#fleet

Joe

08/05/2022, 6:52 PM
Has anyone else encountered the message below? This comes up when I execute osqueryi on a host. I can query the host from Fleet just fine, but I find it odd that I get this message.
W0805 11:47:50.721536  1194 tls_enroll.cpp:101] Failed enrollment request to <https://servername> (Cannot parse JSON: Invalid value. Offset: 0) retrying...

Kathy Satterlee

08/05/2022, 7:10 PM
Hi, @Joe! Can you share the full URL shown there? You can totally edit the domain, but I'd like to see the endpoint it's trying to hit.
7:10 PM
Or is it just showing the domain?
7:11 PM
And are you using Orbit to enroll your hosts, or vanilla osquery?

Joe

08/05/2022, 7:14 PM
It's just showing the domain name, and we're using vanilla osquery.

Kathy Satterlee

08/05/2022, 7:24 PM
It sounds like there's an issue with the osquery flags. It's interesting that it's communicating with Fleet in general... it could be that the flags changed after the initial enrollment. Do you have anything set for --enroll_tls_endpoint?
7:27 PM
Should be --enroll_tls_endpoint=/api/v1/osquery/enroll

Joe

08/05/2022, 7:35 PM
These are the current flags we have configured:
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--enroll_secret_path=/var/osquery/enroll_secret
--enroll_tls_endpoint=/api/v1/osquery/enroll
--logger_plugin=filesystem,tls
--logger_event_type=false
--logger_path=/var/log/osquery
--logger_stderr=false
--tls_hostname=<%= @servername %>
--tls_server_certs=/var/osquery/osquery.pem
7:46 PM
Interesting, I get this when I specify the flagfile:
[user@server ~]$ osqueryi --flagfile=/etc/osquery/osquery.flags --verbose --tls_dump

{
  "error": "enroll failed: no matching secret found",
  "node_invalid": true
}

Kathy Satterlee

08/05/2022, 7:48 PM
You beat me to the --verbose --tls_dump
7:50 PM
If you compare the enroll_secret in /var/osquery/enroll_secret to the one displayed in Fleet, does it look good?

Joe

08/05/2022, 7:52 PM
Yeah, it matches

Benjamin Edwards

08/05/2022, 7:58 PM
Copy paste some funny character or white space?

Joe

08/05/2022, 8:03 PM
I'll double check
8:30 PM
I believe I may have found the issue. I ran it as root with the flagfile and enroll secret and I was able to execute osqueryi. Looking at the permissions, the enroll_secret file had a 400 permission, so I wasn't able to read it under my account.

Kathy Satterlee

08/05/2022, 8:30 PM
Nice find!