#fleet
mikermcneil

07/05/2021, 3:36 PM
fleetdm uses TLS certs to make the connection between endpoints (containing the osquery agent). In the event that the SSL cert changes or renews, is there a way to deploy the new secret.txt and fleet.pem to all the endpoints? Or is this a manual process?
Rachel Perkins

07/05/2021, 7:21 PM
If hosts are already enrolled in Fleet, they don't need the secret to be changed. For the SSL cert, if you are manually specifying the cert bundle, you would have to change it. We're going to add this question to the FAQ shortly.
Juan Alvarez

07/09/2021, 10:05 AM
For us it worked to add the new cert with the old one in the same file defined in --tls_server_certs on the osquery side. After that is done, replace the certificate on the fleet side. Could not figure a better way to do so.