zwass
06/10/2022, 12:26 AM
Let's Encrypt is not really feasible because it expires every 3 months and if you have agents going offline etc. when they come back online maybe the cert is expired! Logistical nightmare.

Let's Encrypt actually is feasible despite the rotation issue because the certificate root is included in standard osquery and Orbit packaging, so you don't have to pin to the specific certificate.

Mystery Incorporated
06/10/2022, 12:28 AM

zwass
06/10/2022, 12:29 AM
--fleet-certificate option then it only includes whatever you have in that file (which could be the LE root if you want to allow only LE).

Adam Connor
06/10/2022, 12:31 AM

zwass
06/10/2022, 12:32 AM
--fleet-certificate flag (or --insecure but that is of course not recommended for production)

/var/log/orbit/orbit.stderr.log to see why osquery is sad -- I'd guess you will see certificate verify failed.

Adam Connor
06/10/2022, 12:33 AM

Mystery Incorporated
06/10/2022, 12:33 AM

zwass
06/10/2022, 12:34 AM
--fleet-certificate is absolutely recommended for prod. --insecure is not recommended for prod because it disables certificate validation.

Mystery Incorporated
06/10/2022, 12:34 AM

zwass
06/10/2022, 12:36 AM
--fleet-certificate is not necessary for prod though if you have a cert that's trusted by the roots in that bundle (e.g. commercial CA, AWS ACM, Let's Encrypt, etc.)

Mystery Incorporated
06/10/2022, 12:49 AM