#fleet
Chad

08/14/2021, 10:13 AM
Quick question. Does the Windows Orbit agent work with certificates signed by a trusted authority? I am using a cert issued by AWS; I know it's trusted because my browser has no issues accessing the service. When I try to run:
.\orbit.exe --fleet-url=https://host.domain.com:443 --enroll-secret=[Redacted Secret]
I get the following errors, which makes me think orbit/osquery doesn't support trusted CAs on Windows:
Failed to retrieve system cert pool. Cannot validate Fleet server connection. error="crypto/x509: system root pool is not available on Windows"
...
...
Cannot read TLS server certificate(s): \Program Files\osquery\certs\certs.pem
My understanding is that if I am using a cert signed by a trusted authority, then osquery/orbit shouldn't even be looking for certs locally?
Mystery Incorporated

08/14/2021, 12:42 PM
@Chad I think you'll find joy if you make sure certs.pem contains the CA cert of your cert issued by AWS. When we deploy osquery for Fleet, we need to include the certificate hosted by Fleet and the certificate of the CA that signed it; I imagine it'll be the same for Orbit (just a guess).
12:43 PM
So just paste the contents of the CA cert PEM and the AWS cert PEM together in the one file: --- BEGIN CERT--- skjfdhkajhdjkhjajdajkdj -- END CERT --- --- BEGIN CERT --- dsnsjfnjdzfnjdnjf --- End CERT --- I always put the root CA cert first and then the next in the chain under it, etc. No idea if order actually matters though.
Chad

08/14/2021, 3:06 PM
Yeah, thanks, I know that will work; my question was more specifically why it's needed if I am using certs issued by trusted authorities, and whether this is an issue with osquery on Windows or is by design.
zwass

08/14/2021, 3:29 PM
Things have always been a little trickier on Windows... IIRC osquery does support a range of trusted authorities on Windows. The first error is because Orbit is trying to do a pre-check to see if the cert will be recognized; it's a non-fatal error, but since it's always going to fail on Windows (due to Go stdlib issues) we should probably silence it.