Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
e
Erik Tank
10/16/2022, 4:53 AMhi all - anyone have some advice for me to get our brand new fleetdm working? It was working with the self signed certs - but I tried to extract the crt and key files from a wildcard pfx we use - I added those to the fleet.service file - and now when I start up fleet, I get a series of "Authentication required","internal":"Authentication error: invalid device authentication token. As well as a 2nd error repeating "TLS handshake error from (localhost IP address): remote error: tls bad certificate"
I've tried to install the .deb file on my Ubuntu server (host) as well as one windows host so far - using the default pre-built "Add Hosts" statements using the Fleet-Desktop option for Orbit.
k
Kathy Satterlee
10/17/2022, 2:49 PMHey @Erik Tank! When you re-installed the agent on your hosts, did you include the new certificate?
e
Erik Tank
10/17/2022, 8:02 PMI used the same default command to recreate the msi file. The default syntax doesn’t include or specify any certificate information….?
How do I go about "including" the new certificate for a windows or linux agent installer? If I recreate the MSI or DEB file - what extra syntax do I include to specify the cert?
Currently I click on "Add Hosts" and under the windows area I get the command to run there: "fleetctl package --type=msi --fleet-desktop --fleet-url=https://fleetdm.emsd37.org:8080 --enroll-secret=xxxxx"
Is there an extra value to specify the cert and how is that passed to the clients? Since it's a wildcard cert purchased from register.com - is it even necessary to include the cert since it's public domain verified?
k
Kathy Satterlee
10/18/2022, 3:20 PMSorry about that, I misread the situation a little and thought you were still using a self signed certificate! Can you check the Orbit logs on the host in question to see if there's any additional detail there?:
C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.loge
Erik Tank
10/20/2022, 7:47 PMThe error in the orbit-osquery.log file says:
W1020 14:45:42.264096 6848 tls_enroll.cpp:101] Failed enrollment request to <https😕/f:8080/api/v1/osquery/enroll|https😕/<redacted>:8080/api/v1/osquery/enroll> (Request error: certificate verify failed) retrying...
But when I go to the site in Chrome or any browser it shows the certificate is valid and working… no errors or warnings there… 😞
k
Kathy Satterlee
10/20/2022, 7:58 PMCheck out the troubleshooting steps here:
https://fleetdm.com/docs/deploying/faq#how-do-i-fix-certificate-verify-failed-errors-from-osqueryd
I see that you're creating an
.msiAdvancede
Erik Tank
10/21/2022, 9:37 PMI have looked through that information but still do not get a connection - not even from my ubuntu box to itself... I tried using the option to create a self signed cert and used the tls-skip-verify option and it still fails to connect...? I'm lost. I may start over with CentOS just to follow exact steps on the doc page. But if you have any other questions or answers, I'd prefer Ubuntu. 🙂