Channels
#general
Title
# general
j
J Gilmour
07/14/2020, 3:36 PM'Afternoon Everyone! Looking for some help plz - I'm trying to build my Kolide stack; I cannot work with my certificates. Am getting
W0714 162921.859051 135417856 tls.cpp:100] Cannot read TLS server certificate(s): ~/Desktop/OSQueryTmp/cert.pem
W0714 162921.926555 135417856 tls_enroll.cpp:76] Failed enrollment request to <<Domain>> (Request error: certificate verify failed) retrying...
r
Ryan
07/14/2020, 3:39 PMI had something similar to this when first setting up Fleet, which was because I needed to have the full certificate chain in the pem file. Once I provided the full chain, all intermediate certificates and the root certificate, it all started working again.
j
J Gilmour
07/14/2020, 3:40 PMBelieve I've got the full chain in my .pem file on my local machine.
r
Ryan
07/14/2020, 3:40 PMis it a self-signed cert?
j
J Gilmour
07/14/2020, 3:43 PMletsencrypt
r
Ryan
07/14/2020, 3:44 PMyou may need to include Let’s Encrypt’s root cert at the end of the PEM too
I’m not sure though.
j
J Gilmour
07/14/2020, 3:45 PMwhen running "openssl s_client -connect" against my hostname comes back with
"---
SSL handshake has read 3127 bytes and written 401 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)"
not sure if this has something to do with it.
r
Ryan
07/14/2020, 3:49 PMyeah that suggests it’s not able to verify the full trust chain
you could try appending the X3 intermediate cert and the X1 root cert for Let’s Encrypt to your .pem file and see if that does the trick: https://letsencrypt.org/certificates/
j
J Gilmour
07/14/2020, 3:53 PMAppending: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt to the bottom of my MacBook does nothing
Fleet Server running in AWS - MacBook running locally.
r
Ryan
07/14/2020, 3:54 PMadd the X1 as well so you have the entire chain
you’ll probably need to restart the osquery service too
I’d also check if you can the usual things, like if you can reach Fleet via curl etc
j
J Gilmour
07/14/2020, 3:55 PMcan do all of that etc.
r
Ryan
07/14/2020, 3:55 PMI haven’t rolled it out on macOS myself, so I’m not sure, my experience was various Linux distros
j
J Gilmour
07/14/2020, 3:55 PMNot enjoying this tbh!
r
Ryan
07/14/2020, 3:56 PMto rule out the cert you might try doing an initial proof of concept with a self-signed cert, than it’s just a single cert, shouldn’t be much to go wrong 😄
j
J Gilmour
07/14/2020, 3:57 PMtrue dat!
if this doesn't work Might try that
r
Ryan
07/14/2020, 3:57 PM🤞
worked for me 😂
j
J Gilmour
07/14/2020, 3:58 PMI need a certificate on this - my Macs' are not managed through a core VPN.
Nah, didn't work
r
Ryan
07/14/2020, 3:58 PMwhen I went to productionise it I switched to a wildcard certificate and that’s when I hit this issue and needed the intermediate and root certs appending to the PEM
could be macOS is different here though I haven’t tried it on a Mac yet
j
J Gilmour
07/14/2020, 4:10 PMNah even with a Self signed cert doesn't want to play ball.
Let me check AWS Settings
@Ryan So I think that because I setup an ACM in AWS with my DNS Entry that may have done it.
I'll need to refresh my DNS Cache.
r
Ryan
07/14/2020, 4:14 PMahh interesting
I’ve not used ACM
j
J Gilmour
07/14/2020, 4:19 PMI'll give it ago shortly! Thanks again.
👍 1
2 Views