https://github.com/osquery/osquery logo
Title
j

jamesbhao

05/24/2022, 12:31 PM
Hi everyone.I have a big problem with TLS certificates. My Fleet is 4.14.0 and Osquery is 5.2.3. Server is Cento7.9.My osquery can't connect to fleet because of certificate issue. The error is certificate verify failed.I tried the method in the official FAQ and the relevant information in the channel, but I still can't solve the problem.Can someone help me
t

Tomas Touceda

05/24/2022, 1:24 PM
hi there! we might want to move this convo to #fleet could you share the command you used for generating the certificate? also how about the output of the following command
openssl x509 -noout -subject -in yourcert.pem
?
j

jamesbhao

05/24/2022, 2:40 PM
hi my command
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout /tmp/server.key -out /tmp/server.cert -subj "/CN=10.44.243.11"
t

Tomas Touceda

05/24/2022, 4:50 PM
please take a look at https://fleetdm.com/docs/deploying/server-installation#running-the-fleet-server you seem to be missing defining the subjectAltName
d

demonbhao

05/25/2022, 4:46 AM
Hello, I am the same person as jamesbhao, I can't use jamesbhao account in the company. I tried what you said, but still the same problem
t

Tomas Touceda

05/25/2022, 1:06 PM
silly question: was fleet or the load balancer restarted? how are you terminating TLS?
d

demonbhao

05/25/2022, 2:28 PM
Fleet restarted the service. I simply deleted the old certificate and used the command above to generate a new certificate
t

Tomas Touceda

05/25/2022, 2:37 PM
ok, is Fleet terminating TLS? or is there a load balancer?
d

demonbhao

05/25/2022, 2:49 PM
There is no load balancer.
Is Fleet terminating TLS
t

Tomas Touceda

05/25/2022, 4:49 PM
what's the output of the following command:
echo | openssl s_client -showcerts -servername <http://gnupg.org|gnupg.org> -connect 10.44.243.11:8080 2>/dev/null | openssl x509 -inform pem -noout -text
?
d

demonbhao

05/26/2022, 6:19 AM
[root@szhc-HIDS-ts01 bin]# echo | openssl s_client -showcerts -servername gnupg.org -connect 10.44.243.11:8080 2>/dev/null | openssl x509 -inform pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 07:91:57:9d:e9:52:b2:8e:ee:32:77:47:ba:64:aa🇪🇨34:aa:77:49 Signature Algorithm: sha256WithRSAEncryption Issuer: CN = 10.44.243.11 Validity Not Before: May 26 05:58:46 2022 GMT Not After : May 23 05:58:46 2032 GMT Subject: CN = 10.44.243.11 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:b6:5e:f2:05🇧🇧9d:58:bf:7b:96🇪🇪04:6f:49: 87:17:ba:1a:fd:09:0b:2e:43:03:0e:0f:e5:e0:c9: 33:7a:cb:8d:e4:49:51:5b:79:eb:79:97:60:f7:1d: a1🇦🇩fd:8c:dc🇪🇪73:d7:2b🇦🇪8f:e7:87:8a:48: b3:d1:87:e7:3c:22:93:92:cc:57:4e:55:74:32:3e: d6:00:8b🇦🇫11:42:29:39:74:e8:86:e9:79:12:6c: cb:41:3e:3f:c3:14:13:7d:1c:91:bb:75:9f:00:d2: 6e:4e:d9:43:f9:71:3a:2e:4a:fc:1f:62:4c:2c:55: 71:64:02:4c:92:5e:aa:0b:d9:e5:21:71:35:aa:5e: 10:8a:24:a3:d3:3c:8e:b4:23:e1:8e:73:90:e0:fa: ba:6a:27:e7:d6:27:97:44:44:5a:cb:59:9e:d8:01: d5:08:d0:37:7b:df:ad:04:c8:79:eb:8c:fd:45:cc: 7e:7f:90:27:f8:14:65:29:9d:7d:1e:5a:14:84:f9: b7:8d:35:24:46:72:19:1b:df:ed:ed:47:cc:e0:50: 09:77:f5🇨🇫73:c5:62:a8:03:59:0e:46:9b🆎c2: 96:2f:38:03:6c:36:88:d0:19:66:51:8a:af:00:77: fd:78:a4🇦🇫19:f7:98:5c:ac:75:60:1d:74:64:3f: f1:c0:b0:99:b0:12:76:5f:83:0f:9b:89:27:63:91: 77:c5:41:34:72:a2:fc:60:17:b6:46:04:15:6a:3c: 16:05:d0:c1:f9:55:40:86:63:97:f2:a4:ab:6d:c0: ff🇧🇧6d:2a:bb:75:a4:a9:6d:fe:f5:8a:b4:dc:bb: e7:fd:f8:3e:41:1f:2c:1a:dc:e3:ef:74:4c🇦🇫37: 21:74:91:e1:11:a3:25:46:b0:32:52🇧🇫bb:7c:47: 41:00:59:8e:f4:09:7b:19:32🇦🇪8b:13:d9:fe:9b: e9:aa:31:56:e8:2d:62:92:10:fe:f8🇧🇧d8:bc:2c: fa🇪🇪fe:13:41:e1:78:92:16:a0:85:29:60:30:3f: d0🏎5b:97:03:38:54🇨🇦fb:f2:f0:17:d3:98:2f: 23:f6:e5:25:69:f5:e7:3d:55:2b:45:b4:f5:7c:2f: 33:63:ef:c9:5d:a6:3e:47:99:c7:df:89:66:5a:63: c7:6b:7e:2e:2d:74:ea:95:bb:69:c0:23:3f:0a:20: 43:8f:cc:25:25:8e:92:56:76:33:1f:df:1c:70:e3: ba:b7:bf:43:43🇧🇩72:d3:40:4f:46:2c:13:62:14: e1🏎7a:88:60:51:76:3f:97:36:1d:ce:1c:49:18: e7:f4:28:fc:28:01:11:ef:b8🇨🇦f8:a4:93:c6:4e: 73:63:cf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 67:C2:03😄A:D6:F8:57:A3:82:4C:E8:C9:B9:B5:D2:1B:68:B1:6B:88 X509v3 Authority Key Identifier: keyid:67:C2:03:DA😄6:F8:57:A3:82:4C:E8:C9:B9:B5😄2:1B:68:B1:6B:88 X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Alternative Name: DNS:10.44.244.18 Signature Algorithm: sha256WithRSAEncryption 8f:6d:57:df:e6:b5:82:9d:81:a5:62:3d:eb:ef:c5:9b:89:43: 2b:94:80:0f:49:97:1d:2e:c8:5e:9a:07:fc:36:4c:b9:4e:96: a9:f2:75:a0:48:a7:7d:fe:dd:18:df:06:7d:5f:72:61:1b🇨🇦 1f:60:a4🇧🇦aa:66:35:5b:48:b6:a2:a9:63:30:8f:96:56:aa: d0💿b2:00:01:dc:61:40:eb:9d:3b:98:48:e5:f9:c5:03:5e: 45:98:ea:15:c6:11:aa:09:f8:f5:1d:df:ab:0f:a1🇨🇦f5:3d: 06:c6:3a:0e:ba:63:9c:1f:37:f6:a0:e1:be:0f:28:32:33:2e: 61:43:1c:48:ef:a5:e8:0b:4a:b3:a2:d1:8c:99:48:e3:3f:d1: 10🇦🇩2f:7d:7b:74:5e:0a:89:7f:16🇪🇨e1:9d:5c:db:74:56: 1c:dd:cd🇧🇦1a:06:61:a7:de:a2:b2:c0:79:54:0b:2d:44:dc: d8:77:cd:ac:50:4c:e1🇩🇪7a:53:cd:91:48:19:ac🇨🇦9a:4d: d5:84:b8:79:ca:d2:8c:b7:b0:74:38:07:79:5c:90:49:ec:03: d9:27:2b💿68:b1:41:0f:b7:f2:26:00:2d:8c:98:29:b0:f2: e2:e0:2c:c5:d3:17:d4:84:0a🇨🇦a8:b9:a0:27:43:34:ca:6c: 64:c9:e0:b8:d7:a6:57:fb:bb:fa:e3:20:fa:c3:b1:9b:fa:48: 38:ef:22:59:f5🇧🇩1a:54:c8:8f:64:f6:cd:30:0c🇧🇧eb:58: 4a:2f:62:d9:cf:ff:33:79:1b:5f:28:03:a1:17:87:f5:52:d4: ea:89:21:73:b7:61:97:02:8a:8b:45:48:d6:cb:b9:84:ba:9d: 0d:29:68:3c:9f:05:14🇧🇧bd:2d:db🇪🇨c0:82:7c:c1:a7:0a: a9:f7:3e:b4:6e:96:42🇪🇪3f:1b:4c:dd:5a:07:fc:d3:a5:71: 90:4a:1f:fc:8e:6c:ad:fc:6c:c3:2a:2a:00:4e:79:ce:a8🇦🇩 f7:f6:f1:92:3e:23:5d:47:04:e9:30:0c:ae🇧🇫c1:62:a7:f4: b3:71:9c:69:f6:75:96:55:b1:a1:fa:e6:fb:77:54:e5:7a:45: e6:fb:8d:34:06:d0:e8:a2:d7:a4:b4:81:b0:17:37:03:61:7f: f8:5f:fd:34:38:a1:fd:67:d4:1e:bc:a5:50:f0:06:17:8e:63: eb:b7:d6:a4:00:ed:20:29:ef:e4:d7:fa:57:47:21🇦🇫42:0b: 3c:0e:12:f5:a6:58:f0:08:60:91:39🔟63:7b:1d:28:23:7f: 82:d9:1b:87:62:e5:fe:6b:5f:82:12🏎a5:b4:68:1d:2f:78: 63:df:7f:25:c4:a3:6c:11
!!!Hi .On a whim I don't use the daemon service and I don't get the certificate verification failed error
I have a host successfully enrolled in fleet
what do you think is the reason for this
The first photos is my osquery.service. The second photos is my osquey.flags. My osquey.conf is null
t

Tomas Touceda

05/26/2022, 12:03 PM
I see your certificate has 10.44.244.18 but the CN you defined is 10.44.243.11, I believe those should be the same
d

demonbhao

05/30/2022, 8:59 AM
Hello, the problem on my side has been solved, and there is a problem with the configuration file of my daemon. Thank you very much for your help here
👍 1