#general

jamesbhao

05/24/2022, 12:31 PM
Hi everyone. I have a big problem with TLS certificates. My Fleet is 4.14.0 and osquery is 5.2.3. The server is CentOS 7.9. My osquery can't connect to Fleet because of a certificate issue. The error is "certificate verify failed". I tried the method in the official FAQ and the relevant information in the channel, but I still can't solve the problem. Can someone help me?

Tomas Touceda

05/24/2022, 1:24 PM
hi there! we might want to move this convo to #fleet. could you share the command you used for generating the certificate? also, how about the output of the following command:
openssl x509 -noout -subject -in yourcert.pem
?

jamesbhao

05/24/2022, 2:40 PM
hi, my command:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout /tmp/server.key -out /tmp/server.cert -subj "/CN=10.44.243.11"

Tomas Touceda

05/24/2022, 4:50 PM
please take a look at https://fleetdm.com/docs/deploying/server-installation#running-the-fleet-server. you seem to have missed defining the subjectAltName.

demonbhao

05/25/2022, 4:46 AM
Hello, I am the same person as jamesbhao; I can't use the jamesbhao account in the company. I tried what you said, but it is still the same problem.

Tomas Touceda

05/25/2022, 1:06 PM
silly question: was fleet or the load balancer restarted? how are you terminating TLS?
demonbhao

05/25/2022, 2:28 PM
I restarted the Fleet service. I simply deleted the old certificate and used the command above to generate a new certificate.

Tomas Touceda

05/25/2022, 2:37 PM
ok, is Fleet terminating TLS? or is there a load balancer?
demonbhao

05/25/2022, 2:49 PM
There is no load balancer.
Fleet is terminating TLS.

Tomas Touceda

05/25/2022, 4:49 PM
what's the output of the following command:
echo | openssl s_client -showcerts -servername gnupg.org -connect 10.44.243.11:8080 2>/dev/null | openssl x509 -inform pem -noout -text
?

demonbhao

05/26/2022, 6:19 AM
[root@szhc-HIDS-ts01 bin]# echo | openssl s_client -showcerts -servername gnupg.org -connect 10.44.243.11:8080 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0791579de952b28eee327747ba64aaec34aa7749
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 10.44.243.11
        Validity
            Not Before: May 26 05:58:46 2022 GMT
            Not After : May 23 05:58:46 2032 GMT
        Subject: CN = 10.44.243.11
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00b65ef205bb9d58bf7b96ee046f49
                    8717ba1afd090b2e43030e0fe5e0c9
                    337acb8de449515b79eb799760f71d
                    a1adfd8cdcee73d72bae8fe7878a48
                    b3d187e73c229392cc574e5574323e
                    d6008baf1142293974e886e979126c
                    cb413e3fc314137d1c91bb759f00d2
                    6e4ed943f9713a2e4afc1f624c2c55
                    7164024c925eaa0bd9e5217135aa5e
                    108a24a3d33c8eb423e18e7390e0fa
                    ba6a27e7d6279744445acb599ed801
                    d508d0377bdfad04c879eb8cfd45cc
                    7e7f9027f81465299d7d1e5a1484f9
                    b78d35244672191bdfeded47cce050
                    0977f5cf73c562a803590e469babc2
                    962f38036c3688d01966518aaf0077
                    fd78a4af19f7985cac75601d74643f
                    f1c0b099b012765f830f9b89276391
                    77c5413472a2fc6017b64604156a3c
                    1605d0c1f95540866397f2a4ab6dc0
                    ffbb6d2abb75a4a96dfef58ab4dcbb
                    e7fdf83e411f2c1adce3ef744caf37
                    217491e111a32546b03252bfbb7c47
                    4100598ef4097b1932ae8b13d9fe9b
                    e9aa3156e82d629210fef8bbd8bc2c
                    faeefe1341e1789216a0852960303f
                    d0f15b97033854cafbf2f017d3982f
                    23f6e52569f5e73d552b45b4f57c2f
                    3363efc95da63e4799c7df89665a63
                    c76b7e2e2d74ea95bb69c0233f0a20
                    438fcc25258e925676331fdf1c70e3
                    bab7bf4343bd72d3404f462c136214
                    e1f17a886051763f97361dce1c4918
                    e7f428fc280111efb8caf8a493c64e
                    7363cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                67C203DAD6F857A3824CE8C9B9B5D21B68B16B88
            X509v3 Authority Key Identifier:
                keyid:67C203DAD6F857A3824CE8C9B9B5D21B68B16B88
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:10.44.244.18
    Signature Algorithm: sha256WithRSAEncryption
         8f6d57dfe6b5829d81a5623debefc59b8943
         2b94800f49971d2ec85e9a07fc364cb94e96
         a9f275a048a77dfedd18df067d5f72611bca
         1f60a4baaa66355b48b6a2a963308f9656aa
         d0cdb20001dc6140eb9d3b9848e5f9c5035e
         4598ea15c611aa09f8f51ddfab0fa1caf53d
         06c63a0eba639c1f37f6a0e1be0f2832332e
         61431c48efa5e80b4ab3a2d18c9948e33fd1
         10ad2f7d7b745e0a897f16ece19d5cdb7456
         1cddcdba1a0661a7dea2b2c079540b2d44dc
         d877cdac504ce1de7a53cd914819acca9a4d
         d584b879cad28cb7b0743807795c9049ec03
         d9272bcd68b1410fb7f226002d8c9829b0f2
         e2e02cc5d317d4840acaa8b9a0274334ca6c
         64c9e0b8d7a657fbbbfae320fac3b19bfa48
         38ef2259f5bd1a54c88f64f6cd300cbbeb58
         4a2f62d9cfff33791b5f2803a11787f552d4
         ea892173b76197028a8b4548d6cbb984ba9d
         0d29683c9f0514bbbd2ddbecc0827cc1a70a
         a9f73eb46e9642ee3f1b4cdd5a07fcd3a571
         904a1ffc8e6cadfc6cc32a2a004e79cea8ad
         f7f6f1923e235d4704e9300caebfc162a7f4
         b3719c69f6759655b1a1fae6fb7754e57a45
         e6fb8d3406d0e8a2d7a4b481b0173703617f
         f85ffd3438a1fd67d41ebca550f006178e63
         ebb7d6a400ed2029efe4d7fa574721af420b
         3c0e12f5a658f00860913910637b1d28237f
         82d91b8762e5fe6b5f8212f1a5b4681d2f78
         63df7f25c4a36c11
Hi. On a whim I didn't use the daemon service, and I don't get the "certificate verification failed" error.
I have a host successfully enrolled in Fleet.
What do you think is the reason for this?
The first photo is my osquery.service. The second photo is my osquery.flags. My osquery.conf is null.

Tomas Touceda

05/26/2022, 12:03 PM
I see your certificate has 10.44.244.18 in the SAN, but the CN you defined is 10.44.243.11. I believe those should be the same.

demonbhao

05/30/2022, 8:59 AM
Hello, the problem on my side has been solved; there was a problem with the configuration file of my daemon. Thank you very much for your help here.