#general
J Gilmour

07/14/2020, 3:36 PM
'Afternoon Everyone! Looking for some help plz - I'm trying to build my Kolide stack; I cannot work with my certificates. Am getting:
W0714 16:29:21.859051 135417856 tls.cpp:100] Cannot read TLS server certificate(s): ~/Desktop/OSQueryTmp/cert.pem
W0714 16:29:21.926555 135417856 tls_enroll.cpp:76] Failed enrollment request to <<Domain>> (Request error: certificate verify failed) retrying...
Ryan

07/14/2020, 3:39 PM
I had something similar to this when first setting up Fleet, which was because I needed to have the full certificate chain in the pem file. Once I provided the full chain, all intermediate certificates and the root certificate, it all started working again.
J Gilmour

07/14/2020, 3:40 PM
Believe I've got the full chain in my .pem file on my local machine.
Ryan

07/14/2020, 3:40 PM
is it a self-signed cert?
J Gilmour

07/14/2020, 3:43 PM
letsencrypt
Ryan

07/14/2020, 3:44 PM
you may need to include Let’s Encrypt’s root cert at the end of the PEM too
3:44 PM
I’m not sure though.
J Gilmour

07/14/2020, 3:45 PM
when running "openssl s_client -connect" against my hostname it comes back with
3:45 PM
"---
SSL handshake has read 3127 bytes and written 401 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)"
3:46 PM
not sure if this has something to do with it.
Ryan

07/14/2020, 3:49 PM
yeah that suggests it’s not able to verify the full trust chain
3:50 PM
you could try appending the X3 intermediate cert and the X1 root cert for Let’s Encrypt to your .pem file and see if that does the trick: https://letsencrypt.org/certificates/
J Gilmour

07/14/2020, 3:53 PM
Appending: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt to the bottom of my MacBook does nothing
3:54 PM
Fleet Server running in AWS - MacBook running locally.
Ryan

07/14/2020, 3:54 PM
add the X1 as well so you have the entire chain
3:54 PM
you’ll probably need to restart the osquery service too
3:55 PM
I’d also check the usual things, like if you can reach Fleet via curl etc
J Gilmour

07/14/2020, 3:55 PM
can do all of that etc.
Ryan

07/14/2020, 3:55 PM
I haven’t rolled it out on macOS myself, so I’m not sure, my experience was various Linux distros
J Gilmour

07/14/2020, 3:55 PM
Not enjoying this tbh!
Ryan

07/14/2020, 3:56 PM
to rule out the cert you might try doing an initial proof of concept with a self-signed cert, then it’s just a single cert, shouldn’t be much to go wrong 😄
J Gilmour

07/14/2020, 3:57 PM
true dat!
3:57 PM
if this doesn't work I might try that
Ryan

07/14/2020, 3:57 PM
🤞
3:57 PM
worked for me 😂
J Gilmour

07/14/2020, 3:58 PM
I need a certificate on this - my Macs are not managed through a core VPN.
3:58 PM
Nah, didn't work
Ryan

07/14/2020, 3:58 PM
when I went to productionise it I switched to a wildcard certificate and that’s when I hit this issue and needed the intermediate and root certs appending to the PEM
3:58 PM
could be macOS is different here though I haven’t tried it on a Mac yet
J Gilmour

07/14/2020, 4:10 PM
Nah, even with a self-signed cert it doesn't want to play ball.
4:10 PM
Let me check AWS Settings
4:14 PM
@Ryan So I think that because I set up an ACM in AWS with my DNS entry that may have done it.
4:14 PM
I'll need to refresh my DNS Cache.
Ryan

07/14/2020, 4:14 PM
ahh interesting
4:15 PM
I’ve not used ACM
J Gilmour

07/14/2020, 4:19 PM
I'll give it a go shortly! Thanks again.