# general
j
'Afternoon Everyone! Looking for some help plz - I'm trying to build my Kolide stack; I cannot work with my certificates. Am getting W0714 162921.859051 135417856 tls.cpp:100] Cannot read TLS server certificate(s): ~/Desktop/OSQueryTmp/cert.pem W0714 162921.926555 135417856 tls_enroll.cpp:76] Failed enrollment request to <<Domain>> (Request error: certificate verify failed) retrying...
r
I had something similar to this when first setting up Fleet, which was because I needed to have the full certificate chain in the pem file. Once I provided the full chain, all intermediate certificates and the root certificate, it all started working again.
j
Believe I've got the full chain in my .pem file on my local machine.
r
is it a self-signed cert?
j
letsencrypt
r
you may need to include Let’s Encrypt’s root cert at the end of the PEM too
I’m not sure though.
j
when running "openssl s_client -connect" against my hostname it comes back with
"--- SSL handshake has read 3127 bytes and written 401 bytes Verification error: unable to get local issuer certificate --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 20 (unable to get local issuer certificate)"
not sure if this has something to do with it.
r
yeah that suggests it’s not able to verify the full trust chain
you could try appending the X3 intermediate cert and the X1 root cert for Let’s Encrypt to your .pem file and see if that does the trick: https://letsencrypt.org/certificates/
j
Appending: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt to the bottom of my MacBook does nothing
Fleet Server running in AWS - MacBook running locally.
r
add the X1 as well so you have the entire chain
you’ll probably need to restart the osquery service too
I’d also check the usual things, like if you can reach Fleet via curl etc
j
can do all of that etc.
r
I haven’t rolled it out on macOS myself, so I’m not sure, my experience was various Linux distros
j
Not enjoying this tbh!
r
to rule out the cert you might try doing an initial proof of concept with a self-signed cert, then it’s just a single cert, shouldn’t be much to go wrong 😄
j
true dat!
if this doesn't work, might try that
r
🤞
worked for me 😂
j
I need a certificate on this - my Macs are not managed through a core VPN.
Nah, didn't work
r
when I went to productionise it I switched to a wildcard certificate and that’s when I hit this issue and needed the intermediate and root certs appending to the PEM
could be macOS is different here though I haven’t tried it on a Mac yet
j
Nah, even with a self-signed cert it doesn't want to play ball.
Let me check AWS Settings
@Ryan So I think that because I set up an ACM in AWS with my DNS entry that may have done it.
I'll need to refresh my DNS Cache.
r
ahh interesting
I’ve not used ACM
j
I'll give it a go shortly! Thanks again.