Let's Encrypt is not really feasible because it expires every 3 months, and if you have agents going offline etc., when they come back online maybe the cert is expired! Logistical nightmare.
Let's Encrypt actually is feasible despite the rotation issue, because the certificate root is included in standard osquery and Orbit packaging, so you don't have to pin to the specific certificate.
Mystery Incorporated06/10/2022, 12:28 AM
option then it only includes whatever you have in that file (which could be the LE root if you want to allow only LE).
Adam Connor06/10/2022, 12:31 AM
but that is of course not recommended for production)
to see why osquery is sad -- I'd guess you will see
certificate verify failed
Adam Connor06/10/2022, 12:33 AM
Mystery Incorporated06/10/2022, 12:33 AM
is absolutely recommended for prod.
is not recommended for prod because it disables certificate validation.
Mystery Incorporated06/10/2022, 12:34 AM
is not necessary for prod though if you have a cert that's trusted by the roots in that bundle (e.g., commercial CA, AWS ACM, Let's Encrypt, etc.)
Mystery Incorporated06/10/2022, 12:49 AM