#fleet
Justin Bowen

03/12/2021, 7:04 PM
I just tried to launch the latest OSQuery in box and it never generated fleet.crt / fleet.key, and I can't seem to get OSQuery to accept a self signed cert on fleet (this is for testing), any ideas?
zwass

03/12/2021, 7:05 PM
Those cert files are in the osquery directory. Does that help?
Justin Bowen

03/12/2021, 7:06 PM
Right, I generated them
7:06 PM
But for the moment, they are just self signed
7:06 PM
Can I get osquery to allow with self signed?
zwass

03/12/2021, 7:07 PM
Yes, use the --tls_server_certs flag with osquery.
Justin Bowen

03/12/2021, 7:11 PM
zwass

03/12/2021, 7:14 PM
Probably need a sudo there, or else configure a different path for the pidfile
Justin Bowen

03/12/2021, 7:20 PM
I was calling out the cert verify failed error to be specific
zwass

03/12/2021, 7:34 PM
That was before or after using --tls_server_certs flag?
Justin Bowen

03/12/2021, 9:40 PM
after
9:41 PM
I used the Fleet UI instructions for adding a client
9:42 PM
so I used the flagfile, server pem, and secret files it has you download then try to run it
zwass

03/12/2021, 10:59 PM
Can you paste the flagfile it gave you please?
spookerlabs

03/12/2021, 11:25 PM
@Justin Bowen this could be an FQDN problem. How did you create your certificate? Some name and now using IP as hostname? Could be the issue.
Justin Bowen

03/12/2021, 11:36 PM
ahh that would make sense
11:36 PM
yes I used the ip address
zwass

03/12/2021, 11:37 PM
Yeah that is likely the issue
11:37 PM
If you generate a cert with matching IP SANs it will work.
Justin Bowen

03/12/2021, 11:37 PM
Copy, I'll work on that
zwass

03/12/2021, 11:42 PM
Or for a quick test you can always make an /etc/hosts entry
Justin Bowen

03/12/2021, 11:52 PM
That's the plan, thanks!