@Adam Connor The best thing to do is to get a legit TLS certificate -- in our reference architecture, we terminate TLS with a load balancer on AWS, using the free certificates from Amazon. Using a certificate from any commercial CA or Let's Encrypt works great as well!

Ah gotcha, so essentially the fleet.pem that OSquery uses is actually the Let’s Encrypt root cert?

The one we package by default includes LE and a bunch of other CAs -- we actually use the set of roots from Mozilla. If you use the

--fleet-certificate

option then it only includes whatever you have in that file (which could be the LE root if you want to allow only LE).

thanks Gents, I did build a .pkg and deploy to a couple of test machines and they wouldn’t connect to the Server, but now I have some guidance I’ll re-do it ‘properly’.

If you're using a self-signed cert you definitely need the

--fleet-certificate

flag (or

--insecure

but that is of course not recommended for production)

ah, the other shoe drops! Thanks for the extra info, that does explain a lot.

I must be using --fleet-certificate but I didn’t know it wasn’t recommended for prod lol

Ah sorry, let me try to clarify

Phew, yea currently I’m deploying fleet.pem cert which is generated from my own CA on an air gapped Pi

Yeah that sounds good

@zwass yea seems things have come a long way from when I deployed fleet. back then when you clicked enroll it just told you to download the fleet cert and the secret but I can see that with the orbit integration it has become all very point and shoot now which is nice, probably i will switch to orbit soon.