Is it possible to maybe add whatever hostname/ip is specified as the Fleet App URL as a SAN on the fleet.pem that's generated when using fleet preview?

Hi @Heather, I don’t immediately know the answer to your question. What are you trying to achieve with Fleet preview?

I'd like to be able to test with external users using orbit built with a self signed cert - obviously then having the SAN's localhost, docker.internal (?), and 127.0.0.1 is not useful.

test with external users

Ok I think I got it. Are you attempting to try Fleet by managing external devices (users) using the fleet preview environment? Orbit is still a bit over my head, so I’m going to phone in @zwass to help out on this use case.

fleetctl preview

doesn't actually generate a certificate... It just uses the existing self-signed cert with those SANs. It's all optimized for the quickest possible set up of a preview environment running locally.

host.docker.internal

is what the Dockerized osquery containers use to connect, hence that SAN. The easiest way to expose the preview environment to external hosts would be to use something like ngrok (https://ngrok.com/), the free version works fine to serve a local port over a public IP with a legit SSL cert. You could also replace the configuration in

~/.fleet/preview

with your own certificate and whatever arguments you'd like to run the server with, then use

docker-compose

to start everything up as needed.