J Gilmour

07/14/2020, 3:36 PM
'Afternoon Everyone! Looking for some help plz - I'm trying to build my Kolide stack; I cannot work with my certificates. I'm getting:
W0714 16:29:21.859051 135417856 tls.cpp:100] Cannot read TLS server certificate(s): ~/Desktop/OSQueryTmp/cert.pem
W0714 16:29:21.926555 135417856 tls_enroll.cpp:76] Failed enrollment request to <<Domain>> (Request error: certificate verify failed) retrying...

Ryan

07/14/2020, 3:39 PM
I had something similar to this when first setting up Fleet, which was because I needed to have the full certificate chain in the pem file. Once I provided the full chain, all intermediate certificates and the root certificate, it all started working again.

J Gilmour

07/14/2020, 3:40 PM
Believe I've got the full chain in my .pem file on my local machine.

Ryan

07/14/2020, 3:40 PM
is it a self-signed cert?

J Gilmour

07/14/2020, 3:43 PM
letsencrypt

Ryan

07/14/2020, 3:44 PM
you may need to include Let’s Encrypt’s root cert at the end of the PEM too
I’m not sure though.

J Gilmour

07/14/2020, 3:45 PM
When I run "openssl s_client -connect" against my hostname it comes back with:
---
SSL handshake has read 3127 bytes and written 401 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
Not sure if this has something to do with it.

Ryan

07/14/2020, 3:49 PM
yeah that suggests it’s not able to verify the full trust chain
you could try appending the X3 intermediate cert and the X1 root cert for Let’s Encrypt to your .pem file and see if that does the trick: https://letsencrypt.org/certificates/

J Gilmour

07/14/2020, 3:53 PM
Appending: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt to the bottom of my MacBook does nothing
Fleet Server running in AWS - MacBook running locally.

Ryan

07/14/2020, 3:54 PM
add the X1 as well so you have the entire chain
you’ll probably need to restart the osquery service too
I’d also check the usual things, like whether you can reach Fleet via curl etc.

J Gilmour

07/14/2020, 3:55 PM
can do all of that etc.

Ryan

07/14/2020, 3:55 PM
I haven’t rolled it out on macOS myself, so I’m not sure, my experience was various Linux distros

J Gilmour

07/14/2020, 3:55 PM
Not enjoying this tbh!

Ryan

07/14/2020, 3:56 PM
to rule out the cert you might try doing an initial proof of concept with a self-signed cert, then it’s just a single cert, shouldn’t be much to go wrong 😄

J Gilmour

07/14/2020, 3:57 PM
true dat!
if this doesn't work I might try that

Ryan

07/14/2020, 3:57 PM
🤞
worked for me 😂

J Gilmour

07/14/2020, 3:58 PM
I need a certificate on this - my Macs are not managed through a core VPN.
Nah, didn't work

Ryan

07/14/2020, 3:58 PM
when I went to productionise it I switched to a wildcard certificate and that’s when I hit this issue and needed the intermediate and root certs appending to the PEM
could be macOS is different here though I haven’t tried it on a Mac yet

J Gilmour

07/14/2020, 4:10 PM
Nah, even with a self-signed cert it doesn't want to play ball.
Let me check AWS Settings
@Ryan So I think that because I set up an ACM in AWS with my DNS Entry that may have done it.
I'll need to refresh my DNS Cache.

Ryan

07/14/2020, 4:14 PM
ahh interesting
I’ve not used ACM

J Gilmour

07/14/2020, 4:19 PM
I'll give it a go shortly! Thanks again.