#fleet

Collin

02/16/2021, 10:45 PM
Am I correct in thinking that adding a macOS host to Fleet requires a TLS cert trusted by the Mac, regardless of if it’s built with the launcher or otherwise?
zwass

02/16/2021, 10:57 PM
No, you can use any cert as long as the CN or SAN matches with --server_tls_certs in osquery.
11:22 PM
With Launcher I believe you can package the cert to achieve similar.
Collin

02/16/2021, 11:23 PM
Yeah, new to fleet, so it’s still using the in-box *.your-server.de cert, which obviously doesn’t have the server name in the CN or SAN
zwass

02/16/2021, 11:24 PM
Yeah, typically it makes sense to generate a self-signed cert with the matching CN/SAN and then use the --server_tls_certs option.
11:25 PM
Or if you are really in early testing you can use --insecure with Launcher.
Collin

02/16/2021, 11:25 PM
The --insecure flag didn’t seem to make a difference, fwiw.
zwass

02/16/2021, 11:26 PM
--insecure_transport maybe? I can't remember why those are separate nor which is the correct one to use in this scenario
Collin

02/16/2021, 11:28 PM
Probably easier just to make the self-signed certificate, then.