From 33145d87d1ce010994428a721a84cfd10c71eb06 Mon Sep 17 00:00:00 2001
From: seantechco
Date: Fri, 20 Mar 2026 12:34:27 -0700
Subject: [PATCH] fix: use system CAs during OIDC enrollment

When enrolling via URL (-u), the SDK downloads the Ziti internal CA from /.well-known/est/cacerts, then creates a TLS context trusting ONLY that CA. This breaks reconnection to the enrollment endpoint when it uses a publicly-trusted certificate (e.g., Let's Encrypt behind a reverse proxy). The fix: use the system CA bundle (NULL) during enrollment so the SDK can verify both publicly-trusted enrollment endpoints and Ziti internal CA endpoints discovered via /version. The Ziti CA is still saved in the identity config for post-enrollment runtime use. Fixes enrollment failures in split-endpoint deployments where:
- enroll.example.com presents a Let's Encrypt cert
- ziti.example.com presents a Ziti internal CA cert
- Both are discovered via /version apiBaseUrls

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 library/ziti_enroll.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/library/ziti_enroll.c b/library/ziti_enroll.c
index bf7fdcd7..996c6db4 100644
--- a/library/ziti_enroll.c
+++ b/library/ziti_enroll.c
@@ -400,7 +400,11 @@ static void well_known_certs_cb(char *base64_encoded_pkcs7, const ziti_error *er
     ziti_ctrl_close(&er->controller);
     er->tls->free_ctx(er->tls);
-    er->tls = default_tls_context(er->cfg.id.ca, strlen(er->cfg.id.ca));
+    // Use system CA bundle during enrollment so we can verify both:
+    // - publicly-trusted enrollment endpoints (Let's Encrypt)
+    // - Ziti internal CA endpoints (discovered via /version)
+    // The Ziti CA is already saved in er->cfg.id.ca for the identity file.
+    er->tls = default_tls_context(NULL, 0);
     ziti_ctrl_init(er->loop, &er->controller, &er->cfg.controllers, er->tls);
 
     switch (er->enrollment.method) {
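Review bot: The new `default_tls_context(NULL, 0)` call drops `er->cfg.id.ca` from the trust set entirely, so a controller endpoint that presents a certificate issued by the Ziti internal CA (the second case the added comment lists) will only verify if that CA happens to be in the system store; the visible code does not add it back, so the comment's claim that both cases are verified is not supported by this hunk. If the TLS abstraction allows it, the enrollment context should trust the union of the system bundle and the just-downloaded `er->cfg.id.ca`, rather than replacing the pinned CA with the system roots; if it does not, the fallback should at least be conditional on having obtained cacerts. Either way the comment should state the trade-off explicitly, e.g. `// NOTE: trusting the system bundle widens enrollment trust from the single pinned Ziti CA to every system root; the Ziti CA must still be trusted for controllers that present an internal-CA cert.` The contract of `default_tls_context` for a NULL CA argument is not visible here and should be confirmed, and well_known_certs_cb continues outside the hunk.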