# fleet
i
hello, I have the following configuration of Fleet via Docker, but I am encountering TLS errors, as the certificate given by Traefik and on Fleet contains the wildcard value *.company.it; instead Fleet goes to look for the server IP. How can I make Fleet use that certificate?
fleetdm-mgmt-01:
    restart: always
    container_name: fleetdm-mgmt-01
    image: fleetdm/fleet
    ports:
      - 8080:8080
    volumes:
      - /nas/appdata/fleetdm-mgmt-01:/fleet
      - /nas/logs/fleetdm-mgmt-01:/var/log/fleet:rw
    # closing quote of the sh -c string moved to the end; stdout and stderr of "fleet serve" go to the log
    command: sh -c "echo '\n' | /usr/bin/fleet prepare db && /usr/bin/fleet serve > /var/log/fleet/audit.log 2>&1"
    environment:
      HTTP_PROXY: http://10.*.*.13:23128
      HTTPS_PROXY: http://10.*.*.132:3128
      NO_PROXY: localhost,127.0.0.1,::1
      FLEET_MYSQL_ADDRESS: mysql-mgmt-01:3306
      FLEET_MYSQL_DATABASE: fleetdm-mgmt-01
      FLEET_MYSQL_USERNAME: root
      FLEET_MYSQL_PASSWORD: 'j********%l'
      FLEET_REDIS_ADDRESS: fleetdm-redis-mgmt-01:6379
      FLEET_REDIS_PASSWORD: eY*************t81
      FLEET_SERVER_TLS: "true"
      #FLEET_SERVER_CERT: /fleet/cert.pem
      #FLEET_SERVER_KEY: /fleet/cert-key.pem
      FLEET_LOGGING_JSON: "true"
      FLEET_AUTH_JWT_KEY:
      FLEET_LOGGING_DEBUG: 'true'
      FLEET_OSQUERY_LABEL_UPDATE_INTERVAL: 5m
      FLEET_VULNERABILITIES_PERIODICITY: 5m
      FLEET_ACTIVITY_ENABLE_AUDIT_LOG: "false"
      #FLEET_ACTIVITY_AUDIT_LOG_PLUGIN: filesystem
      #FLEET_FILESYSTEM_AUDIT_LOG_FILE: /var/log/fleet/audit.log
      FLEET_OSQUERY_STATUS_LOG_PLUGIN: stdout
      #FLEET_FILESYSTEM_STATUS_LOG_FILE: /var/log/fleet/osqueryd.status.log
      FLEET_OSQUERY_RESULT_LOG_PLUGIN: stdout
      #FLEET_FILESYSTEM_RESULT_LOG_FILE: /var/log/fleet/osqueryd.results.log
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.fleetdm-mgmt-01.rule=Host(`it-asset.company.it`)"
      - "traefik.http.routers.fleetdm-mgmt-01.entrypoints=web,websecure"
      - "traefik.http.services.fleetdm-mgmt-01.loadbalancer.server.port=8080"
      - "traefik.http.services.fleetdm-mgmt-01.loadbalancer.server.scheme=https"
      #- "traefik.http.services.fleetdm-mgmt-01.loadbalancer.server.url=it-asset.company.it"
      #- "traefik.tcp.routers.fleetdm-mgmt-01.tls.passthrough=true"  # Enable TLS pass-through
      - "traefik.http.routers.fleetdm-mgmt-01.tls=true"  # Enable TLS for the router
    networks:
      - Proxy
Thanks
k
Fleet will use the certificate provided using these environmental variables:
FLEET_SERVER_TLS  # Set to false if something else is terminating TLS for you.
FLEET_SERVER_CERT
FLEET_SERVER_KEY
i
@Kathy Satterlee so should I disable TLS on Fleet?
k
If Traefik is terminating TLS, yes.
Otherwise, you’d pass Fleet the location of the certificates you want it to use.
i
yes, I passed Fleet the certificate, but it gets rejected because it is a wildcard; instead Fleet looks for its IP in the certificate.
I saw the documentation of the REST API https://fleetdm.com/docs/rest-api/rest-api and I wanted to see if there is a ready-made collection to download, so that I can import the whole collection into Postman without having to create them all one at a time.
k
Here is some good troubleshooting info for certificates: https://fleetdm.com/guides/certificates-in-fleetd#basic-article You do need a certificate issued for Fleet’s Fully Qualified Domain Name to avoid errors with osquery.
i
thanks @Kathy Satterlee. Which endpoints do Orbit/osquery agents use to contact the server? I need to set up ACLs on firewalls; I currently only have these:
/api/v1/osquery/config
/api/v1/osquery/distributed/read
/api/v1/osquery/log
/api/v1/osquery/enroll
/api/v1/osquery/distributed/write
/api/v1/osquery/carve/begin
/api/v1/osquery/carve/block
/device (used by Fleet Desktop)
Putting an ACL that allows traffic from outside only to paths that start with the values above, or /api/v1/osquery/*, does not work. It only works if I allow all traffic.
k
Here are the Orbit endpoints: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/API-for-contributors.md
/orbit/enroll will also need to be available.