#fleet
wennan.he

09/20/2022, 8:20 PM
Hi Fleet team, does the /api/osquery/enroll API require a cert even if I mark TLS false on the Fleet side?

ExecStart=/usr/bin/fleet serve \
  --mysql_address=127.0.0.1:3306 \
  --mysql_database=fleet \
  --mysql_username=root \
  --mysql_password=admin \
  --redis_address=127.0.0.1:6379 \
  --redis_password=fleetpass \
  --filesystem_enable_log_compression=true \
  --filesystem_enable_log_rotation=true \
  --filesystem_result_log_file=/var/log/fleet/result.log \
  --server_tls=false \
Michal Nicpon

09/20/2022, 9:27 PM
Yes, osquery requires TLS. Typically you would use the --server_tls=false when running Fleet behind a TLS terminator.
wennan.he

09/20/2022, 9:33 PM
Sorry, you mean that the enroll API requires a cert whatever I set server_tls to, is that what you meant?
Kathy Satterlee

09/20/2022, 9:43 PM
Correct. --server-tls only controls whether Fleet is served over TLS. You'd generally only disable that if you had a proxy server that was terminating TLS. Were you running into trouble with TLS enabled on Fleet?
9:43 PM
And are you using a proxy server?
wennan.he

09/20/2022, 9:57 PM
@Kathy Satterlee No, I don't have trouble, but I have something suspect. Thank you for clarifying. And our Fleet server is running behind the load balancer, and I think there is some proxy server like nginx running as a proxy, I guess.
Kathy Satterlee

09/20/2022, 10:24 PM
That sounds like a likely way to have things set up 🙂
wennan.he

09/20/2022, 10:58 PM
@Kathy Satterlee Could we enroll by something else but a cert, like a node key?
11:23 PM
Does someone else know it?
Kathy Satterlee

09/20/2022, 11:39 PM
I really wouldn't recommend trying to get completely around TLS. Can you fill me in a little on why you'd like to do that?
wennan.he

09/20/2022, 11:42 PM
Because I saw there is something doing it, and was confused why it works, and posted it here. So you mean it also works?
Kathy Satterlee

09/20/2022, 11:51 PM
Just to break down the full flow for enrollment, it looks like this:
1. osquery sends an enrollment request to the Fleet server over TLS, which includes an enroll secret.
2. Either the Fleet server itself or a proxy acts as the TLS endpoint for that request.
3. If using a proxy, the request is then forwarded to Fleet.
4. Fleet accepts the request and enrolls the host if the enroll secret is valid.
5. Fleet responds with a node key that is used for future authentication.
wennan.he

09/20/2022, 11:54 PM
Well, this is weird. As you said, osquery doesn't need a cert to enroll, but I tried on my host and it didn't work out, and got this error:
Sep 20 20:45:06 n121-038-121 osqueryd[2691969]: W0920 20:45:06.466840 2692277 tls.cpp:101] Cannot read TLS server certificate(s): /var/osquery/fleet.pem
11:55 PM
And I also cannot see the host in the Fleet portal until the cert is set up.
Kathy Satterlee

09/20/2022, 11:56 PM
Osquery does need the cert to enroll.
wennan.he

09/20/2022, 11:57 PM
OK, but why did I see that error, and why can't it enroll without a cert?
Kathy Satterlee

09/21/2022, 12:00 AM
Because osquery uses TLS to communicate with the server. Either Fleet or a proxy can be the TLS endpoint, but there needs to be one.
wennan.he

09/21/2022, 12:03 AM
So the --server_tls=false I set up doesn't disable the TLS between the host running osquery and the server, but only between the LB and the server? The host running osquery still communicates with the LB over TLS? Is that right?
12:03 AM
That is why I see that error?
Kathy Satterlee

09/21/2022, 12:05 AM
Correct. That setting is just saying "Something else is terminating TLS."
wennan.he

09/21/2022, 12:19 AM
ty