#fleet
Mystery Incorporated
06/10/2022, 12:24 AM
message has been deleted
zwass
06/10/2022, 12:26 AM
@Adam Connor The best thing to do is to get a legit TLS certificate -- in our reference architecture, we terminate TLS with a load balancer on AWS, using the free certificates from Amazon. Using a certificate from any commercial CA or Let's Encrypt works great as well!
12:27 AM
Let's Encrypt is not really feasible because it expires every 3 months, and if you have agents going offline etc., when they come back online maybe the cert is expired! Logistical nightmare.
Let's Encrypt actually is feasible despite the rotation issue because the certificate root is included in standard osquery and Orbit packaging, so you don't have to pin to the specific certificate.
Mystery Incorporated
06/10/2022, 12:28 AM
Ah gotcha, so essentially the fleet.pem that osquery uses is actually the Let's Encrypt root cert?
zwass
06/10/2022, 12:29 AM
The one we package by default includes LE and a bunch of other CAs -- we actually use the set of roots from Mozilla. If you use the `--fleet-certificate` option then it only includes whatever you have in that file (which could be the LE root if you want to allow only LE).
Adam Connor
06/10/2022, 12:31 AM
Thanks, gents. I did build a .pkg and deploy it to a couple of test machines and they wouldn't connect to the server, but now I have some guidance I'll redo it 'properly'.
zwass
06/10/2022, 12:32 AM
If you're using a self-signed cert you definitely need the `--fleet-certificate` flag (or `--insecure`, but that is of course not recommended for production).
12:33 AM
You can look in `/var/log/orbit/orbit.stderr.log` to see why osquery is sad -- I'd guess you will see `certificate verify failed`.
Adam Connor
06/10/2022, 12:33 AM
Ah, the other shoe drops! Thanks for the extra info, that does explain a lot.
Mystery Incorporated
06/10/2022, 12:33 AM
I must be using `--fleet-certificate`, but I didn't know it wasn't recommended for prod lol
zwass
06/10/2022, 12:34 AM
Ah sorry, let me try to clarify
12:34 AM
`--fleet-certificate` is absolutely recommended for prod. `--insecure` is not recommended for prod because it disables certificate validation.
Mystery Incorporated
06/10/2022, 12:34 AM
Phew, yeah, currently I'm deploying the fleet.pem cert, which is generated from my own CA on an air-gapped Pi.
zwass
06/10/2022, 12:36 AM
Yeah that sounds good
12:36 AM
`--fleet-certificate` is not necessary for prod though if you have a cert that's trusted by the roots in that bundle (e.g. commercial CA, AWS ACM, Let's Encrypt, etc.)
Mystery Incorporated
06/10/2022, 12:49 AM
@zwass Yeah, it seems things have come a long way from when I deployed Fleet. Back then, when you clicked enroll it just told you to download the fleet cert and the secret, but I can see that with the Orbit integration it has become all very point-and-shoot now, which is nice. Probably I will switch to Orbit soon.