Hi everyone.I have a big problem with TLS certificates. My Fleet is 4.14.0 and Osquery is 5.2.3. Server is Cento7.9.My osquery can't connect to fleet because of certificate issue. The error is certificate verify failed.I tried the method in the official FAQ and the relevant information in the channel, but I still can't solve the problem.Can someone help me

hi there! we might want to move this convo to #fleet could you share the command you used for generating the certificate? also how about the output of the following command

openssl x509 -noout -subject -in yourcert.pem

?

hi my command

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout /tmp/server.key -out /tmp/server.cert -subj "/CN=10.44.243.11"

please take a look at https://fleetdm.com/docs/deploying/server-installation#running-the-fleet-server you seem to be missing defining the subjectAltName

Hello, I am the same person as jamesbhao, I can't use jamesbhao account in the company. I tried what you said, but still the same problem

silly question: was fleet or the load balancer restarted? how are you terminating TLS?

Fleet restarted the service. I simply deleted the old certificate and used the command above to generate a new certificate

ok, is Fleet terminating TLS? or is there a load balancer?

There is no load balancer.

what's the output of the following command:

echo | openssl s_client -showcerts -servername <http://gnupg.org|gnupg.org> -connect 10.44.243.11:8080 2>/dev/null | openssl x509 -inform pem -noout -text

?

[root@szhc-HIDS-ts01 bin]# echo | openssl s_client -showcerts -servername gnupg.org -connect 10.44.243.11:8080 2>/dev/null | openssl x509 -inform pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 07:91:57:9d:e9:52:b2:8e:ee:32:77:47:ba:64:aa🇪🇨34:aa:77:49 Signature Algorithm: sha256WithRSAEncryption Issuer: CN = 10.44.243.11 Validity Not Before: May 26 05:58:46 2022 GMT Not After : May 23 05:58:46 2032 GMT Subject: CN = 10.44.243.11 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:b6:5e:f2:05🇧🇧9d:58:bf:7b:96🇪🇪04:6f:49: 87:17:ba:1a:fd:09:0b:2e:43:03:0e:0f:e5:e0:c9: 33:7a:cb:8d:e4:49:51:5b:79:eb:79:97:60:f7:1d: a1🇦🇩fd:8c:dc🇪🇪73:d7:2b🇦🇪8f:e7:87:8a:48: b3:d1:87:e7:3c:22:93:92:cc:57:4e:55:74:32:3e: d6:00:8b🇦🇫11:42:29:39:74:e8:86:e9:79:12:6c: cb:41:3e:3f:c3:14:13:7d:1c:91:bb:75:9f:00:d2: 6e:4e:d9:43:f9:71:3a:2e:4a:fc:1f:62:4c:2c:55: 71:64:02:4c:92:5e:aa:0b:d9:e5:21:71:35:aa:5e: 10:8a:24:a3:d3:3c:8e:b4:23:e1:8e:73:90:e0:fa: ba:6a:27:e7:d6:27:97:44:44:5a:cb:59:9e:d8:01: d5:08:d0:37:7b:df:ad:04:c8:79:eb:8c:fd:45:cc: 7e:7f:90:27:f8:14:65:29:9d:7d:1e:5a:14:84:f9: b7:8d:35:24:46:72:19:1b:df:ed:ed:47:cc:e0:50: 09:77:f5🇨🇫73:c5:62:a8:03:59:0e:46:9b🆎c2: 96:2f:38:03:6c:36:88:d0:19:66:51:8a:af:00:77: fd:78:a4🇦🇫19:f7:98:5c:ac:75:60:1d:74:64:3f: f1:c0:b0:99:b0:12:76:5f:83:0f:9b:89:27:63:91: 77:c5:41:34:72:a2:fc:60:17:b6:46:04:15:6a:3c: 16:05:d0:c1:f9:55:40:86:63:97:f2:a4:ab:6d:c0: ff🇧🇧6d:2a:bb:75:a4:a9:6d:fe:f5:8a:b4:dc:bb: e7:fd:f8:3e:41:1f:2c:1a:dc:e3:ef:74:4c🇦🇫37: 21:74:91:e1:11:a3:25:46:b0:32:52🇧🇫bb:7c:47: 41:00:59:8e:f4:09:7b:19:32🇦🇪8b:13:d9:fe:9b: e9:aa:31:56:e8:2d:62:92:10:fe:f8🇧🇧d8:bc:2c: fa🇪🇪fe:13:41:e1:78:92:16:a0:85:29:60:30:3f: d0🏎5b:97:03:38:54🇨🇦fb:f2:f0:17:d3:98:2f: 23:f6:e5:25:69:f5:e7:3d:55:2b:45:b4:f5:7c:2f: 33:63:ef:c9:5d:a6:3e:47:99:c7:df:89:66:5a:63: c7:6b:7e:2e:2d:74:ea:95:bb:69:c0:23:3f:0a:20: 43:8f:cc:25:25:8e:92:56:76:33:1f:df:1c:70:e3: ba:b7:bf:43:43🇧🇩72:d3:40:4f:46:2c:13:62:14: e1🏎7a:88:60:51:76:3f:97:36:1d:ce:1c:49:18: e7:f4:28:fc:28:01:11:ef:b8🇨🇦f8:a4:93:c6:4e: 73:63:cf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 67:C2:03😄A:D6:F8:57:A3:82:4C:E8:C9:B9:B5:D2:1B:68:B1:6B:88 X509v3 Authority Key Identifier: keyid:67:C2:03:DA😄6:F8:57:A3:82:4C:E8:C9:B9:B5😄2:1B:68:B1:6B:88 X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Alternative Name: DNS:10.44.244.18 Signature Algorithm: sha256WithRSAEncryption 8f:6d:57:df:e6:b5:82:9d:81:a5:62:3d:eb:ef:c5:9b:89:43: 2b:94:80:0f:49:97:1d:2e:c8:5e:9a:07:fc:36:4c:b9:4e:96: a9:f2:75:a0:48:a7:7d:fe:dd:18:df:06:7d:5f:72:61:1b🇨🇦 1f:60:a4🇧🇦aa:66:35:5b:48:b6:a2:a9:63:30:8f:96:56:aa: d0💿b2:00:01:dc:61:40:eb:9d:3b:98:48:e5:f9:c5:03:5e: 45:98:ea:15:c6:11:aa:09:f8:f5:1d:df:ab:0f:a1🇨🇦f5:3d: 06:c6:3a:0e:ba:63:9c:1f:37:f6:a0:e1:be:0f:28:32:33:2e: 61:43:1c:48:ef:a5:e8:0b:4a:b3:a2:d1:8c:99:48:e3:3f:d1: 10🇦🇩2f:7d:7b:74:5e:0a:89:7f:16🇪🇨e1:9d:5c:db:74:56: 1c:dd:cd🇧🇦1a:06:61:a7:de:a2:b2:c0:79:54:0b:2d:44:dc: d8:77:cd:ac:50:4c:e1🇩🇪7a:53:cd:91:48:19:ac🇨🇦9a:4d: d5:84:b8:79:ca:d2:8c:b7:b0:74:38:07:79:5c:90:49:ec:03: d9:27:2b💿68:b1:41:0f:b7:f2:26:00:2d:8c:98:29:b0:f2: e2:e0:2c:c5:d3:17:d4:84:0a🇨🇦a8:b9:a0:27:43:34:ca:6c: 64:c9:e0:b8:d7:a6:57:fb:bb:fa:e3:20:fa:c3:b1:9b:fa:48: 38:ef:22:59:f5🇧🇩1a:54:c8:8f:64:f6:cd:30:0c🇧🇧eb:58: 4a:2f:62:d9:cf:ff:33:79:1b:5f:28:03:a1:17:87:f5:52:d4: ea:89:21:73:b7:61:97:02:8a:8b:45:48:d6:cb:b9:84:ba:9d: 0d:29:68:3c:9f:05:14🇧🇧bd:2d:db🇪🇨c0:82:7c:c1:a7:0a: a9:f7:3e:b4:6e:96:42🇪🇪3f:1b:4c:dd:5a:07:fc:d3:a5:71: 90:4a:1f:fc:8e:6c:ad:fc:6c:c3:2a:2a:00:4e:79:ce:a8🇦🇩 f7:f6:f1:92:3e:23:5d:47:04:e9:30:0c:ae🇧🇫c1:62:a7:f4: b3:71:9c:69:f6:75:96:55:b1:a1:fa:e6:fb:77:54:e5:7a:45: e6:fb:8d:34:06:d0:e8:a2:d7:a4:b4:81:b0:17:37:03:61:7f: f8:5f:fd:34:38:a1:fd:67:d4:1e:bc:a5:50:f0:06:17:8e:63: eb:b7:d6:a4:00:ed:20:29:ef:e4:d7:fa:57:47:21🇦🇫42:0b: 3c:0e:12:f5:a6:58:f0:08:60:91:39🔟63:7b:1d:28:23:7f: 82:d9:1b:87:62:e5:fe:6b:5f:82:12🏎a5:b4:68:1d:2f:78: 63:df:7f:25:c4:a3:6c:11

I see your certificate has 10.44.244.18 but the CN you defined is 10.44.243.11, I believe those should be the same

Hello, the problem on my side has been solved, and there is a problem with the configuration file of my daemon. Thank you very much for your help here