# fleet
w
Hi fleet team, does the /api/osquery/enroll API require a cert even if I mark TLS false on the Fleet side?
ExecStart=/usr/bin/fleet serve \
  --mysql_address=127.0.0.1:3306 \
  --mysql_database=fleet \
  --mysql_username=root \
  --mysql_password=admin \
  --redis_address=127.0.0.1:6379 \
  --redis_password=fleetpass \
  --filesystem_enable_log_compression=true \
  --filesystem_enable_log_rotation=true \
  --filesystem_result_log_file=/var/log/fleet/result.log \
  --server_tls=false \
m
Yes, osquery requires TLS. Typically you would use --server_tls=false when running Fleet behind a TLS terminator.
w
Sorry, you mean that the enroll API requires a cert whatever I set server_tls to, is that what you meant?
k
Correct. --server_tls only controls whether Fleet is served over TLS. You'd generally only disable that if you had a proxy server that was terminating TLS. Were you running into trouble with TLS enabled on Fleet?
And are you using a proxy server?
w
@Kathy Satterlee No, I don't have trouble, but have something suspect. Thank you for clarifying. And our Fleet server is running behind the load balancer, and I think there is some proxy server like nginx running as a proxy, I guess.
k
That sounds like a likely way to have things set up 🙂
w
@Kathy Satterlee Could we enroll by something else but a cert, like a node key?
Does someone else know?
k
I really wouldn't recommend trying to get completely around TLS. Can you fill me in a little on why you'd like to do that?
w
Because I saw there is something doing it, and was confused why it works, and posted it here. So you mean it also works?
k
Just to break down the full flow for enrollment, it looks like this:
1. osquery sends an enrollment request to the Fleet server over TLS, which includes an enroll secret.
2. Either the Fleet server itself or a proxy acts as the TLS endpoint for that request.
3. If using a proxy, the request is then forwarded to Fleet.
4. Fleet accepts the request and enrolls the host if the enroll secret is valid.
5. Fleet responds with a node key that is used for future authentication.
w
Well, this is weird. As you said, osquery doesn't need a cert to enroll, but I tried on my host and it didn't work out, and got this error:
Sep 20 204506 n121-038-121 osqueryd[2691969]: W0920 204506.466840 2692277 tls.cpp:101] Cannot read TLS server certificate(s): /var/osquery/fleet.pem
And I also cannot see the host in the Fleet portal until the cert is set up.
k
Osquery does need the cert to enroll.
w
OK, but why did I see that error, and why can't it enroll without a cert?
k
Because osquery uses TLS to communicate with the server. Either Fleet or a proxy can be the TLS endpoint, but there needs to be one.
w
So the --server_tls=false I set up doesn't disable the TLS between the host running osquery and the server, but only between the LB and the server? The host running osquery still communicates with the LB over TLS? Is that right?
That is why I see that error?
k
Correct. That setting is just saying “Something else is terminating TLS.”
w
ty