Mike S.

03/21/2023, 8:17 PM
Hi Team - long question here: We are planning to use this infrastructure - Client-->Cloudflare-->Elastic Load Balancer-->Fleet Server. The server is named with its own self-signed cert. The client will reach out to Cloudflare with the certificate for then Cloudflare will proxy the traffic to the load balancer, which will send the traffic to the Fleet server. The question is - when generating packages for client distribution, which certificate would I use so that the client can successfully communicate with the Fleet server? Second question: Can certificate bundles be used in the package distribution?

Marcos Oviedo

03/22/2023, 2:02 PM
Hey Mike, you can use
when using self-signed or certificate bundles. You need to pass one of these options to fleetctl when generating orbit installers. You can find more information about this here.

Mike S.

03/22/2023, 2:57 PM
Thanks Marcos! So would we use the self-signed cert for the client-->server connection? My concern is that due to the above infrastructure, the client won't be able to connect to the server due to the Cloudflare name vs the server name and intermediate certs.

Daniel Cross

03/23/2023, 3:15 AM
You wouldn’t need to specify a cert as TLS termination is on Cloudflare using a CA-signed cert. Just
If you’ve got a self-signed cert somehow loaded into Cloudflare, which I don’t think is possible, you’d specify that certificate.