Chad 08/24/2021, 6:20 AM
Tomas Touceda 08/24/2021, 2:00 PM
Mystery Incorporated 08/24/2021, 2:40 PM
Chad 08/25/2021, 12:55 AM
error.
Request error: certificate verify failed
Things I have tried:
1. I have tried both AWS ACM certs and LetsEncrypt certs
2. I have tried without specifying as well as providing the entire LE cert chain
3. I have confirmed that the certificate is valid and accessible with
4. I have confirmed the CName matches the DNS name
5. I have confirmed there are no network issues as orbit with flag works
I am using the osqueryd packaged with orbit, is this modified in any way from the original binary?
Mystery Incorporated 08/25/2021, 4:03 AM
zwass 08/25/2021, 3:30 PM
curl -vv --cacert fleet.pem https://localhost:8080
(replacing the cert path and URL as appropriate)?
Chad 08/26/2021, 8:40 AM
Managed to troubleshoot that osquery isn't using the computer cert store at all (for both mac and windows). So manually pointing osquery to the device's cert store resolved the issue. Not sure if this is just an issue on my end, but if not it would be helpful to update the docs to clarify this (in both osquery and orbit). Created a PR to add flag for the windows orbit agent and fixed a bug in building agents on linux.
curl -vv --cacert AWSCA.pem https://devices.mydomain.com
*   Trying xx.xx.xx.xx:443...
* TCP_NODELAY set
* Connected to devices.mydomain.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: AWSCA.pem
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=devices.mydomain.com
*  start date: Aug 26 00:00:00 2021 GMT
*  expire date: Sep 24 23:59:59 2022 GMT
*  subjectAltName: host "devices.mydomain.com" matched cert's "devices.mydomain.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55fb02dd9860)