# fleet
g
Hi there, is anyone experiencing new `bad certificate` issues on macOS? In August our macOS devices within the company suddenly started to report the following problem (I substituted personal data with X):
`Aug 29 09:41:11 sub.domain.com fleet[5X78X3]: 2024/08/29 09:41:11 http: TLS handshake error from XX.XX.XXX.65:XXXXX: remote error: tls: bad certificate`
Background: We use our own SSL certificate for signing. But there are no issues with this SSL certificate when we run SSL Labs tests on it; it just suddenly started happening. This certificate also works on other services.
In the device logs I get:
`Post "https://sub.domain.com:443": tls: failed to verify certificate: x509: certificate is valid for *.domain.com, domain.com, not sub.domain.com:443`
r
@Grigory Emelianov Hey! Can you verify that you're using sub.domain.com rather than sub.sub.domain.com?
g
Thank you @Rebecca Cowart , this is correct
Any update @Rebecca Cowart? We have an audit soon
r
@Grigory Emelianov Thank you for clarifying! I'm looking into this and will get back to you with more info soon.
@Grigory Emelianov Are you using a self-signed certificate?
@Grigory Emelianov Also, what version of Fleet are you running?
g
@Rebecca Cowart yes, we are using a self-signed certificate from GoDaddy with EV verification. Note:
• The certificate worked for multiple months without any issues.
• Other factors:
  ◦ We renewed the certificate 3 months ago.
  ◦ A new sysadmin joined.
Now I am getting the certificate re-keyed to exclude possible issues with it. But it would be strange, since in the past months we didn't get any issues.
• Something random happened once as well: my employee who had this error re-installed the macOS agent and suddenly she stopped getting this error.
@Rebecca Cowart another question I have is: would the sync with the Fleet server work if I had a simple domain validation SSL certificate instead, or will the macOS agent always require an EV/OV SSL certificate on the server for communication?
r
@Grigory Emelianov Thank you for the info. What version of Fleet are you running on the device that is still facing the error? Also, Fleet does work with DV SSL certs. 🙂
g
It's a bit outdated, 4.8.0 or 4.8.1 I think.
Great to know about certificates! I thought macOS agents needed EV/OV; that's the only reason our sysadmin suggested those.
r
@Grigory Emelianov Our latest version is 4.60.0. Can you check your Fleet version number again?
@Grigory Emelianov Our most recent Fleet version is 4.60.1*
g
No, this is correct, we haven't updated in a while 😅
r
@Grigory Emelianov We recommend you upgrade to the latest version of Fleet. This would help us troubleshoot the issue effectively.
g
Do you have any SSL certificate caching on the agent side? Why I am asking: when we uninstall and re-install the agent on macOS, it starts working and the error message is no longer shown in the logs. But I cannot run after each employee to reinstall it again every year; it's difficult to achieve 🙂
Update: Got a new OV SSL certificate and installed it - didn't help. Still get the same problem. On the server side the error is:
`Dec 16 18:36:43 sub1.domain.com fleet[XXXXXX]: 2024/12/16 18:36:43 http: TLS handshake error from XX.XX.XXX.65:XXXXX: remote error: tls: bad certificate`
On the agent side the error is:
`Post "https://sub1.domain.com:443": tls: failed to verify certificate: x509: certificate is valid for *.domain.com, domain.com, not sub1.domain.com:443`
Also tried to flush DNS with
`sudo killall -HUP mDNSResponder`
on the device - didn't help, the Mac device is still not syncing... Would love to hear if there is any info about caching of SSL certificates @Rebecca Cowart
r
@Grigory Emelianov Is it possible that the expiry on your cert is too long? Apple has restrictions on their lifecycles now. I will have more info on SSL caching tomorrow!
g
@Rebecca Cowart It's the standard 1-year expiration. Right now we updated to a new OV SSL certificate that expires in Jan 2026. Even if I buy it for 3 years, we have to renew annually. New observation: we noticed that all of the macOS agents are still reporting back whenever the osquery version is 5.9.1 (2023), but most of the 5.14.1 agents stopped reporting back around the beginning of December 2024. I need to check how they got updated to the new version, but I assume it's the auto-update.
r
@Grigory Emelianov Looking back at this statement, I am confused. Is your certificate self-signed, or is it an EV certificate?
> we are using self-signed certificate from GoDaddy with EV verification
g
Sorry for the confusion, it's an OV certificate by GoDaddy, not self-signed. I mean we are using our own certificate. Did you see any other cases where the error is "…:443"? I couldn't find anything similar online. We even tried to create a dedicated certificate just for that server, but it still comes out with :443 in the logs.