enroll with 3rd party CA #528

Closed
dovholuknf opened this issue Oct 19, 2022 · 0 comments
Labels
bug Something isn't working

Comments

@dovholuknf
Member

See discourse thread https://openziti.discourse.group/t/using-ziti-edge-tunnel-enroll/820

A user was using ziti-edge-tunnel to enroll an identity from a 3rd party CA and received the error shown below. Using the ziti CLI enroll command succeeds (see the discourse thread for an example).

```
[        0.000]   ERROR ziti-sdk:ziti_enroll.c:131 ziti_enroll() /home/runner/work/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:115 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
[        0.000]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1989 enroll_cb() enrollment failed: enroll failed(-9)
```

Steps to reproduce:

```shell
# -- MAKE SURE YOU SET THIS --
edge_controller_uri=https://localhost:8441
```

Log in somehow. If you used the quickstart you can use zitiLogin:

```shell
zitiLogin
```

Assign your token to zt_session:

```shell
# use your env file to get a zt_session header - used for curls below
zt_session=$(jq -r .edgeIdentities.default.token "$ZITI_HOME/ziti-cli.json")
```

Generate a new CA:

```shell
ca_name="new_ca_$(date +"%H%M%S")"
ca_dir="${ZITI_PKI}/${ca_name}"
caCert="$ZITI_PKI/${ca_name}/certs/${ca_name}.cert"
caKey="$ZITI_PKI/${ca_name}/keys/${ca_name}.key"

### create the PKI using the CLI
ziti pki create ca \
    --pki-root="${ZITI_PKI}" \
    --ca-file "${ca_name}" \
    --ca-name "${ca_name}"
```

Make the CA to test with:

```shell
ziti edge create ca "$ca_name" "$caCert" --autoca --ottca --auth

ca_id=$(ziti edge list cas 'name = "'"$ca_name"'"' -j | jq -r .data[].id)
ca_verification_token=$(ziti edge list cas 'name = "'"$ca_name"'"' -j | jq -r .data[].verificationToken)

cat <<HERE
CERT INFO
----------------------------------
    New CA name    : ${ca_name}
    New CA dir     : ${ca_dir}
    New CA cert at : ${caCert}
    New CA key at  : ${caKey}
    New CA id      : ${ca_id}
HERE
```

Create a 3rd party CA:

```shell
ziti pki create client \
    --pki-root="${ZITI_PKI}" \
    --ca-name="${ca_name}" \
    --client-name="${ca_verification_token}" \
    --client-file="${ca_verification_token}"

path_to_verificationToken_cert="$ZITI_PKI/${ca_name}/certs/${ca_verification_token}.cert"
echo "New client lives at   : ${path_to_verificationToken_cert}"
```

Demonstrate it's not verified yet:

```shell
ziti edge list cas 'name = "'"$ca_name"'"'
```

Verify the CA:

```shell
# submit the client cert to the proper endpoint using --data-binary
result=$(curl -vsk \
  -X POST \
  -H "Content-Type: text/plain" \
  -H "zt-session: ${zt_session}" \
  "${edge_controller_uri}/edge/management/v1/cas/${ca_id}/verify" \
  --data-binary "@${path_to_verificationToken_cert}" \
)
```

Verify the CA is now 'V'erified:

```shell
ziti edge list cas 'name = "'"$ca_name"'"'
```

Make a new identity to enroll:

```shell
# set your identity name. this is VITAL: you need to use the format of "[caName]-[commonName]"
# you can see when looking at the json that this is output:
#      "identityNameFormat": "[caName]-[commonName]",
# this was my missing step. presenting a cert that doesn't match this pattern makes it fail to auth
identity_name="${ca_name}-ca_id_$(date +"%H%M%S")"

echo "New Identity named: ${identity_name}"

ziti pki create client \
    --pki-root="${ZITI_PKI}" \
    --ca-name="${ca_name}" \
    --client-name="${identity_name}" \
    --client-file="${identity_name}"

# create a new identity - I couldn't find a 'ziti cli' nor 'ZAC' way of doing this. Needed to use the API
identity_id=$(curl -sk \
    -H "Content-Type: application/json" \
    -H "zt-session: ${zt_session}" \
    "${edge_controller_uri}/edge/management/v1/identities" \
    -d '{ "name": "'"${identity_name}"'", "type": "User", "isAdmin":false, "enrollment": { "ottca": "'"${ca_id}"'" } }' \
    | jq -j '.data.id'
    )

jwt_file="${ZITI_PKI}/${identity_name}.jwt"
echo "Third Party OTT identity created. ID: ${identity_id}"
```

Get the jwt from the controller - used to enroll:

```shell
curl -sk -H "Content-Type: application/json" \
     -H "zt-session: ${zt_session}" \
     "${edge_controller_uri}/edge/management/v1/identities/${identity_id}" \
     | jq -j .data.enrollment.ottca.jwt > "${jwt_file}"

echo "using jwt at ${jwt_file} to enroll"

# you need the CA bundle in order to enroll - this command grabs the ca bundle
curl -sk "${edge_controller_uri}/.well-known/est/cacerts" > "${ZITI_PKI}/fetched-ca-certs.p7"
openssl base64 -d -in "${ZITI_PKI}/fetched-ca-certs.p7" | openssl pkcs7 -inform DER -outform PEM -print_certs -out "${ZITI_PKI}/fetched-ca-certs.pem"
identity_full_ca_path="${ZITI_PKI}/fetched-ca-certs.pem"
```

Actually enroll the identity -- failure:

```shell
~/ziti-edge-tunnel enroll \
    --jwt "${jwt_file}" \
    --identity "$ZITI_PKI/$ca_name/keys/${identity_name}.json" \
    --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
    --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
    --name "${identity_name}"
```

Actually enroll the identity:

```shell
ziti edge enroll \
    --jwt "${jwt_file}" \
    --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
    --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
    --idname "${identity_name}" \
    --ca "${identity_full_ca_path}" \
    --out "$ZITI_PKI/$ca_name/keys/${identity_name}.json"
```
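The two things that break this enrollment path, as the steps above record, are an identity name that does not follow the CA's `identityNameFormat` and an ottca enrollment attempted without the CA-issued cert and key (the `-9 (enrollment method requires certificate)` error). The following pre-flight script is an added example, not code from the issue or from the OpenZiti project. It assumes that the enrollment JWT carries the enrollment method in an `em` claim (`ott`, `ottca` or `ca`) and that ottca identities must be named `[caName]-[commonName]` as the issue states; the sample token is constructed inline with a dummy signature, and nothing here verifies the signature (the controller does that on enrollment).

```shell
#!/bin/sh
# Added example (not the issue's or OpenZiti's own code): pre-flight checks for an
# ottca enrollment, covering the failure modes recorded in the issue.
# Assumptions: the enrollment JWT carries the method in an "em" claim
# (ott | ottca | ca), and ottca identities are named "[caName]-[commonName]".

# base64url-decode one JWT segment, restoring the padding the JWT format strips.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the string value of a top-level claim from the JWT payload.
# No signature check: this is a local sanity check only.
jwt_claim() {
    jwt=$1; claim=$2
    payload=$(printf '%s' "$jwt" | cut -d. -f2)
    b64url_decode "$payload" | sed -n "s/.*\"$claim\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Return 0 when the files the enrollment method needs are present, 1 otherwise.
# ott needs only the JWT; ottca and ca also need the CA-issued cert and its key,
# which is what the -9 "enrollment method requires certificate" error is about.
check_enroll_inputs() {
    jwt=$1; cert=$2; key=$3
    method=$(jwt_claim "$jwt" em)
    case $method in
        ott) return 0 ;;
        ottca|ca)
            if [ -n "$cert" ] && [ -r "$cert" ] && [ -n "$key" ] && [ -r "$key" ]; then
                return 0
            fi
            echo "enrollment method '$method' requires a certificate and key" >&2
            return 1 ;;
        *) echo "unknown or missing enrollment method '$method'" >&2; return 1 ;;
    esac
}

# The controller maps a presented cert to an identity named "[caName]-[commonName]";
# confirm the identity name you created follows that format before enrolling.
identity_name_ok() {
    name=$1; ca_name=$2
    case $name in
        "${ca_name}-"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample token: header.payload.signature with a dummy signature.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_JWT="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"iss":"https://localhost:8441","em":"ottca","sub":"identity-id-placeholder","jti":"token-placeholder"}').dummysig"

# Demonstration on the constructed token with no cert/key: reports the ottca failure.
echo "enrollment method in sample token: $(jwt_claim "$SAMPLE_JWT" em)"
check_enroll_inputs "$SAMPLE_JWT" "" "" || echo "pre-flight failed, as expected for ottca without a cert"
identity_name_ok "new_ca_101010-ca_id_101011" "new_ca_101010" && echo "identity name format ok"
```

Run `check_enroll_inputs "$jwt_file" "$cert" "$key"` and `identity_name_ok "$identity_name" "$ca_name"` with the variables from the reproduction steps before invoking either enroll command; a non-zero exit points at the specific input to fix rather than at the generic `enroll failed(-9)`.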