theopolis
--tls_server_certs to point to a PEM bundle containing the Let's Encrypt certificate generated for your fleet instance. When you set this flag you are telling osquery to only accept server certificates signed by the authorities in that PEM bundle. So it makes sense that, if you are also asking osquery to connect to firehose and Amazon's authorities are not in that bundle, you are receiving a certificate verification failure.
My guess is the solution is to combine the default certificate bundle osquery ships with, along with your custom certificate. You can do this by (1) copying the default certificate bundle to a new location, (2) appending the custom certificate to the end of the file, (3) setting --tls_server_certs to the location of the new file.
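The three-step procedure above as an added shell example (not osquery's or the poster's code): it checks that both inputs actually contain PEM certificate blocks, guards against a default bundle that lacks a trailing newline (which would glue the appended block onto the last line and make the bundle unparseable), and reports how many certificates the combined file holds. The file names, the placeholder certificate contents and the `<fleet-host>` value are constructed assumptions.

```bash
#!/bin/sh
# Added example (not osquery's code): build a combined CA bundle so that
# --tls_server_certs trusts both osquery's default authorities and the
# Let's Encrypt chain of the fleet instance.
set -eu

# Count PEM certificate blocks in a file (0 if the file is missing).
cert_count() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_bundle DEFAULT_BUNDLE CUSTOM_PEM OUTPUT
# Refuses to proceed if either input has no certificate block, and
# inserts a newline between the two files when the default bundle
# does not end with one. Prints the certificate count of the result.
build_bundle() {
  default="$1"; custom="$2"; out="$3"
  [ "$(cert_count "$default")" -gt 0 ] || { echo "no certs in $default" >&2; return 1; }
  [ "$(cert_count "$custom")" -gt 0 ] || { echo "no certs in $custom" >&2; return 1; }
  {
    cat "$default"
    # tail -c 1 yields an empty substitution only when the last byte is '\n'
    [ -z "$(tail -c 1 "$default")" ] || echo
    cat "$custom"
  } > "$out"
  cert_count "$out"
}

# Constructed sample inputs (placeholder blocks, NOT real certificates).
# The "default" bundle is deliberately written without a trailing newline
# to exercise the separator logic in build_bundle.
make_samples() {
  dir="${1:-$(mktemp -d)}"
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-DEFAULT-CA' \
    '-----END CERTIFICATE-----' > "$dir/certs.pem"
  printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LETSENCRYPT-CHAIN' \
    '-----END CERTIFICATE-----' > "$dir/fleet.pem"
  echo "$dir"
}

dir=$(make_samples)
n=$(build_bundle "$dir/certs.pem" "$dir/fleet.pem" "$dir/combined.pem")
echo "combined bundle $dir/combined.pem holds $n certificate(s)"
# Hypothetical invocation; <fleet-host> is a placeholder.
echo "osqueryd --tls_hostname=<fleet-host> --tls_server_certs=$dir/combined.pem"
```

In a real deployment replace the constructed inputs with osquery's shipped certs.pem and the Let's Encrypt chain for the fleet host before pointing --tls_server_certs at the combined file.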