hi all anyone have some advice for me to get our brand new f

Question

hi all anyone have some advice for me to get our brand new fleetdm working It was working with the self signed certs but I tried to extract the crt and key files from a wildcard pfx we use I added those to the fleet service file and now when I start up fleet I get a series of Authentication required internal Authentication error invalid device authentication token As well as a 2nd error repeating TLS handshake error from localhost IP address remote error tls bad certificate I ve tried to install the deb file on my Ubuntu server host as well as one windows host so far using the default pre built Add Hosts statements using the Fleet Desktop option for Orbit

Kathy Satterlee · Answer

Hey < Erik Tank> When you re installed the agent on your hosts did you include the new certificate

Erik Tank · Answer

I used the same default command to recreate the msi file The default syntax doesn t include or specify any certificate information

Erik Tank · Answer

How do I go about including the new certificate for a windows or linux agent installer If I recreate the MSI or DEB file what extra syntax do I include to specify the cert Currently I click on Add Hosts and under the windows area I get the command to run there fleetctl package type=msi fleet desktop fleet url= enroll secret=xxxxx Is there an extra value to specify the cert and how is that passed to the clients Since it s a wildcard cert purchased from is it even necessary to include the cert since it s public domain verified

Kathy Satterlee · Answer

Sorry about that I misread the situation a little and thought you were still using a self signed certificate Can you check the Orbit logs on the host in question to see if there s any additional detail there ```C Windows system32 config systemprofile AppData Local FleetDM Orbit Logs orbit osquery log``` It may be that the certificate you re using isn t compatible

Erik Tank · Answer

The error in the orbit osquery log file says W1020 14 45 42 264096 6848 tls enroll cpp 101 Failed enrollment request to lt https f 8080 api v1 osquery enroll|https lt redacted gt 8080 api v1 osquery enroll gt Request error certificate verify failed retrying

Erik Tank · Answer

But when I go to the site in Chrome or any browser it shows the certificate is valid and working no errors or warnings there disappointed

Kathy Satterlee · Answer

Check out the troubleshooting steps here <https fleetdm com docs deploying faq how do i fix certificate verify failed errors from osqueryd>

Kathy Satterlee · Answer

I see that you re creating an ` msi` so including the certificate may be the best option Check out the `Advanced` tab in the Add hosts modal

Erik Tank · Answer

I have looked through that information but still do not get a connection not even from my ubuntu box to itself I tried using the option to create a self signed cert and used the tls skip verify option and it still fails to connect I m lost I may start over with CentOS just to follow exact steps on the doc page But if you have any other questions or answers I d prefer Ubuntu slightly smiling face