Hi fleet team, does /api/osquery/enroll API require cert even i mark tls false on fleet side? ExecStart=/usr/bin/fleet serve \ --mysql_address=127.0.0.1:3306 \ --mysql_database=fleet \ --mysql_username=root \ --mysql_password=admin \ --redis_address=127.0.0.1:6379 \ --redis_password=fleetpass \ --filesystem_enable_log_compression=true \ --filesystem_enable_log_rotation=true \ --filesystem_result_log_file=/var/log/fleet/result.log \ --server_tls=false \

Yes, osquery requires TLS. Typically you would use the

--server_tls=false

when running fleet behind a TLS terminator.

sorry, you mean that enroll API require cert whatever i set the server_tls, is that what you meant?

Correct.

--server-tls

only controls whether Fleet is served over TLS. You'd generally only disable that if you had a proxy server that was terminating TLS. Were you running in to trouble with TLS enabled on Fleet?

@Kathy Satterlee no i don't have trouble, but have sth suspect. Thank you for clarify. And our fleet server is running behind the load balancer, and i think there is some proxy server like nginx running as proxy i guess.

That sounds like a likely way to have things set up 🙂

@Kathy Satterlee could we enroll by sth else but cert like nodekey?

I really wouldn't recommend trying to get completely around TLS. Can you fill me in a little on why you'd like to do that?

because i saw there is sth is doing it, and confused why it works and post it here. So you mean it also works?

Just to break down the full flow for enrollment, it looks like this: 1.

osquery

sends an enrollment request to the Fleet server over TLS, which includes an enroll secret. 2. Either the Fleet server itself or a proxy acts as the TLS endpoint for that request. 3. If using a proxy, the request is then forwarded to Fleet. 4. Fleet accepts the request and enrolls the host if the enroll secret is valid. 5. Fleet responds with a node key that is used for future authentication.

well this is weird, as you said, osquery doesn't need cert to enroll, but i tried on my host and it didn't work out. and got this err Sep 20 20:45:06 n121-038-121 osqueryd[2691969]: W0920 20:45:06.466840 2692277 tls.cpp:101] Cannot read TLS server certificate(s): /var/osquery/fleet.pem

Osquery does need the cert to enroll.

ok, but why i saw that err and why it cannot enroll without cert?

Because

osquery

uses TLS to communicate with the server. Either Fleet or a proxy can be the TLS endpoint, but there needs to be one.

so the --server_tls=false i setup doesn't disable the tls between host running osquery and server, but only LB and server? the host running osquery still communicate with LB with tls? is that right?

Correct. That setting is just saying “Something else is terminating TLS”

ty