#fleet

abraham linkolan

03/21/2021, 1:03 PM
Hi guys, my agents seem to not trust the server's certificate (Failed enrollment to https://<address>/api/v1/osquery/enroll (Request error: certificate verify failed)), even though it is signed by our organization's CA. When I access the web UI through Chrome, for example, it says "secure", which means the certificate is OK. Any ideas?
CptOfEvilMinions

03/22/2021, 3:30 PM
Ensure that the common name set in the TLS cert matches the FQDN of the server in your flags file: --tls_hostname=<TLS FQDN>. Also, does your Osquery flags file contain a --tls_server_certs=<file path to cert>?
abraham linkolan

04/06/2021, 11:05 AM
Hey, thanks for the response! Both of those flags are set correctly, any other ideas?
CptOfEvilMinions

04/06/2021, 2:46 PM
You should be able to debug the issue by using OpenSSL. First, try: openssl s_client -CApath <file path to cert> -connect <Fleet FQDN>:<port>