Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
Sebastiaan
05/24/2023, 3:15 PMso these are the steps I did:
• installed the server on k8s
• used the following the command locally to generate a package:
fleetctl package --type=pkg --fleet-url=<https://URLHERE> --enroll-secret=SECRETHERE --fleet-certificate=tls.pem --identifier="com.identifier.here"l
Lucas Rodriguez
05/24/2023, 3:15 PMPlease do take a look in
/var/log/orbit/orbit.stderr.logThat holds the orbit+osquery logs in the device.
s
Sebastiaan
05/24/2023, 3:21 PMwell now i found it
certificate signed by unknown authority
l
Lucas Rodriguez
05/24/2023, 3:22 PMIf you are trying/testing Fleet (not production), try with
--insecure--fleet-certificatefleetctl packages
Sebastiaan
05/24/2023, 3:23 PMso upon reading the documentation, this is because the hostname of the server is not in the common name field of the certificate? we use a wildcard certificate for this setup
l
Lucas Rodriguez
05/24/2023, 3:25 PMTry with
curltls.pemthis is because the hostname of the server is not in the common name field of the certificate? we use a wildcard certificate for this setupSounds like it.
s
Sebastiaan
05/24/2023, 3:32 PMso @Lucas Rodriguez I rebuilt the package, with the -insecure flag
and without the cert
and I still get the exact same error
I see this:
l
Lucas Rodriguez
05/24/2023, 3:33 PMOK, please try uninstalling the package this way: https://github.com/fleetdm/fleet/blob/main/orbit/tools/cleanup/cleanup_macos.sh
Then installing the new package again.
s
Sebastiaan
05/24/2023, 3:34 PM2023-05-24T17:33:15+02:00 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: verify certificate: x509: certificate signed by unknown authority"
2023-05-24T17:33:15+02:00 INF token rotation is enabled
2023-05-24T17:33:16+02:00 INF using insecure TLS proxy addr=localhost:59598 target=<https://fleet.security.pleo.io>and then this in the logs:
I0524 17:33:47.612071 1885122560 tls.cpp:263] TLS/HTTPS POST request to URI: <https://localhost:59598/api/v1/osquery/distributed/read>
I0524 17:33:47.860929 1885122560 distributed.cpp:173] Executing distributed query: fleet_distributed_query_6: SELECT * FROM osquery_info;
I0524 17:33:47.862823 1885122560 tls.cpp:263] TLS/HTTPS POST request to URI: <https://localhost:59598/api/v1/osquery/distributed/write>l
Lucas Rodriguez
05/24/2023, 3:34 PMOK, that might be expected. Can you try running a live query now?
s
Sebastiaan
05/24/2023, 3:34 PMWell, I used that exact uninstall script
to remove everything before reinstalling
l
Lucas Rodriguez
05/24/2023, 3:34 PM2023-05-24T17:33:15+02:00 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: verify certificate: x509: certificate signed by unknown authority"This might be an expected log, but things should work now.
s
Sebastiaan
05/24/2023, 3:35 PMnow I am back to the websocket issue on k8s it seems