Sebastiaan

05/24/2023, 3:15 PM
so these are the steps I did:
• installed the server on k8s
• used the following command locally to generate a package:
fleetctl package --type=pkg --fleet-url=https://URLHERE --enroll-secret=SECRETHERE --fleet-certificate=tls.pem --identifier="com.identifier.here"
• Install the resulting package on a macbook
• Enable the verbose flag, manually, in the osquery.flags file on that macbook

Lucas Rodriguez

05/24/2023, 3:15 PM
Please do take a look in /var/log/orbit/orbit.stderr.log in the macbook
That holds the orbit+osquery logs in the device.

Sebastiaan

05/24/2023, 3:21 PM
well now i found it
certificate signed by unknown authority

Lucas Rodriguez

05/24/2023, 3:22 PM
If you are trying/testing Fleet (not production), try with --insecure and removing the --fleet-certificate flag when running the fleetctl package command and re-install.

Sebastiaan

05/24/2023, 3:23 PM
so upon reading the documentation, this is because the hostname of the server is not in the common name field of the certificate? we use a wildcard certificate for this setup

Lucas Rodriguez

05/24/2023, 3:25 PM
Try with curl using such tls.pem and connecting to Fleet to troubleshoot any certificate issues.
this is because the hostname of the server is not in the common name field of the certificate? we use a wildcard certificate for this setup
Sounds like it.

Sebastiaan

05/24/2023, 3:32 PM
so @Lucas Rodriguez I rebuilt the package, with the -insecure flag
and without the cert
and I still get the exact same error
I see this:

Lucas Rodriguez

05/24/2023, 3:33 PM
OK, please try uninstalling the package this way: https://github.com/fleetdm/fleet/blob/main/orbit/tools/cleanup/cleanup_macos.sh Then installing the new package again.

Sebastiaan

05/24/2023, 3:34 PM
2023-05-24T17:33:15+02:00 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: verify certificate: x509: certificate signed by unknown authority"
2023-05-24T17:33:15+02:00 INF token rotation is enabled
2023-05-24T17:33:16+02:00 INF using insecure TLS proxy addr=localhost:59598 target=<https://fleet.security.pleo.io>
and then this in the logs:
I0524 17:33:47.612071 1885122560 tls.cpp:263] TLS/HTTPS POST request to URI: <https://localhost:59598/api/v1/osquery/distributed/read>
I0524 17:33:47.860929 1885122560 distributed.cpp:173] Executing distributed query: fleet_distributed_query_6: SELECT * FROM osquery_info;
I0524 17:33:47.862823 1885122560 tls.cpp:263] TLS/HTTPS POST request to URI: <https://localhost:59598/api/v1/osquery/distributed/write>

Lucas Rodriguez

05/24/2023, 3:34 PM
OK, that might be expected. Can you try running a live query now?

Sebastiaan

05/24/2023, 3:34 PM
Well, I used that exact uninstall script
to remove everything before reinstalling

Lucas Rodriguez

05/24/2023, 3:34 PM
2023-05-24T17:33:15+02:00 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: verify certificate: x509: certificate signed by unknown authority"
This might be an expected log, but things should work now.

Sebastiaan

05/24/2023, 3:35 PM
now I am back to the websocket issue on k8s it seems