Kathy Satterlee
03/10/2022, 8:55 PM
C:\Temp\osqueryconf\
and now we see the client trying to communicate with Fleet when running: "C:\Program Files\osquery\osqueryd\osqueryd.exe" --flagfile="C:\Temp\osqueryconf\osquery.flags" --verbose --tls_dump
To me this validates that the service was in fact skipping the flags file. Progress! However, we are now getting an enrollment error –
<https://fleet.xxxx.net:443/api/v1/osquery/enroll> (No node key returned from TLS enroll plugin) retrying...
{
"error": "enroll failed: no matching secret found",
"node_invalid": true
}
We’ve triple checked the enroll secret value (which I took straight from Fleet), checked for whitespace, etc., but to no avail. Here’s what the error on Fleet’s side looks like:
2022-03-10T19:54:06.128619+00:00 <http://xxxx.xxxx.net|xxxx.xxxx.net> fleet: {"component":"service","err":"enroll failed: no matching secret found","host_identifier":"xx-xx-xx-xx-xx","ip_addr":"xxx.x.x.x:xxxxx","level":"info","method":"EnrollAgent","took":"1.789708ms","ts":"2022-03-10T19:54:06.128302224Z","x_for_ip_addr":"xx.xxx.xx.x"}
--enroll_secret_path
flag and let me know if that changes things for you?
Benjamin Edwards
03/10/2022, 8:59 PM
--enroll_secret_path
use the env var flag:
--enroll_secret_env=ENROLL_SECRET
and then set ENROLL_SECRET=foobarsecret
via
set ENROLL_SECRET=foobarsecret
Dan Achin
03/10/2022, 9:18 PM
Kathy Satterlee
03/10/2022, 10:00 PM