What's the router endpoint for my CloudZiti network?

I’m running ziti router run on pfSense (FreeBSD) and I can’t use any CloudZiti VM, container or package, so I need the ctrl.endpoint value for my router’s config.yml. The CloudZiti network is the one for which I chose the custom DNS name ziti.example.com when I first created it.

I’m using a fictitious DNS and IP in this report.

I found some hints in https://support.netfoundry.io/hc/en-us/articles/360044772432-How-to-Manually-Configure-an-Edge-Router, but it’s missing this detail about the endpoint.

I used this test to make sure I have the correct address, but the router is not working:

# same result for DNS:443 and IP:443
❯ openssl s_client -connect ziti.example.com:443 -alpn ziti-ctrl <>/dev/null |& openssl x509 -noout -subject
subject=C = US, ST = NC, L = Charlotte, O = NetFoundry, OU = AdvDev, CN = 1.8.2.96

I tried these two values based on the above.

ctrl:
  endpoint: "tls:1.8.2.96:443"

and

ctrl:
  endpoint: "tls:ziti.example.com:443"

I get the same errors for either value from ziti router run:

[   1.378]   ERROR ziti/router/env.(*networkControllers).connectToControllerWithBackoff.func2: {error=[error connecting ctrl (remote error: tls: error decrypting message)] endpoint=[tls:1.8.2.96:443]} unable to connect controller
[   1.677]   ERROR ziti/router/env.(*networkControllers).connectToControllerWithBackoff.func2: {endpoint=[tls:1.8.2.96:443] error=[error connecting ctrl (remote error: tls: error decrypting message)]} unable to connect controller

I could not find the port info in the console under “firewall info,” but I found in the support article linked in the console that routers also use port 6262.

I get a different server cert from that address, but I don’t recognize the subject’s common name, and I get the same errors from ziti router run if I use that address.

❯ openssl s_client -connect ziti.example.com:6262 <>/dev/null |& openssl x509 -noout -subject
subject=C = US, ST = NC, L = Charlotte, O = NetFoundry, OU = Ziti, CN = IvJNnCgb-F

Thanks for the guidance! I couldn’t think of anything else to try. 🙂

I can verify the server certificate, and I confirmed it has a DNS SAN for my custom DNS name and an IP SAN for the IP.

❯ openssl s_client -connect ziti.example.com:443 -alpn ziti-ctrl <>/dev/null |& openssl x509 -noout -text | grep -A1 Subject\ Alternative\ Name
            X509v3 Subject Alternative Name: 
                IP Address:1.8.2.96, IP Address:127.0.0.1, DNS:localhost, DNS:{{network id redacted}}.production.netfoundry.io, DNS:ziti.example.com

❯ openssl verify -CAfile ./certs/root.ca -untrusted ./certs/intermediate.ca ./certs/ctrl-server.pem
./certs/ctrl-server.pem: OK

❯ curl -sk https://ziti.example.com/edge/client/v1 | jq .data.version
"v0.30.4"
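The checks in this post (the ALPN ziti-ctrl probe, the SAN check, the chain verification and the edge API version query), wrapped as an added shell helper so they can be re-run against each candidate address. This is example code, not part of the original post or of NetFoundry's tooling; it assumes the tls:host:port endpoint form shown above, a single PEM CA bundle containing the network's root and intermediate CA, and curl and jq on the box.

```shell
#!/bin/sh
# Added diagnostic helper; not from the original post or from NetFoundry.
# It repeats the post's checks (ALPN "ziti-ctrl" probe, SAN check, chain
# verification, edge API version) so they can be re-run per candidate address.
# Assumptions: ctrl.endpoint has the form "tls:host:port", $3 is a PEM
# bundle holding the network's root and intermediate CA, curl and jq exist.

# Return 0 if $1 has the tls:host:port shape the router's ctrl.endpoint uses.
valid_ctrl_endpoint() {
  printf '%s' "$1" | grep -Eq '^tls:[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# Return 0 if the PEM certificate in $1 carries $2 as a DNS or IP SAN.
# Same extraction as the post: the line after "Subject Alternative Name".
san_has_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
    | grep -Eq "^[[:space:]]*(DNS|IP Address):$2[[:space:]]*$"
}

# Probe $1:$2 offering ALPN ziti-ctrl, save the leaf certificate, then report
# its subject, chain verification against $3 and whether $1 is in the SAN.
probe_ctrl() {
  host=$1 port=$2 ca_file=$3
  leaf=$(mktemp) || return 2
  if ! openssl s_client -connect "$host:$port" -servername "$host" \
         -alpn ziti-ctrl </dev/null 2>/dev/null \
       | openssl x509 -outform PEM >"$leaf" 2>/dev/null; then
    echo "no certificate returned by $host:$port with ALPN ziti-ctrl"
    rm -f "$leaf"; return 1
  fi
  openssl x509 -in "$leaf" -noout -subject
  openssl verify -CAfile "$ca_file" "$leaf" || echo "chain verification FAILED"
  if san_has_name "$leaf" "$host"; then echo "SAN contains $host"
  else echo "SAN does NOT contain $host"; fi
  rm -f "$leaf"
}

# Print the edge client API version the controller advertises (as in the post).
edge_version() {
  curl -sk "https://$1/edge/client/v1" | jq -r .data.version
}

# Usage: sh check-ctrl.sh ziti.example.com 443 ./certs/ca-bundle.pem
if [ "$#" -eq 3 ]; then
  valid_ctrl_endpoint "tls:$1:$2" || { echo "bad endpoint shape"; exit 2; }
  probe_ctrl "$1" "$2" "$3"
  edge_version "$1"
fi
```

A "chain verification FAILED" line together with a missing SAN entry for the probed host is the combination that a router will reject regardless of which port you configure.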