I will describe what I did step by step:
1. I depl...
# generalj
jimmy
08/25/2022, 12:14 PMI will describe what I did step by step:
1. I deployed a fleet pod webserver
2. I created an self singed certificate, a crt and key.
3. I created an ingress to enable tls termination to the pod with the self singed certificate.
4. when I enter to the node that I terminate tls it said that the connection is secured, and that the certificate is ok
5. then I tried to connect my osquery agent with the .crt file that I created at step 2 and when I run osqueried --verbose i get the error "certificate verify failed:
s
Stefano Bonicatti
08/25/2022, 12:22 PMAs Sharvil was correctly saying, osquery requires the full chain of certificates that verifies that your certificate is valid.
This means that you have to provide a certificate bundle (a merge of multiple certificates), containing the certificate (CAs) that signed that certificate and so on, until the chain of certificates stops.
Stefano Bonicatti
08/25/2022, 12:23 PMthat’s what has to be provided via
--tls_server_certsj
jimmy
08/25/2022, 12:25 PMbut I gave this flag --tls_server_certs the .crt file that I created at step 2
s
Stefano Bonicatti
08/25/2022, 12:26 PMYeah but that’s not the CA, that’s the end certificate that needs to be verified
Stefano Bonicatti
08/25/2022, 12:27 PMYou create another certificate, .pem or similar, to self-sign that one. That’s what need to be provided
j
jimmy
08/25/2022, 12:27 PMthe .crt file is already at .pem format
s
Stefano Bonicatti
08/25/2022, 12:32 PMThat’s not what I’m saying, but I think I’m wrongly assuming a step has been done.
A self-signed certificate alone won’t work; you need to first create a self-signed CA (Certificate Authority), and then with that sign a certificate to be used by the server.
Then you can pass the CA to osquery
Stefano Bonicatti
08/25/2022, 12:33 PMSo there needs to be a second certificate (the CA or a chain of them), that verifies that the certificate you use for the fleet server is valid
Stefano Bonicatti
08/25/2022, 12:44 PM(and sorry for the confusion on the wording, a self-signed certificate is indeed not signed by any CA, even if that CA is in turn self-signed. I was conflating two things)
j
jimmy
08/25/2022, 1:10 PMI have already a CA that is trusted by my network
s
Stefano Bonicatti
08/25/2022, 1:12 PMBut has that CA signed the certificate you were trying to use? And are you passing that CA certificate to osquery?
Stefano Bonicatti
08/25/2022, 1:14 PMThat’s what I’m saying, you need a CA certificate (from a real authority or self-signed) to sign the certificate you use for Fleet. Then you pass that CA (or the whole chain of them) to osquery, so that osquery can verify that the certificate you have given to Fleet is valid.
Stefano Bonicatti
08/25/2022, 1:17 PMSaid in a different way: you should not pass the certificate you give to Fleet to osquery, osquery doesn’t automatically accepts the certificate that Fleet sends just because it matches what you’ve given via
--tls_server_certsStefano Bonicatti
08/25/2022, 1:23 PMAlso, osquery doesn’t use the system certificate store to authenticate certificates, which is why you have to pass a separate bundle of CAs via the above flag.
j
jimmy
08/25/2022, 1:32 PMim sorry had a mistake it is not self singed
jimmy
08/25/2022, 1:32 PMthe ca singed that certificate
jimmy
08/25/2022, 1:41 PMi mean i have a ca that is trusted by my network taht can sing certificates
jimmy
08/25/2022, 1:41 PMit has been already used in the past to enroll to the fleet and it worked
2 Views