Open bengcooper opened 1 week ago
PKCS#11 is not supported in 1.x releases
do you mind trying with the latest 2.0.0 pre-release binaries (available here)?
I've updated to v2.0.0-alpha17 and the issue is still occurring:
[ 0.000] WARN ziti-edge-tunnel:instance.c:39 find_tunnel_identity() Identity ztx[/opt/openziti/etc/identities/yubikey-test2.json] is not loaded yet or already removed.
[ 0.011] WARN ziti-sdk:model_support.c:202 model_parse() json parse error: expected comment
[ 0.011] WARN ziti-sdk:model_support.c:202 model_parse() json parse error: expected comment
[ 0.011] ERROR ziti-sdk:ziti.c:130 init_tls_from_config() /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti.c:120 - load_key_internal(tls, &pk, cfg->id.key) => -13 (Unknown error -13)
[ 0.011] ERROR ziti-sdk:ziti.c:460 ziti_init_async() invalid TLS config: configuration is invalid
[ 0.011] WARN tunnel-cbs:ziti_tunnel_ctrl.c:906 on_ziti_event() ziti_ctx controller connections failed: configuration is invalid
[ 0.011] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1233 on_event() ztx[/opt/openziti/etc/identities/yubikey-test2.json] failed to connect to controller due to configuration is invalid
The JSON parse error appears for each identity so it's potentially not related.
Is pkcs11:///usr/lib/libykcs11.so?id=01&pin=123456 actually readable, i.e. did you check if this isn't a ziti problem?
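One way to answer the "is it actually readable" question without involving ziti at all, as an added example that is not part of this issue thread or of the ziti projects' code: take the key URI in the shape the identity above uses (assumed here to be pkcs11://<module path>?id=<hex object id>&pin=<PIN>, which is what the URI in the thread looks like), try to dlopen the module the same way any Cryptoki client would and look for the C_GetFunctionList export every PKCS#11 library must provide, then emit the OpenSC pkcs11-tool command that lists the object behind that id. The function names, the LIBC stand-in used by the self-check and the URI-format assumption are mine.

```python
"""Sanity-check a PKCS#11 key URI before blaming the tunneler (added example)."""
import ctypes
import ctypes.util
import shlex
from urllib.parse import parse_qs, urlsplit

# Stand-in shared library for the self-check: it loads, but it is not a
# PKCS#11 module, so it exercises the "no C_GetFunctionList" branch.
LIBC = ctypes.util.find_library("c") or "libc.so.6"


def parse_key_uri(uri):
    """Split 'pkcs11://<module>?id=<hex>&pin=<pin>' into its parts.

    Assumption: the module path rides in the URI path component (three
    slashes -> empty authority, absolute path) and the object id is hex.
    """
    parts = urlsplit(uri)
    if parts.scheme != "pkcs11":
        raise ValueError("not a pkcs11 URI: %r" % uri)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "id" not in query:
        raise ValueError("key URI has no id= query parameter")
    try:
        int(query["id"], 16)
    except ValueError:
        raise ValueError("id=%r is not hex" % query["id"])
    return {"module": parts.path, "id": query["id"], "pin": query.get("pin")}


def check_module(path):
    """Return 'ok', 'cannot-load' or 'not-pkcs11' for a module path.

    'cannot-load' is what a wrong path, a 32/64-bit mismatch or a missing
    dependency of the module looks like to any dlopen()-based client.
    """
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return "cannot-load"
    # Every Cryptoki library exports C_GetFunctionList; without it the path
    # points at some other shared object.
    return "ok" if hasattr(lib, "C_GetFunctionList") else "not-pkcs11"


def pkcs11_tool_command(key):
    """Build the OpenSC pkcs11-tool call that lists the object behind the id."""
    cmd = ["pkcs11-tool", "--module", key["module"],
           "--list-objects", "--id", key["id"]]
    if key["pin"] is not None:
        cmd += ["--login", "--pin", key["pin"]]
    return " ".join(shlex.quote(c) for c in cmd)


def diagnose(uri):
    """Parse the URI, probe the module, and return (status, follow-up command)."""
    key = parse_key_uri(uri)
    return check_module(key["module"]), pkcs11_tool_command(key)


if __name__ == "__main__":
    # URI copied from the thread; the module is only present on the reporter's host.
    status, cmd = diagnose("pkcs11:///usr/lib/libykcs11.so?id=01&pin=123456")
    print("module status:", status)
    print("run this to list the object:", cmd)
```

If the status is "ok" but pkcs11-tool finds no object with that id (or cannot log in with that PIN), the problem sits between the YubiKey and the URI, not in ziti; if it is "cannot-load", ziti's load_key_internal never gets as far as the token. The PIN ends up in the printed command line, so run it from an interactive shell with history off or drop --pin and let pkcs11-tool prompt.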
I am receiving the following error when trying to load an identity loaded onto a YubiKey via PKCS#11 in ziti-edge-tunnel v1.1.3:
The identity was created with ziti CLI v1.1.8, and enrolled with a local build (as openziti/ziti#1231 hasn't released yet).
The command used to create the certificate on the YubiKey was:
And the (redacted) identity JSON file after enrolling is: