#fleet

n0b00de

12/14/2021, 10:23 PM
Hi team, I'm attempting to generate fleet packages with fleetctl using the `--fleet-certificate` flag. The issue I'm facing is that once I attempt to install the package on an endpoint it fails with either of the two errors below (rpm/msi). If I generate the packages with the `--insecure` flag I am able to install the packages on my endpoints successfully. Any suggestions on a direction to troubleshoot this situation?

Lucas Rodriguez

12/14/2021, 10:39 PM
Hi! Could you share the full `fleetctl` command used to generate the installers? Also, please provide the output of `fleetctl --version`.

n0b00de

12/14/2021, 10:57 PM
./fleetctl package --type msi --fleet-url=https://PRIVATE_IP:8080 --enroll-secret=SECRET --fleet-certificate /root/f1eet.pem --debug

Lucas Rodriguez

12/14/2021, 11:05 PM
In the case of rpm, could you check the running processes? (Search for `orbit`.)

n0b00de

12/14/2021, 11:06 PM
So in both cases the packages were not successful in their installation, so no service is ever started. For the rpm you can see the weird "error" I got was just random numbers.

Lucas Rodriguez

12/14/2021, 11:07 PM
OK, @zwass, any ideas? Otherwise I'll try to reproduce tomorrow. (EoD for me.)

n0b00de

12/14/2021, 11:08 PM
No worries, I appreciate the quick response.

Lucas Rodriguez

12/14/2021, 11:08 PM
You could also try with the latest `fleetctl` v4.7.0 (released today).

zwass

12/14/2021, 11:09 PM
Likely has to do with a cert issue, I'd guess, based on it working with the insecure flag.
E.g., does the hostname match the SAN on the cert?

n0b00de

12/14/2021, 11:13 PM
Checking now.

zwass

12/14/2021, 11:15 PM
`fleetctl debug connection` could help.

n0b00de

12/14/2021, 11:22 PM
I'm still researching the SAN, but this is the output of the debug. Should it be this brief? I also see it succeed, then fail.
I am also consistently getting this error when trying to view the SAN details of the pem file, so I'm unsure how to confirm if the SAN matches.

Lucas Rodriguez

12/14/2021, 11:34 PM
Re the i/o timeout, could you check that you can connect to that host:port using other tools (`nc`/`netcat`)?

n0b00de

12/14/2021, 11:36 PM
Files that were deleted
@Lucas Rodriguez yup, will check now, one sec.

Lucas Rodriguez

12/14/2021, 11:39 PM
But as you and Zach said, given that `--insecure` works, it's most likely a cert issue.

n0b00de

12/14/2021, 11:55 PM
Yeah, that's what I figured, I just couldn't place what the issue would be. Downloaded the file as per the UI.
nc did succeed.

Lucas Rodriguez

12/15/2021, 12:19 AM
For our internal deployment of fleet I was able to download the `fleet.pem` and execute the same `openssl` command successfully.
(Try inspecting the `fleet.pem` with a text editor and see if it looks good or there are any newline issues in it.)
Also, try fetching the server_url config and check if it looks good:
$ fleetctl get config --include-server-config
[...]
  server_settings:
    [...]
    server_url: https://...
[...]

n0b00de

12/15/2021, 12:32 AM
Whenever I try to open it with TextEdit or VS Code it just says `undefined`.

Lucas Rodriguez

12/15/2021, 12:51 AM
Mhm... try with `cat fleet.pem`. If it says `undefined`, then please confirm whether a file with that content was provided by fleet's download pem option.
See you tomorrow!

zwass

12/15/2021, 1:21 AM
If `undefined` is the actual contents of the file it's definitely not going to work. There may be some issue with the UI retrieving your server cert. You can just use the cert pem (NOT the private key!) that you provide to the server.

n0b00de

12/15/2021, 1:28 AM
Alrighty, thanks. I've confirmed that downloading the pem from the UI again still says `undefined`.

Lucas Rodriguez

12/15/2021, 12:23 PM
> You can just use the cert pem (NOT the private key!) that you provide to the server.
Hi, let us know if this works.
We'll be tracking this issue here: https://github.com/fleetdm/fleet/issues/3374

n0b00de

12/15/2021, 3:44 PM
I tried this last night using the cert.pem under `/etc/pki/tls/cert.pem`, and the pem that I downloaded from the UI still reads `undefined`.
I should also mention, if this matters, that we are using the dockerized variant of fleet.

Lucas Rodriguez

12/15/2021, 3:52 PM
> You can just use the cert pem (NOT the private key!) that you provide to the server.
By this I think Zach means using the PEM you provide to `fleet serve` in `--server_cert` or `FLEET_SERVER_CERT`.

n0b00de

12/15/2021, 5:34 PM
Ah ok, checking now.
So, two things I noticed: after downloading the cert file from the UI I get this error in the UI.
And secondly, I was able to successfully install the package after using the server.cert in `FLEET_SERVER_CERT`, but the endpoint is not showing up in the fleet UI, though it shows as running.
A good update for the team: we were able to get it successfully installed and showing up in the fleet UI. So I ended up using the server.cert file to generate the package again, this time using the private IP addr in the fleet URL, and it worked. Thanks for all the help team, I appreciate it.

Lucas Rodriguez

12/15/2021, 8:35 PM
Glad to hear this!