
x509: <certname> certificate is not trusted error on MacOS 13 #25

Closed
potto007 opened this issue Jan 13, 2023 · 3 comments

Comments

@potto007
Contributor

potto007 commented Jan 13, 2023

Summary:

When attempting to log in to sshd via a ziti tunnel from macOS, I receive a "certificate not trusted" error.

Steps to reproduce:

  1. Create a client identity
  2. Download the client's jwt to MacOS
  3. Run zssh enroll -c ~/.ziti -v ~/Downloads/zsshClient.jwt -o ~/.ziti/zssh.json
  4. Run zssh -d -i ~/.ssh/<pemfile> ec2-user@zsshServer

Expected results:

INFO 	      username set to: ec2-user
INFO 	targetIdentity set to: zsshServer
connected.

Actual results:

INFO 	      username set to: ec2-user
INFO 	targetIdentity set to: zsshServer
INFO 	connection to edge router using api session token da064f00-5cb8-4a92-bc73-84339e75bc13
ERROR	x509: “i-07fab813c818929f6-signing-intermediate” certificate is not trusted

Details:

I spent a couple of days familiarizing myself with the sdk codebase responsible for enrollment and for connection. I set up a debugger config in JetBrains GoLand to replay the events leading up to the failure. I found that the Go standard library was where the error was being thrown, because the cert's signer was not recognized. Reading through the enrollment codebase, it appeared that remote CAs should be pulled down, but they were only pulled when the client specified custom CAs. Given the behavior on Windows, and the behavior of the Ziti Desktop Edge client, whereby the zero trust PKI is inherently trusted, I changed my local copy of [email protected]/ziti/enroll/enroll.go to always pull down the CA bundle during enrollment. This immediately fixed the issue I was observing.

When preparing to create a PR for sdk-golang, I found that the same change had already been made a month ago in commit openziti/sdk-golang@574fcf1, from PR openziti/sdk-golang#342. Given that fix, I merely had to update zssh to pull in the latest versions of the dependencies.

Fixed by:

#24

@dovholuknf
Member

closes #24

@dovholuknf
Member

Don't know if you use the released versions or build yourself. New tag here with binaries: https://github.com/openziti-test-kitchen/zssh/releases/tag/0.0.15

@potto007
Contributor Author

Thanks! I try to use released versions of projects when I can, and definitely need to before I demo this environment for architecture review.
