Hi everyone I have a big problem with TLS certificates My Fl

Question

Hi everyone I have a big problem with TLS certificates My Fleet is 4 14 0 and Osquery is 5 2 3 Server is Cento7 9 My osquery can t connect to fleet because of certificate issue The error is certificate verify failed I tried the method in the official FAQ and the relevant information in the channel but I still can t solve the problem Can someone help me

Tomas Touceda · Answer

hi there we might want to move this convo to < C01DXJL16D8|fleet> could you share the command you used for generating the certificate also how about the output of the following command `openssl x509 noout subject in yourcert pem`

jamesbhao · Answer

hi my command ```openssl req x509 newkey rsa 4096 sha256 days 3650 nodes keyout tmp server key out tmp server cert subj CN=10 44 243 11 ```

Tomas Touceda · Answer

please take a look at <https fleetdm com docs deploying server installation running the fleet server> you seem to be missing defining the subjectAltName

demonbhao · Answer

Hello I am the same person as jamesbhao I can t use jamesbhao account in the company I tried what you said but still the same problem

Tomas Touceda · Answer

silly question was fleet or the load balancer restarted how are you terminating TLS

demonbhao · Answer

Fleet restarted the service I simply deleted the old certificate and used the command above to generate a new certificate

Tomas Touceda · Answer

ok is Fleet terminating TLS or is there a load balancer

demonbhao · Answer

There is no load balancer

demonbhao · Answer

Is Fleet terminating TLS

Tomas Touceda · Answer

what s the output of the following command ```echo | openssl s client showcerts servername <http gnupg org|gnupg org> connect 10 44 243 11 8080 2 gt dev null | openssl x509 inform pem noout text```

demonbhao · Answer

root szhc HIDS ts01 bin echo | openssl s client showcerts servername <http gnupg org|gnupg org> connect 10 44 243 11 8080 2 gt dev null | openssl x509 inform pem noout text Certificate Data Version 3 0x2 Serial Number 07 91 57 9d e9 52 b2 8e ee 32 77 47 ba 64 aa ec 34 aa 77 49 Signature Algorithm sha256WithRSAEncryption Issuer CN = 10 44 243 11 Validity Not Before May 26 05 58 46 2022 GMT Not After May 23 05 58 46 2032 GMT Subject CN = 10 44 243 11 Subject Public Key Info Public Key Algorithm rsaEncryption RSA Public Key 4096 bit Modulus 00 b6 5e f2 05 bb 9d 58 bf 7b 96 ee 04 6f 49 87 17 ba 1a fd 09 0b 2e 43 03 0e 0f e5 e0 c9 33 7a cb 8d e4 49 51 5b 79 eb 79 97 60 f7 1d a1 ad fd 8c dc ee 73 d7 2b ae 8f e7 87 8a 48 b3 d1 87 e7 3c 22 93 92 cc 57 4e 55 74 32 3e d6 00 8b af 11 42 29 39 74 e8 86 e9 79 12 6c cb 41 3e 3f c3 14 13 7d 1c 91 bb 75 9f 00 d2 6e 4e d9 43 f9 71 3a 2e 4a fc 1f 62 4c 2c 55 71 64 02 4c 92 5e aa 0b d9 e5 21 71 35 aa 5e 10 8a 24 a3 d3 3c 8e b4 23 e1 8e 73 90 e0 fa ba 6a 27 e7 d6 27 97 44 44 5a cb 59 9e d8 01 d5 08 d0 37 7b df ad 04 c8 79 eb 8c fd 45 cc 7e 7f 90 27 f8 14 65 29 9d 7d 1e 5a 14 84 f9 b7 8d 35 24 46 72 19 1b df ed ed 47 cc e0 50 09 77 f5 cf 73 c5 62 a8 03 59 0e 46 9b ab c2 96 2f 38 03 6c 36 88 d0 19 66 51 8a af 00 77 fd 78 a4 af 19 f7 98 5c ac 75 60 1d 74 64 3f f1 c0 b0 99 b0 12 76 5f 83 0f 9b 89 27 63 91 77 c5 41 34 72 a2 fc 60 17 b6 46 04 15 6a 3c 16 05 d0 c1 f9 55 40 86 63 97 f2 a4 ab 6d c0 ff bb 6d 2a bb 75 a4 a9 6d fe f5 8a b4 dc bb e7 fd f8 3e 41 1f 2c 1a dc e3 ef 74 4c af 37 21 74 91 e1 11 a3 25 46 b0 32 52 bf bb 7c 47 41 00 59 8e f4 09 7b 19 32 ae 8b 13 d9 fe 9b e9 aa 31 56 e8 2d 62 92 10 fe f8 bb d8 bc 2c fa ee fe 13 41 e1 78 92 16 a0 85 29 60 30 3f d0 f1 5b 97 03 38 54 ca fb f2 f0 17 d3 98 2f 23 f6 e5 25 69 f5 e7 3d 55 2b 45 b4 f5 7c 2f 33 63 ef c9 5d a6 3e 47 99 c7 df 89 66 5a 63 c7 6b 7e 2e 2d 74 ea 95 bb 69 c0 23 3f 0a 20 43 8f cc 25 25 8e 92 56 76 33 1f df 1c 70 e3 ba b7 bf 43 43 bd 72 d3 40 4f 46 2c 13 62 14 e1 f1 7a 88 60 51 76 3f 97 36 1d ce 1c 49 18 e7 f4 28 fc 28 01 11 ef b8 ca f8 a4 93 c6 4e 73 63 cf Exponent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier 67 C2 03 DA D6 F8 57 A3 82 4C E8 C9 B9 B5 D2 1B 68 B1 6B 88 X509v3 Authority Key Identifier keyid 67 C2 03 DA D6 F8 57 A3 82 4C E8 C9 B9 B5 D2 1B 68 B1 6B 88 X509v3 Basic Constraints critical CA TRUE X509v3 Subject Alternative Name DNS 10 44 244 18 Signature Algorithm sha256WithRSAEncryption 8f 6d 57 df e6 b5 82 9d 81 a5 62 3d eb ef c5 9b 89 43 2b 94 80 0f 49 97 1d 2e c8 5e 9a 07 fc 36 4c b9 4e 96 a9 f2 75 a0 48 a7 7d fe dd 18 df 06 7d 5f 72 61 1b ca 1f 60 a4 ba aa 66 35 5b 48 b6 a2 a9 63 30 8f 96 56 aa d0 cd b2 00 01 dc 61 40 eb 9d 3b 98 48 e5 f9 c5 03 5e 45 98 ea 15 c6 11 aa 09 f8 f5 1d df ab 0f a1 ca f5 3d 06 c6 3a 0e ba 63 9c 1f 37 f6 a0 e1 be 0f 28 32 33 2e 61 43 1c 48 ef a5 e8 0b 4a b3 a2 d1 8c 99 48 e3 3f d1 10 ad 2f 7d 7b 74 5e 0a 89 7f 16 ec e1 9d 5c db 74 56 1c dd cd ba 1a 06 61 a7 de a2 b2 c0 79 54 0b 2d 44 dc d8 77 cd ac 50 4c e1 de 7a 53 cd 91 48 19 ac ca 9a 4d d5 84 b8 79 ca d2 8c b7 b0 74 38 07 79 5c 90 49 ec 03 d9 27 2b cd 68 b1 41 0f b7 f2 26 00 2d 8c 98 29 b0 f2 e2 e0 2c c5 d3 17 d4 84 0a ca a8 b9 a0 27 43 34 ca 6c 64 c9 e0 b8 d7 a6 57 fb bb fa e3 20 fa c3 b1 9b fa 48 38 ef 22 59 f5 bd 1a 54 c8 8f 64 f6 cd 30 0c bb eb 58 4a 2f 62 d9 cf ff 33 79 1b 5f 28 03 a1 17 87 f5 52 d4 ea 89 21 73 b7 61 97 02 8a 8b 45 48 d6 cb b9 84 ba 9d 0d 29 68 3c 9f 05 14 bb bd 2d db ec c0 82 7c c1 a7 0a a9 f7 3e b4 6e 96 42 ee 3f 1b 4c dd 5a 07 fc d3 a5 71 90 4a 1f fc 8e 6c ad fc 6c c3 2a 2a 00 4e 79 ce a8 ad f7 f6 f1 92 3e 23 5d 47 04 e9 30 0c ae bf c1 62 a7 f4 b3 71 9c 69 f6 75 96 55 b1 a1 fa e6 fb 77 54 e5 7a 45 e6 fb 8d 34 06 d0 e8 a2 d7 a4 b4 81 b0 17 37 03 61 7f f8 5f fd 34 38 a1 fd 67 d4 1e bc a5 50 f0 06 17 8e 63 eb b7 d6 a4 00 ed 20 29 ef e4 d7 fa 57 47 21 af 42 0b 3c 0e 12 f5 a6 58 f0 08 60 91 39 10 63 7b 1d 28 23 7f 82 d9 1b 87 62 e5 fe 6b 5f 82 12 f1 a5 b4 68 1d 2f 78 63 df 7f 25 c4 a3 6c 11

demonbhao · Answer

Hi On a whim I don t use the daemon service and I don t get the certificate verification failed error

demonbhao · Answer

I have a host successfully enrolled in fleet

demonbhao · Answer

what do you think is the reason for this

demonbhao · Answer

The first photos is my osquery service The second photos is my osquey flags My osquey conf is null

Tomas Touceda · Answer

I see your certificate has 10 44 244 18 but the CN you defined is 10 44 243 11 I believe those should be the same

demonbhao · Answer

Hello the problem on my side has been solved and there is a problem with the configuration file of my daemon Thank you very much for your help here