Chad
08/24/2021, 6:20 AM

Tomas Touceda
08/24/2021, 2:00 PM

Mystery Incorporated
08/24/2021, 2:40 PM

Chad
08/25/2021, 12:55 AM
"Request error: certificate verify failed" error. Things I have tried:
1. I have tried both AWS ACM certs and LetsEncrypt certs
2. I have tried without specifying --tls_server_certs as well as providing the entire LE cert chain
3. I have confirmed that the certificate is valid and accessible with curl
4. I have confirmed the CNAME matches the DNS name
5. I have confirmed there are no network issues, as orbit with the --insecure flag works
I am using the osqueryd packaged with orbit; is this modified in any way from the original binary?

Mystery Incorporated
08/25/2021, 4:03 AM

zwass
08/25/2021, 3:30 PM
curl -vv --cacert fleet.pem https://localhost:8080
(replacing the cert path and URL as appropriate)?

Chad
08/26/2021, 8:40 AM
curl -vv --cacert AWSCA.pem https://devices.mydomain.com
* Trying xx.xx.xx.xx:443...
* TCP_NODELAY set
* Connected to devices.mydomain.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: AWSCA.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=devices.mydomain.com
* start date: Aug 26 00:00:00 2021 GMT
* expire date: Sep 24 23:59:59 2022 GMT
* subjectAltName: host "devices.mydomain.com" matched cert's "devices.mydomain.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55fb02dd9860)
Managed to troubleshoot that osquery isn't using the computer cert store at all (for both macOS and Windows). So manually pointing osquery to the device's cert store resolved the issue. Not sure if this is just an issue on my end, but if not, it would be helpful to update the docs to clarify this (in both osquery and orbit).
Created a PR to add a --fleet-certificate flag for the Windows orbit agent and fixed a bug in building agents on Linux.