Hi everyone.I have a big problem with TLS certific...
# generalj
jamesbhao
05/24/2022, 12:31 PMHi everyone.I have a big problem with TLS certificates. My Fleet is 4.14.0 and Osquery is 5.2.3. Server is Cento7.9.My osquery can't connect to fleet because of certificate issue. The error is certificate verify failed.I tried the method in the official FAQ and the relevant information in the channel, but I still can't solve the problem.Can someone help me
t
Tomas Touceda
05/24/2022, 1:24 PMhi there! we might want to move this convo to #fleet
could you share the command you used for generating the certificate? also how about the output of the following command
openssl x509 -noout -subject -in yourcert.pemj
jamesbhao
05/24/2022, 2:40 PMhi my command
Copy code
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout /tmp/server.key -out /tmp/server.cert -subj "/CN=10.44.243.11"t
Tomas Touceda
05/24/2022, 4:50 PMplease take a look at https://fleetdm.com/docs/deploying/server-installation#running-the-fleet-server
you seem to be missing defining the subjectAltName
d
demonbhao
05/25/2022, 4:46 AMHello, I am the same person as jamesbhao, I can't use jamesbhao account in the company. I tried what you said, but still the same problem
t
Tomas Touceda
05/25/2022, 1:06 PMsilly question: was fleet or the load balancer restarted? how are you terminating TLS?
d
demonbhao
05/25/2022, 2:28 PMFleet restarted the service. I simply deleted the old certificate and used the command above to generate a new certificate
t
Tomas Touceda
05/25/2022, 2:37 PMok, is Fleet terminating TLS? or is there a load balancer?
d
demonbhao
05/25/2022, 2:49 PMThere is no load balancer.
demonbhao
05/25/2022, 2:50 PMIs Fleet terminating TLS
t
Tomas Touceda
05/25/2022, 4:49 PMwhat's the output of the following command:
Copy code
echo | openssl s_client -showcerts -servername <http://gnupg.org|gnupg.org> -connect 10.44.243.11:8080 2>/dev/null | openssl x509 -inform pem -noout -textd
demonbhao
05/26/2022, 6:19 AM[root@szhc-HIDS-ts01 bin]# echo | openssl s_client -showcerts -servername gnupg.org -connect 10.44.243.11:8080 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0791579de952b28eee327747ba64aaec34aa77:49
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = 10.44.243.11
Validity
Not Before: May 26 055846 2022 GMT
Not After : May 23 055846 2032 GMT
Subject: CN = 10.44.243.11
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00b65ef205bb9d58bf7b96ee046f49:
8717ba1afd090b2e43030e0fe5e0c9:
337acb8de449515b79eb799760f71d:
a1adfd8cdcee73d72bae8fe7878a48:
b3d187e73c229392cc574e5574323e:
d6008baf1142293974e886e979126c:
cb413e3fc314137d1c91bb759f00d2:
6e4ed943f9713a2e4afc1f624c2c55:
7164024c925eaa0bd9e5217135aa5e:
108a24a3d33c8eb423e18e7390e0fa:
ba6a27e7d6279744445acb599ed801:
d508d0377bdfad04c879eb8cfd45cc:
7e7f9027f81465299d7d1e5a1484f9:
b78d35244672191bdfeded47cce050:
0977f5cf73c562a803590e469b🆎c2:
962f38036c3688d01966518aaf0077:
fd78a4af19f7985cac75601d74643f:
f1c0b099b012765f830f9b89276391:
77c5413472a2fc6017b64604156a3c:
1605d0c1f95540866397f2a4ab6dc0:
ffbb6d2abb75a4a96dfef58ab4dcbb:
e7fdf83e411f2c1adce3ef744caf37:
217491e111a32546b03252bfbb7c47:
4100598ef4097b1932ae8b13d9fe9b:
e9aa3156e82d629210fef8bbd8bc2c:
faeefe1341e1789216a0852960303f:
d0f15b97033854cafbf2f017d3982f:
23f6e52569f5e73d552b45b4f57c2f:
3363efc95da63e4799c7df89665a63:
c76b7e2e2d74ea95bb69c0233f0a20:
438fcc25258e925676331fdf1c70e3:
bab7bf4343bd72d3404f462c136214:
e1f17a886051763f97361dce1c4918:
e7f428fc280111efb8caf8a493c64e:
7363cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
67C203DAD6F857A3824CE8C9B9B5D21B68B16B:88
X509v3 Authority Key Identifier:
keyid67C203DAD6F857A3824CE8C9B9B5D21B68B16B88
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Alternative Name:
DNS:10.44.244.18
Signature Algorithm: sha256WithRSAEncryption
8f6d57dfe6b5829d81a5623debefc59b8943
2b94800f49971d2ec85e9a07fc364cb94e96
a9f275a048a77dfedd18df067d5f72611bca
1f60a4baaa66355b48b6a2a963308f9656aa
d0💿b20001dc6140eb9d3b9848e5f9c5035e
4598ea15c611aa09f8f51ddfab0fa1caf53d
06c63a0eba639c1f37f6a0e1be0f2832332e
61431c48efa5e80b4ab3a2d18c9948e33fd1
10ad2f7d7b745e0a897f16ece19d5cdb7456
1cddcdba1a0661a7dea2b2c079540b2d44dc
d877cdac504ce1🇩🇪7a53cd914819acca9a4d
d584b879cad28cb7b0743807795c9049ec03
d9272b💿68b1410fb7f226002d8c9829b0f2
e2e02cc5d317d4840acaa8b9a0274334ca6c
64c9e0b8d7a657fbbbfae320fac3b19bfa48
38ef2259f5bd1a54c88f64f6cd300cbbeb58
4a2f62d9cfff33791b5f2803a11787f552d4
ea892173b76197028a8b4548d6cbb984ba9d
0d29683c9f0514bbbd2ddbecc0827cc1a70a
a9f73eb46e9642ee3f1b4cdd5a07fcd3a571
904a1ffc8e6cadfc6cc32a2a004e79cea8ad
f7f6f1923e235d4704e9300caebfc162a7f4
b3719c69f6759655b1a1fae6fb7754e57a45
e6fb8d3406d0e8a2d7a4b481b0173703617f
f85ffd3438a1fd67d41ebca550f006178e63
ebb7d6a400ed2029efe4d7fa574721af420b
3c0e12f5a658f00860913910637b1d28237f
82d91b8762e5fe6b5f8212f1a5b4681d2f78
63df7f25c4a36c:11
demonbhao
05/26/2022, 6:20 AMdemonbhao
05/26/2022, 6:38 AM!!!Hi .On a whim I don't use the daemon service and I don't get the certificate verification failed error
demonbhao
05/26/2022, 6:38 AMdemonbhao
05/26/2022, 6:39 AMI have a host successfully enrolled in fleet
demonbhao
05/26/2022, 6:39 AMwhat do you think is the reason for this
demonbhao
05/26/2022, 6:43 AMThe first photos is my osquery.service. The second photos is my osquey.flags. My osquey.conf is null
t
Tomas Touceda
05/26/2022, 12:03 PMI see your certificate has 10.44.244.18 but the CN you defined is 10.44.243.11, I believe those should be the same
d
demonbhao
05/30/2022, 8:59 AMHello, the problem on my side has been solved, and there is a problem with the configuration file of my daemon. Thank you very much for your help here
👍 1
71 Views