Testing out Fleet Desktop and it has been stuck on...
# fleet
r
Testing out Fleet Desktop and it has been stuck on initializing for the past 24 hours. I've restarted, am running macOS 12.5 and have Fleet 4.18 installed that I generated an install package from.
k
Hi @Ryan ! Are you seeing any errors in the Fleet server logs? And is the host showing as enrolled in Fleet?
r
Different ryan 😄
oh wow it seems Slack has case-sensitive handles 😄
k
Sorry about that!
r
Host is showing as active and checking in. This is what I have for entries in my fleet-error.log
{
  "component": "http",
  "err": "stream error: stream ID 1; INTERNAL_ERROR",
  "level": "info",
  "path": "/api/v1/osquery/distributed/write",
  "ts": "2022-05-23T19:58:24.163637593Z"
}
{
  "component": "http",
  "err": "authentication error: find host: timestamp: 2022-05-23T19:58:25Z: context canceled",
  "level": "info",
  "path": "/api/v1/osquery/distributed/write",
  "ts": "2022-05-23T19:58:25.893806126Z"
}
{
  "component": "http",
  "err": "timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || getting app config: selecting app config: timestamp: 2022-05-23T19:57:19Z: context canceled",
  "ingestion-err": "ingest detail query: selecting app config: timestamp: 2022-05-23T19:57:19Z: context canceled",
  "ip_addr": "x.x.x.x",
  "level": "error",
  "method": "POST",
  "took": "32.13412499s",
  "ts": "2022-05-23T19:57:19.197367632Z",
  "uri": "/api/v1/osquery/distributed/write",
  "x_for_ip_addr": "x.x.x.x"
}
Also hi @Ryan 👋🤣
k
Thanks! Anything interesting in the Orbit logs on the host?
/private/var/log/orbit/orbit.std{out|err}.log
And was the host previously enrolled?
r
Yes, it was with plain osquery, but I deleted it before installing the Orbit package.
A couple items in the err log but host shows it's checked in 15 min ago.
2022-08-02T13:51:52-05:00 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: dial tcp: address fleet.host.com: missing port in address"
2022-08-02T13:51:52-05:00 INF start osqueryd cmd="/opt/orbit/bin/osqueryd/macos-app/stable/osquery.app/Contents/MacOS/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.host.com --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs /opt/orbit/fleet.pem --force --flagfile /opt/orbit/osquery.flags"
2022-08-02T13:51:52-05:00 INF opening path="/opt/orbit/bin/desktop/macos/stable/Fleet Desktop.app"
k
Just for the sake of going about it scientifically, can you clean up the install and see if the host still reports back? I'm wondering if osquery might not be fully removed and is still reporting.
z
Check the logs in tail ~/Library/Logs/Fleet/fleet-desktop.log as well (@Kathy Satterlee can you please add this to the docs somewhere?)
r
022-08-03T11:19:01-05:00 ERR get device URL error="GET /api/latest/fleet/device/a0b95733-69d7-4267-8bf2-95bf9b846a6b/policies: Get \"https://fleetdm.host.com/api/latest/fleet/device/a0b95733-69d7-4267-8bf2-95bf9b846a6b/policies\": x509: certificate relies on legacy Common Name field, use SANs instead"
k
It looks like the certificate you're using is incompatible with the current version of Go. You'll need a certificate with a Subject Alternative Name to use with Fleet. Here's some more detailed information: https://jfrog.com/knowledge-base/general-what-should-i-do-if-i-get-an-x509-certificate-relies-on-legacy-common-name-field-error/