Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
p
peanut butter
08/03/2022, 3:48 PMwhen I'm trying to connect osquery agent to fleet I get that error msg:
"W0803 08:45:50.922413 77924 tls_enroll.cpp:101] Failed enrollment request to https://localhost:8080/api/osquery/enroll (Request error: certificate verify failed) retrying..."
it happens after i run that command:
sudo /usr/bin/osqueryd --enroll_secret_path=/var/osquery/enroll_secret --tls_server_certs=/var/osquery/fleet.pem --tls_hostname=localhost:8080 --host_identifier=instance --enroll_tls_endpoint=/api/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/osquery/distributed/read --distributed_tls_write_endpoint=/api/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/osquery/log --logger_tls_period=10
its fleet 3.5.1 if it matters.
k
Kathy Satterlee
08/04/2022, 7:42 PMHi, @peanut butter! Are you still having trouble getting your host enrolled?
p
peanut butter
08/05/2022, 3:36 PMyes
k
Kathy Satterlee
08/05/2022, 4:01 PMAre you seeing anything in the fleet server logs when attempting to enroll?
Here's some info on common certificate issues that may be helpful as well:
https://fleetdm.com/docs/deploying/faq#how-do-i-fix-certificate-verify-failed-errors-from-osqueryd
p
peanut butter
08/05/2022, 6:09 PMim getting that log from the the fleet service:
"http: TLS handshake error from 127.0.0.1:33022: local error: tls: bad record MAC"
k
Kathy Satterlee
08/05/2022, 6:21 PMOkay. The request is at least making it that far! Sounds like there's an issue with the certificate. Did you generate that yourself for localhost?
p
peanut butter
08/06/2022, 10:48 AMim doing this by your example:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout /tmp/server.key -out /tmp/server.cert -subj "/CN=192.168.52.128” \
-addext "subjectAltName=DNS:192.168.52.128”
and the other certificate I downlowd form the my fleet webserver.
k
Kathy Satterlee
08/08/2022, 2:06 PMAh! Try listing the IP as listed for the CN as the hostname.
p
peanut butter
08/09/2022, 5:41 PMwhat do you mean?
k
Kathy Satterlee
08/09/2022, 5:43 PMThe certificate is being issued using an IP address of ‘192.168.52.128’ as the CN (Common Name). Assuming that is the public IP of your Fleet server, that's what you'd need to use as the hostname passed to osquery
Or create a new certificate with ‘localhost’ as the CN if you're just testing locally.
p
peanut butter
08/10/2022, 8:12 PM