Quick question. Does the windows orbit agent work with certificates signed by a trusted authority? I am using a cert issued by AWS, I know its trusted because my browser has no issues accessing the service. When I try run:

.\orbit.exe --fleet-url=<https://host.domain.com:443> --enroll-secret=[Redacted Secret]

I get the following errors which makes me think orbit/osquery doesn't support trusted CAs on windows:

Failed to retrieve system cert pool. Cannot validate Fleet server connection. error="crypto/x509: system root pool is not available on Windows"
...
...
Cannot read TLS server certificate(s): \Program Files\osquery\certs\certs.pem

My understanding is that if I am using a cert signed by a trusted authority then osquery/orbit shouldn't even be looking for certs locally?

@Chad I think you'll find joy if you make sure certs.pem contains the CA cert of your cert issued by AWS. When we deploy osquery for fleet, we need to include the certificate hosted by Fleet and the certificate of the CA that signed it, I imagine it'll be same for orbit (just a guess)

Yeah thanks I know that will work, my question was more specifically why its needed if I am using certs issued by trusted authorities and whether this is an issue with osquery on windows or is by design

Things have always been a little trickier on Windows... IIRC osquery does support a range of trusted authorities on Windows. The first error is because Orbit is trying to do a pre-check to see if the cert will be recognized -- it's a non-fatal error but since it's always going to fail on Windows (due to Go stdlib issues) we should probably silence it.