Title
#fleet
j

jake

09/05/2021, 2:26 AM
After many days of struggling, I finally got was able to get FleetDM deployed utilizing Traefik with Let's Encrypt Certs for the Web UI and using GRPC Load balancer for the API. Same domain name for both, use port 443 mapped to any port that you set Fleet too.
Mystery Incorporated

Mystery Incorporated

09/05/2021, 8:12 AM
@jake How are you going to make sure your agents get the new LE cert every 3 months to communicate over GRPC using LE cert for auth? (Fleet.pem given to osquery to auth, that's going to change every 3 months if you're using an LE cert and will need to be pushed to all your agents)
j

jake

09/05/2021, 10:46 AM
I created a self signed cert that's good for 3 years. Fleet utilizes the Self Signed Cert. Traefik only serves the Web UI with Let's Encrypt, the fleet agents themselves are Grpc load balanced so it connects to the reverse proxy and authtecate utilizing the self signed cert.
Mystery Incorporated

Mystery Incorporated

09/05/2021, 11:25 AM
Gotcha, ok yea that’s what I do as well with the certs, thought maybe yoy had a neat trick to keep an LE cert updated for agents.