My osquery doesnot connect to the fleet when i have my netsk

Question

My osquery doesnot connect to the fleet when i have my netskope turned on if i turn it off then i see the host online It throws certificate verification failed error Any help on it FYI Curl command works just fine even if netskope is on

Jason · Answer

are you specifying your wildcard cert explicitly in the osquery flags or orbit package options

zwass · Answer

Sounds like maybe netskope is man in the middling your TLS Do you need to provide netskope s certificate to osquery

Ojas · Answer

< Jason> no i am not providing anything in osquery flag file i just pickup the query from fleet and create the package

Ojas · Answer

< zwass> no i dont But for my previous deployment by ec2 i did not provide it and all worked So now i have 1000+ agents on that platform and if i have to switch to ecs then i dont want to install all agents again just because of a cert disappointed it worked earlier

zwass · Answer

You need to either use a certificate that is recognized by the built in cert bundle or you need to provide it to osquery for validation

Ojas · Answer

to osquery you mean when creating agent or in the fleet server somewhere

Ojas · Answer

oh btw i am using a cert from aws

zwass · Answer

Are you using Orbit or regular osquery

Ojas · Answer

orbit

zwass · Answer

AWS certificates definitely work with the built in certificate in Orbit so you can leave ` fleet certificate` empty when creating packages If you did specify ` fleet certificate` you need to make sure the certificate doesn t change or is still trusted by the cert chain you provide to that flag If it only works when netskope is off I assume that s because netskope is MITMing your TLS traffic and using a different certificate that doesn t verify

Ojas · Answer

fleetctl package type=pkg fleet url=<https fleetnew tpsec co> enroll secret= i dont specify fleet cert at all this is what i use Also it works when i use the insecure package So what if i stick to insecure how much harm can that do

zwass · Answer

If you use ` insecure` then your agents could be communicating with any server because it skips the certificate validation Definitely do not recommend for production

Ojas · Answer

Alright so my only option is to specify the netskop cert but is there any way i can specify a cert without building new agents and installing them like can i keep the old agents and update them to use cert

zwass · Answer

If you have some way to overwrite the files you could write the appropriate certificates to ` opt orbit certs pem`

Ojas · Answer

thanks for your time < zwass> let me try it our

Ojas · Answer

though i am curious how it worked earlier and not now netskope is same laughing