Hi Team - long question here: We are planning to ...
# fleet
m
Hi Team - long question here: We are planning to use this infrastructure: Client --> Cloudflare --> Elastic Load Balancer --> Fleet Server. The server is named fleet.it.example.com with its own self-signed cert. The client will reach out to Cloudflare with the certificate for fleet.example.com, then Cloudflare will proxy the traffic to the load balancer, which will send the traffic to the Fleet server. The question is: when generating packages for client distribution, which certificate would I use so that the client can successfully communicate with the Fleet server? Second question: Can certificate bundles be used in the package distribution?
m
Hey Mike, you can use `--insecure` or `--fleet-certificate` when using self-signed or certificate bundles. You need to pass one of these options to fleetctl when generating orbit installers. You can find more information about this here.
m
Thanks Marcos! So would we use the self-signed cert for the client-->server connection? My concern is that due to the above infrastructure, the client won't be able to connect to the server due to the Cloudflare name vs the server name and intermediate certs.
d
You wouldn’t need to specify a cert as TLS termination is on Cloudflare using a CA-signed cert. Just `--tls_hostname=fleet.example.com`. If you’ve got a self-signed cert somehow loaded into Cloudflare, which I don’t think is possible, you’d specify that certificate.