# fleet
w
Hi! We have deployed Fleet server on an HTTPS endpoint with SSL certificates. On the server side, Fleet is properly configured on the HTTPS endpoint and we don't have any issues accessing it, but when Windows and Linux clients try to communicate with the Fleet server on the HTTPS endpoint, we see this error in the orbit logs on the client side: "Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: verify certificate: x509: cannot validate". We suspect our geolocation-ip is also not working because of this; that's what we are suspecting, but we're not sure. Can anyone suggest how to implement it properly?
k
I can think of 2 things that it could be. 1. Your certificate is not included with orbit/osquery. You should make sure that your certificate or CA is included when you configure your installer. 2. Your certificate is not configured in your load balancer/reverse proxy/Fleet web server. Make sure your certificate is configured on whatever your orbit agents would connect to.
b
Just to add to point one, you might need to have a combined cert that has your CA and intermediary cert as well, that is what we had to do.
k
ah yes I forgot about that, and you have to make sure they are in the right order as well
w
Alright! Thanks for your help. I'll let you know after I've cross-checked things.
k
You can also add the --tls-dump and --verbose flags to osquery to get more detailed logging.
w
alright