#fleet
Ojas

08/23/2022, 7:58 AM
My osquery does not connect to the fleet when I have my netskope turned on. If I turn it off then I see the host online. It throws a certificate verification failed error. Any help on it? FYI the curl command works just fine even if netskope is on.
Jason

08/23/2022, 11:52 AM
are you specifying your wildcard cert explicitly in the osquery flags (or orbit package options?)
zwass

08/23/2022, 3:22 PM
Sounds like maybe netskope is man-in-the-middling your TLS? Do you need to provide netskope's certificate to osquery?
Ojas

08/23/2022, 3:45 PM
@Jason no, I am not providing anything in the osquery flag file; I just pick up the query from fleet and create the package.
3:46 PM
@zwass no I don't. But for my previous deployment by ec2 I did not provide it and all worked. So now I have 1000+ agents on that platform, and if I have to switch to ecs then I don't want to install all agents again just because of a cert 😞 it worked earlier
zwass

08/23/2022, 3:48 PM
You need to either use a certificate that is recognized by the built in cert bundle, or you need to provide it to osquery for validation.
Ojas

08/23/2022, 3:49 PM
To osquery, you mean when creating the agent? Or in the fleet server somewhere?
3:50 PM
Oh, btw I am using a cert from AWS
zwass

08/23/2022, 3:50 PM
Are you using Orbit or regular osquery?
Ojas

08/23/2022, 3:50 PM
orbit
zwass

08/23/2022, 3:52 PM
AWS certificates definitely work with the built-in certificate in Orbit, so you can leave --fleet-certificate empty when creating packages. If you did specify --fleet-certificate, you need to make sure the certificate doesn't change (or is still trusted by the cert chain you provide to that flag). If it only works when netskope is off, I assume that's because netskope is MITMing your TLS traffic and using a different certificate that doesn't verify.
Ojas

08/23/2022, 3:53 PM
fleetctl package --type=pkg --fleet-url=https://fleetnew.tpsec.co --enroll-secret=* I don't specify the fleet cert at all; this is what I use. Also it works when I use the insecure package. So what if I stick to insecure, how much harm can that do?
zwass

08/23/2022, 3:54 PM
If you use --insecure then your agents could be communicating with any server, because it skips the certificate validation. Definitely do not recommend for production.
Ojas

08/23/2022, 3:56 PM
Alright, so my only option is to specify the netskope cert, but is there any way I can specify a cert without building new agents and installing them? Like, can I keep the old agents and update them to use the cert :?
zwass

08/23/2022, 3:57 PM
If you have some way to overwrite the files, you could write the appropriate certificates to /opt/orbit/certs.pem.
Ojas

08/23/2022, 3:58 PM
Thanks for your time @zwass, let me try it out
3:59 PM
Though I am curious how it worked earlier and not now. Netskope is the same 😆