Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
Ryan
08/26/2021, 1:48 PMHi there! We had to renew our wildcard certificate used by Fleet and osquery, but I'm struggling to get it to work with Fleet. The issuer changed and also we've gone from a SHA-256 cert to SHA-384 cert, I wonder if that might be a problem? I don't think so, looking at the Intermediate Mozilla cert docs (we're using
tls_compatibility: intermediateFailed enrollment request to https://blabla (Request error: certificate verify failed) retrying...The PEM bundle we're using works in other software, for example, we're using it in Nginx absolutely fine. Does anyone have any suggestions what we can try?
update: i managed to get this to work again by rebuilding the PEM bundle to include every cert in the chain including the root CA certificate
this wasn't needed for other software so I'm not sure, maybe osquery/fleet has it's own root CA list and ours wasn't in there?
anyway I'll roll this out to all hosts and see if they all start working again
👍
z
zwass
08/26/2021, 4:58 PMAh, I believe that is an osquery requirement.
👍 1
r
Ryan
08/26/2021, 5:00 PMyeah must be!
anyway I should've thought to put the root cert in the bundle earlier
😄