#fleet
Erik Tank

10/16/2022, 4:53 AM
hi all - anyone have some advice for me to get our brand new fleetdm working? It was working with the self signed certs - but I tried to extract the crt and key files from a wildcard pfx we use - I added those to the fleet.service file - and now when I start up fleet, I get a series of "Authentication required","internal":"Authentication error: invalid device authentication token. As well as a 2nd error repeating "TLS handshake error from (localhost IP address): remote error: tls bad certificate" I've tried to install the .deb file on my Ubuntu server (host) as well as one windows host so far - using the default pre-built "Add Hosts" statements using the Fleet-Desktop option for Orbit.
Kathy Satterlee

10/17/2022, 2:49 PM
Hey @Erik Tank! When you re-installed the agent on your hosts, did you include the new certificate?
Erik Tank

10/17/2022, 8:02 PM
I used the same default command to recreate the msi file. The default syntax doesn’t include or specify any certificate information….?
11:59 PM
How do I go about "including" the new certificate for a windows or linux agent installer? If I recreate the MSI or DEB file - what extra syntax do I include to specify the cert? Currently I click on "Add Hosts" and under the windows area I get the command to run there: "fleetctl package --type=msi --fleet-desktop --fleet-url=https://fleetdm.emsd37.org:8080 --enroll-secret=xxxxx" Is there an extra value to specify the cert and how is that passed to the clients? Since it's a wildcard cert purchased from register.com - is it even necessary to include the cert since it's public domain verified?
Kathy Satterlee

10/18/2022, 3:20 PM
Sorry about that, I misread the situation a little and thought you were still using a self-signed certificate! Can you check the Orbit logs on the host in question to see if there's any additional detail there?
C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log
It may be that the certificate you're using isn't compatible.
Erik Tank

10/20/2022, 7:47 PM
The error in the orbit-osquery.log file says: W1020 14:45:42.264096 6848 tls_enroll.cpp:101] Failed enrollment request to <https://f:8080/api/v1/osquery/enroll|https://<redacted>:8080/api/v1/osquery/enroll> (Request error: certificate verify failed) retrying...
7:47 PM
But when I go to the site in Chrome or any browser it shows the certificate is valid and working… no errors or warnings there… 😞
Kathy Satterlee

10/20/2022, 7:58 PM
8:01 PM
I see that you're creating an .msi, so including the certificate may be the best option. Check out the Advanced tab in the Add hosts modal.
Erik Tank

10/21/2022, 9:37 PM
I have looked through that information but still do not get a connection - not even from my Ubuntu box to itself... I tried using the option to create a self-signed cert and used the tls-skip-verify option and it still fails to connect...? I'm lost. I may start over with CentOS just to follow the exact steps on the doc page. But if you have any other questions or answers, I'd prefer Ubuntu. 🙂