# fleet
n
Hi team, I'm attempting to generate fleet packages with fleetctl using the
--fleet-certificate
flag the issue I'm facing is that once I attempt to install the package on an endpoint it fails with either of the two errors below (rpm/msi). If I generate the packages with the
--insecure
flag I am able to install the packages on my endpoints successfully. Any suggestions on a direction to troubleshoot this situation?
l
Hi! Could you share the full
fleetctl
command used to generate the installers, and also please provide the output of
fleetctl --version
.
n
./fleetctl package --type msi --fleet-url=https://PRIVATE_IP:8080 --enroll-secret=SECRET --fleet-certificate /root/f1eet.pem --debug
l
In the case of rpm, could you check the running processes? (search for
orbit
)
n
So in both cases the packages were not successful in their installation, so no service is ever started. For the rpm you can see the weird "error" I got was just random numbers.
l
OK, @zwass Any ideas? Otherwise I'll try to reproduce tomorrow. (EoD for me.)
n
no worries I appreciate the quick response
l
You could also try with the latest
fleetctl
v4.7.0
(released today).
z
Likely has to do with a cert issue I'd guess based on it working with the insecure flag.
E.g., does the hostname match the SAN on the cert?
n
checking now
z
fleetctl debug connection
could help
n
I'm still researching the SAN, but this is the output of the debug. Should it be this brief? I also see it succeed, then fail.
I am also consistently getting this error when trying to view the SAN details of the pem file. So unsure how to confirm if the SAN matches
l
Re i/o timeout, could you check you can connect to such host:port using other tools (
nc/netcat
)?
n
Files that were deleted
@Lucas Rodriguez yup will check now one sec
l
But as you and Zach said, given that
--insecure
works, it's most likely a cert issue.
n
Yea, that's what I figured, just couldn't place what would be the issue. Downloaded the file as per the UI.
nc did succeed
l
For our internal deployment of fleet I was able to download the
fleet.pem
and execute the same
openssl
successfully.
(Try inspecting the
fleet.pem
with a text editor and see if it looks good or there are any new line issues in it.)
Also, try fetching the server_url config and check if it looks good:
$ fleetctl get config --include-server-config
[...]
  server_settings:
    [...]
    server_url: https://...
[...]
n
Whenever I try to open it with TextEdit or VS Code it just says
undefined
l
Mhm... try with
cat fleet.pem
If it says
undefined
then please confirm if such file with that content was provided by fleet's download pem option.
See you tomorrow!
z
If
undefined
is the actual contents of the file it's definitely not going to work. There may be some issue with the UI retrieving your server cert. You can just use the cert pem (NOT the private key!) that you provide to the server.
n
Alrighty, thanks. I've confirmed downloading the pem from the UI again still says
undefined
l
You can just use the cert pem (NOT the private key!) that you provide to the server.
Hi Let us know if this works.
We'll be tracking this issue here: https://github.com/fleetdm/fleet/issues/3374
n
I tried this last night using the cert.pem under
/etc/pki/tls/cert.pem
and the pem that I downloaded from the UI still reads
undefined
I should also mention, if this matters, that we are using the dockerized variant of fleet.
l
You can just use the cert pem (NOT the private key!) that you provide to the server.
By this I think Zach means using the PEM you provide to
fleet serve
in
--server_cert
or
FLEET_SERVER_CERT
.
n
ah ok checking now
So two things I noticed: after downloading the cert file from the UI I get this error in the UI,
and secondly I was able to successfully install the package after using the server.cert in
FLEET_SERVER_CERT
but the endpoint is not showing up in the fleet UI, although it shows as running.
A good update for the team: we were able to get it successfully installed and showing up in the fleet UI. So I ended up using the server.cert file to generate the package again, this time using the private IP addr in the fleet URL, and it worked. Thanks for all the help team, I appreciate it.
l
Glad to hear this!