRjNmJmNzVhNTdjNWZhNjllNDIzNzRjMjFlOGE5NWIiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDoxMjgwLyIsInN1YiI6IjN1UHlRdlIzU0pBSGpUeFZ6WUdMVWsiLCJqdGkiOiIzdVB5UXZSM1NKQUhqVHhWellHTFVrIiwiZW0iOiJjYSIsImN0cmxzIjpudWxsfQ
(2449296)[2024-06-03T15:40:19.732Z]   DEBUG tlsuv:base64.c:107 base64url_decode len is: 512
(2449296)[2024-06-03T15:40:19.732Z]   DEBUG tlsuv:base64.c:107 base64url_decode len is: 76
(2449296)[2024-06-03T15:40:19.732Z]   DEBUG tlsuv:base64.c:107 base64url_decode len is: 118
(2449296)[2024-06-03T15:40:19.732Z]   DEBUG ziti-sdk:ziti_ctrl.c:415 ziti_ctrl_init() ctrl[localhost] ziti controller client initialized
(2449296)[2024-06-03T15:40:19.732Z]   DEBUG tlsuv:tcp_src.c:158 resolving 'localhost:1280'
(2449296)[2024-06-03T15:40:19.732Z]    INFO tlsuv:engine.c:278 using system CA bundle[/etc/ssl/certs/ca-certificates.crt]
(2449296)[2024-06-03T15:40:19.744Z]   DEBUG ziti-sdk:ziti_enroll.c:39 verify_controller_jwt() verifying JWT signature
(2449296)[2024-06-03T15:40:19.744Z]   DEBUG ziti-sdk:ziti_enroll.c:67 verify_controller_jwt() JWT verification succeeded!
(2449296)[2024-06-03T15:40:19.749Z]   DEBUG ziti-sdk:ziti_enroll.c:155 well_known_certs_cb() CA PEM len = 4246
(2449296)[2024-06-03T15:40:19.749Z]   DEBUG ziti-sdk:ziti_ctrl.c:415 ziti_ctrl_init() ctrl[localhost] ziti controller client initialized
(2449296)[2024-06-03T15:40:19.749Z]   DEBUG tlsuv:tcp_src.c:158 resolving 'localhost:1280'
(2449296)[2024-06-03T15:40:19.771Z]   ERROR ziti-sdk:ziti_enroll.c:233 enroll_cb() failed to enroll with controller: https://localhost:1280/ COULD_NOT_VALIDATE (The supplied request contains an invalid document or no valid accept content were available, see cause)
(2449296)[2024-06-03T15:40:19.771Z]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2159 enroll_cb() enrollment failed: COULD_NOT_VALIDATE(-3)

Reusable autoca token analysis:

{
    "header": {
        "alg": "RS256",
        "kid": "86cdcba79dc6bf75a57c5fa69e42374c21e8a95b",
        "typ": "JWT"
    },
    "payload": {
        "iss": "https://localhost:1280/",
        "sub": "3uPyQvR3SJAHjTxVzYGLUk",
        "jti": "3uPyQvR3SJAHjTxVzYGLUk",
        "em": "ca",
        "ctrls": null
    },
    "analysis": {
        "signature_valid": true,
        "enrollment_method": "reusable token for auto-creating an identity from a trusted external CA"
    }
}

qrkourier commented 3 weeks ago

I was able to enroll with the ottca method with latest ziti 1.1.3 and ZET 0.22.30, so I'll update the description to reflect that only autoca method is still failing.