My osquery does not connect to the fleet when I hav...
# fleet
o
My osquery does not connect to Fleet when I have my Netskope turned on. If I turn it off then I see the host online. It throws a certificate verification failed error. Any help on it? FYI the curl command works just fine even if Netskope is on.
j
Are you specifying your wildcard cert explicitly in the osquery flags (or Orbit package options)?
z
Sounds like maybe Netskope is man-in-the-middling your TLS? Do you need to provide Netskope's certificate to osquery?
o
@Jason no, I am not providing anything in the osquery flag file; I just pick up the query from Fleet and create the package.
@zwass no, I don't. But for my previous deployment on EC2 I did not provide it and all worked. So now I have 1000+ agents on that platform, and if I have to switch to ECS then I don't want to install all agents again just because of a cert 😞 It worked earlier.
z
You need to either use a certificate that is recognized by the built-in cert bundle, or you need to provide it to osquery for validation.
o
To osquery you mean when creating the agent? Or in the Fleet server somewhere?
Oh, btw I am using a cert from AWS.
z
Are you using Orbit or regular osquery?
o
Orbit
z
AWS certificates definitely work with the built-in certificate in Orbit, so you can leave `--fleet-certificate` empty when creating packages. If you did specify `--fleet-certificate`, you need to make sure the certificate doesn't change (or is still trusted by the cert chain you provide to that flag). If it only works when Netskope is off, I assume that's because Netskope is MITMing your TLS traffic and using a different certificate that doesn't verify.
o
`fleetctl package --type=pkg --fleet-url=https://fleetnew.tpsec.co --enroll-secret=*` I don't specify the fleet cert at all. This is what I use. Also it works when I use the insecure package. So what if I stick to insecure, how much harm can that do?
z
If you use `--insecure` then your agents could be communicating with any server, because it skips the certificate validation. Definitely do not recommend for production.
o
Alright, so my only option is to specify the Netskope cert, but is there any way I can specify a cert without building new agents and installing them? Like, can I keep the old agents and update them to use the cert? :?
z
If you have some way to overwrite the files, you could write the appropriate certificates to `/opt/orbit/certs.pem`.
o
Thanks for your time @zwass, let me try it out.
Though I am curious how it worked earlier and not now. Netskope is the same 😆