CLI is unable to fetch external CA's JWT

openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti

https://openziti.io

Apache License 2.0

2.63k stars 152 forks source link

CLI is unable to fetch external CA's JWT #1151

Open qrkourier opened 1 year ago

qrkourier commented 1 year ago

ziti edge create ca is used to create a trust relationship with an external CA. Auto-enrolled identities must use the CA's JWT to discover the client API. The JWT is unavailable through any CLI interaction, so a REST request is necessary when automating this procedure.

qrkourier commented 1 year ago

As a workaround, this reusable enrollment token is available in the Ziti console and doesn't change throughout the life span of a controller's advertised client API URL.

shell example from https://openziti.discourse.group/t/ziti-and-spiffe/733/9?u=qrkourier

curl -sk -H "zt-session: ${zt_session}" "https://${ZITI_EDGE_CTRL_ADVERTISED}/edge/management/v1/cas/${ca_id}/jwt"

qrkourier commented 3 months ago

Another workaround that's possible when the ziti CLI is able to read the CA's private key is to let the CLI perform the entire verification operation.

ziti edge verify ca "myca" --cacert ./root/certs/root.cert --cakey ./root/keys/root.key

qrkourier commented 3 months ago

I encountered this problem again today and it was necessary to use cURL to fetch the re-usable JWT for autoca enrollments.