#fleet

Luis Teles

11/30/2021, 11:12 AM
Hi everyone 🙂 I'm struggling to get agents to enroll on fleetdm. I'm getting bad record MAC every time. I've set the address via fleetctl to the server IP, I've generated new installers and new openssl certificates with the correct server IP address, to no avail. I always get "bad record MAC". Any tip? 😞 I've been fighting with this for 4 hours now

Leonoor S

11/30/2021, 11:17 AM
How are you creating a certificate?

Luis Teles

11/30/2021, 11:20 AM
openssl genrsa -out /tmp/server.key 4096
openssl req -new -key /tmp/server.key -out /tmp/server.csr
openssl x509 -req -days 366 -in /tmp/server.csr -signkey /tmp/server.key -out /tmp/server.cert
I'm using these commands, taken from here: https://fleetdm.com/docs/deploying/example-deployment-scenarios#fleet-on-ubuntu

Leonoor S

11/30/2021, 11:24 AM
What kind of host are you trying to add?

Luis Teles

11/30/2021, 11:28 AM
I've tried windows and ubuntu
11:28 AM
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
11:28 AM
Is this because of the self-signed certificate?
11:30 AM
That should not be it since I've configured fleet using this command: fleetctl config set --address https://<IP>:<PORT> --tls-skip-verify
Tomas Touceda

11/30/2021, 12:20 PM
hi Luis, sounds like you haven't set the right hostname for the certificate: https://fleetdm.com/docs/deploying/faq#common-problems

Luis Teles

11/30/2021, 1:04 PM
Hi Tomas, thanks for your reply! I'm afraid I have double checked and the hostname is correct
Tomas Touceda

11/30/2021, 1:12 PM
could you share the outputs of the commands you've used to check and the flagfile you're using for your hosts?

Ryan

11/30/2021, 2:19 PM
I had this same error and it was with a commercial certificate but I was able to solve the issue by including the entire certificate chain, all intermediates, and the root CA cert, all into the PEM file.
2:20 PM
I wonder if it could be related to that, is your self signed root in the PEM?

Luis Teles

12/06/2021, 10:01 AM
Hi all! Sorry for the delay, I was on holidays 🙃 Here are the commands I used:
openssl genrsa -out /tmp/server.key 4096
openssl req -new -key /tmp/server.key -out /tmp/server.csr
openssl x509 -req -days 366 -in /tmp/server.csr -signkey /tmp/server.key -out /tmp/server.cert
10:01 AM
@Ryan Might not be. I'll check and get back to you! Thanks 😃
10:59 AM
I finally found the issue!! 🥳 I was missing the "--insecure=true" flag when generating the osquery installer using fleetctl! Thanks all for your help and support 🤗

Ryan

12/06/2021, 2:23 PM
I think that flag will just disable SSL verification won’t it?

Luis Teles

12/07/2021, 3:38 PM
Yep 🙂
3:39 PM
It is required if you're using self-signed certificates