# fleet
z
@Adam Connor The best thing to do is to get a legit TLS certificate -- in our reference architecture, we terminate TLS with a load balancer on AWS, using the free certificates from Amazon. Using a certificate from any commercial CA or Let's Encrypt works great as well!
👍 1
Let's Encrypt is not really feasible because it expires every 3 months, and if you have agents going offline etc., when they come back online maybe the cert is expired! Logistical nightmare.
Let's Encrypt actually is feasible despite the rotation issue because the certificate root is included in standard osquery and Orbit packaging, so you don't have to pin to the specific certificate.
m
Ah gotcha, so essentially the fleet.pem that osquery uses is actually the Let's Encrypt root cert?
z
The one we package by default includes LE and a bunch of other CAs -- we actually use the set of roots from Mozilla. If you use the `--fleet-certificate` option then it only includes whatever you have in that file (which could be the LE root if you want to allow only LE).
👍 2
a
Thanks gents, I did build a .pkg and deploy to a couple of test machines and they wouldn't connect to the server, but now I have some guidance I'll re-do it 'properly'.
z
If you're using a self-signed cert you definitely need the `--fleet-certificate` flag (or `--insecure`, but that is of course not recommended for production).
👍 1
You can look in `/var/log/orbit/orbit.stderr.log` to see why osquery is sad -- I'd guess you will see `certificate verify failed`.
👍 1
a
ah, the other shoe drops! Thanks for the extra info, that does explain a lot.
m
I must be using `--fleet-certificate` but I didn't know it wasn't recommended for prod lol
z
Ah sorry, let me try to clarify: `--fleet-certificate` is absolutely recommended for prod. `--insecure` is not recommended for prod because it disables certificate validation.
👍 1
m
Phew, yea, currently I'm deploying a fleet.pem cert which is generated from my own CA on an air-gapped Pi
z
Yeah that sounds good. `--fleet-certificate` is not necessary for prod though if you have a cert that's trusted by the roots in that bundle (e.g. commercial CA, AWS ACM, Let's Encrypt, etc.)
👍 1
m
@zwass yea, seems things have come a long way from when I deployed Fleet. Back then when you clicked enroll it just told you to download the Fleet cert and the secret, but I can see that with the Orbit integration it has become all very point-and-shoot now, which is nice; probably I will switch to Orbit soon.
🎉 2
🙌 1