Channels
#fleet
Title
n
n0b00de
12/14/2021, 10:23 PMHi team I'm attempting to generate fleet packages with fleetctl using the
--flee-certificate--insecurel
Lucas Rodriguez
12/14/2021, 10:39 PMHi! Could you share the full
fleetctlfleetctl --versionn
n0b00de
12/14/2021, 10:57 PM Copy code
./fleetctl package --type msi --fleet-url=<https://PRIVATE_IP:8080> --enroll-secret=SECRET --fleet-certificate /root/f1eet.pem --debugl
Lucas Rodriguez
12/14/2021, 11:05 PMIn the case of rpm, could you check the running processes? (search for
orbitn
n0b00de
12/14/2021, 11:06 PMso in both cases the packages were not successful in their installation so no service is ever started. For the rpm you can see the weird "error" i got was just random numbers
l
Lucas Rodriguez
12/14/2021, 11:07 PMOK, @zwass Any ideas? Otherwise I'll try to reproduce tomorrow. (EoD for me.)
n
n0b00de
12/14/2021, 11:08 PMno worries I appreciate the quick response
l
Lucas Rodriguez
12/14/2021, 11:08 PMYou could also try with the latest
fleetctlv4.7.0❤️ 1
z
zwass
12/14/2021, 11:09 PM
Likely has to do with a cert issue I'd guess based on it working with the insecure flag.
Eg, does the hostname match the SAN on the cert?
n
n0b00de
12/14/2021, 11:13 PMchecking now
z
zwass
12/14/2021, 11:15 PM
fleetctl debug connectionn
n0b00de
12/14/2021, 11:22 PMIm still researching the SAN but this is the output of the debug. Should it be this brief? I also see it succeed then fail
I am also consistently getting this error when trying to view the SAN details of the pem file. So unsure how to confirm if the SAN matches
l
Lucas Rodriguez
12/14/2021, 11:34 PMRe i/o timeout, could you check you can connect to such host:port using other tools (
nc/netcatn
n0b00de
12/14/2021, 11:36 PMFiled that were delted
@Lucas Rodriguez yup will check now one sec
l
Lucas Rodriguez
12/14/2021, 11:39 PMBut as you and Zach said, given that
--insecure💯 1
n
n0b00de
12/14/2021, 11:55 PMYea thats what I figured just couldn't place what would be the issue. Downloaded the file as per the UI.
nc did succeed
l
Lucas Rodriguez
12/15/2021, 12:19 AMFor our internal deployment of fleet I was able to download the
fleet.pemopenssl(Try inspecting the
fleet.pemAlso, try fetching the server_url config and check if it looks good:
$ fleetctl get config --include-server-config Copy code
[...]
server_settings:
[...]
server_url: https://...
[...]n
n0b00de
12/15/2021, 12:32 AMWhenever I try to open with textedit or vs code it just says
undefinedl
Lucas Rodriguez
12/15/2021, 12:51 AMMhm... try with
cat fleet.pemIf it says
undefinedSee you tomorrow!
z
zwass
12/15/2021, 1:21 AM
If
undefinedn
n0b00de
12/15/2021, 1:28 AMAlrighty thanks I've confirmed downloading the pem from the UI again still says
undefinedl
Lucas Rodriguez
12/15/2021, 12:23 PMYou can just use the cert pem (NOT the private key!) that you provide to the server.Hi Let us know if this works.
We'll be tracking this issue here: https://github.com/fleetdm/fleet/issues/3374
❤️ 1
n
n0b00de
12/15/2021, 3:44 PMI tried this last night using the cert.pem under
/etc/pki/tls/cert.pemundefinedI should also mention if this matters we are using the dockerized variant of fleet
l
Lucas Rodriguez
12/15/2021, 3:52 PMYou can just use the cert pem (NOT the private key!) that you provide to the server.By this I think Zach means using the PEM you provide to
fleet serve--server_certFLEET_SERVER_CERT➕ 1
n
n0b00de
12/15/2021, 5:34 PMah ok checking now
So two things I noticed after downloading the cert file from the UI i get this error in the UI
And secondly I was able to successfully install the package after using the server.cert in
FLEET_SERVER_CERTA good update for the team we were able to get it successfully installed and showing up in the fleet UI. So I ended up using the server.cert file to generate the package again this time using the private IP addr in the fleetURL and it worked. Thanks for all the help team I appreciate it
👍 2
l
Lucas Rodriguez
12/15/2021, 8:35 PMGlad to hear this!
2 Views