Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
J Gilmour
07/14/2020, 3:36 PM'Afternoon Everyone! Looking for some help plz - I'm trying to build my Kolide stack; I cannot work with my certificates. Am getting
W0714 16:29:21.859051 135417856 tls.cpp:100] Cannot read TLS server certificate(s): ~/Desktop/OSQueryTmp/cert.pem
W0714 16:29:21.926555 135417856 tls_enroll.cpp:76] Failed enrollment request to <<Domain>> (Request error: certificate verify failed) retrying...
r
Ryan
07/14/2020, 3:39 PMI had something similar to this when first setting up Fleet, which was because I needed to have the full certificate chain in the pem file. Once I provided the full chain, all intermediate certificates and the root certificate, it all started working again.
j
J Gilmour
07/14/2020, 3:40 PMBelieve I've got the full chain in my .pem file on my local machine.
r
Ryan
07/14/2020, 3:40 PMis it a self-signed cert?
j
J Gilmour
07/14/2020, 3:43 PMletsencrypt
r
Ryan
07/14/2020, 3:44 PMyou may need to include Let’s Encrypt’s root cert at the end of the PEM too
I’m not sure though.
j
J Gilmour
07/14/2020, 3:45 PMwhen running "openssl s_client -connect" against my hostname comes back with
"---
SSL handshake has read 3127 bytes and written 401 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)"
not sure if this has something to do with it.
r
Ryan
07/14/2020, 3:49 PMyeah that suggests it’s not able to verify the full trust chain
you could try appending the X3 intermediate cert and the X1 root cert for Let’s Encrypt to your .pem file and see if that does the trick: https://letsencrypt.org/certificates/
j
J Gilmour
07/14/2020, 3:53 PMAppending: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt to the bottom of my MacBook does nothing
Fleet Server running in AWS - MacBook running locally.
r
Ryan
07/14/2020, 3:54 PMadd the X1 as well so you have the entire chain
you’ll probably need to restart the osquery service too
I’d also check if you can the usual things, like if you can reach Fleet via curl etc
j
J Gilmour
07/14/2020, 3:55 PMcan do all of that etc.
r
Ryan
07/14/2020, 3:55 PMI haven’t rolled it out on macOS myself, so I’m not sure, my experience was various Linux distros
j
J Gilmour
07/14/2020, 3:55 PMNot enjoying this tbh!
r
Ryan
07/14/2020, 3:56 PMto rule out the cert you might try doing an initial proof of concept with a self-signed cert, than it’s just a single cert, shouldn’t be much to go wrong 😄
j
J Gilmour
07/14/2020, 3:57 PMtrue dat!
if this doesn't work Might try that
r
Ryan
07/14/2020, 3:57 PM🤞
worked for me 😂
j
J Gilmour
07/14/2020, 3:58 PMI need a certificate on this - my Macs' are not managed through a core VPN.
Nah, didn't work
r
Ryan
07/14/2020, 3:58 PMwhen I went to productionise it I switched to a wildcard certificate and that’s when I hit this issue and needed the intermediate and root certs appending to the PEM
could be macOS is different here though I haven’t tried it on a Mac yet
j
J Gilmour
07/14/2020, 4:10 PMNah even with a Self signed cert doesn't want to play ball.
Let me check AWS Settings
@Ryan So I think that because I setup an ACM in AWS with my DNS Entry that may have done it.
I'll need to refresh my DNS Cache.
r
Ryan
07/14/2020, 4:14 PMahh interesting
I’ve not used ACM
j
J Gilmour
07/14/2020, 4:19 PMI'll give it ago shortly! Thanks again.
👍 1