Does the `FLEET SERVER CERT` config only accept paths to the

Question

Does the `FLEET SERVER CERT` config only accept paths to the cert Does it also accept the full cert itself set in the ENV var Heroku does not allow persist files in their directory I think so it is not possible to put it into a path

zwass · Answer

It expects the path to the cert For deploying on Heroku I d think you might want to have Heroku terminate TLS and run Fleet with `FLEET SERVER TLS=FALSE`

zwass · Answer

Alternatively maybe you could do something like `echo $CERT VALUE gt cert pem amp amp fleet serve`

Mo Zhu · Answer

If I do FLEET SERVER TLS=FALSE then i ll lose the security between the osqueryd and the fleet back end

Mo Zhu · Answer

If I do the echo approach that would go in the Procfile

zwass · Answer

echo approach would go in the procfile yeah

zwass · Answer

Turning off TLS on the Fleet server would only work if Heroku can terminate TLS which is very common to do with a load balancer

zwass · Answer

It s a bit hard to tell from the <https devcenter heroku com articles ssl|Heroku docs> but I think you d just be able to turn on SSL on Heroku and leave it off on the Fleet server This would effectively have Heroku terminating TLS like a load balancer

Mo Zhu · Answer

yeah I think all requests to a heroku server gets put through their load balancer

Mo Zhu · Answer

cool I will try that

zwass · Answer

I suspect their load balancer would then send plain HTTP requests to the Fleet server If that s the case you can turn off the TLS termination in Fleet

Mo Zhu · Answer

yup that s exactly it

zwass · Answer

That s how most of our reference implementations work