
E-Dawg

10/14/2020, 6:31 PM
Hello. Happy hump day! I am running fleet on Ubuntu 20.04, and have set it up according to: https://github.com/kolide/fleet/blob/master/docs/infrastructure/fleet-on-ubuntu.md On the same local network, I am trying to add a host running MacOS Catalina. OSQuery is confirmed to work locally on the mac via osqueryi. I can connect to the web interface from both machines. I have the Enroll Secret on the mac in /etc/osquery/enrollment_secret. I have downloaded the server.pem certificate onto the mac, and copied it to /var/osquery/server.pem; also I have added it to the System in Keychain Access and set it to Always Trust. I am attempting to enroll from the mac with this command:
sudo osqueryd --enroll_secret_path=/etc/osquery/enrollment_secret --tls_server_certs=/var/osquery/server.pem --tls_hostname=192.168.1.115:8080 --host_identifier=elliott_macbookpro --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10
When I run that, I get the following error:
W1014 14:15:37.995653 377294272 tls_enroll.cpp:76] Failed enrollment request to <https://192.168.1.115:8080/api/v1/osquery/enroll> (Request error: certificate verify failed) retrying...
The server stdout shows:
2020/10/14 14:15:37 http: TLS handshake error from 192.168.1.104:54237: local error: tls: bad record MAC
Any pointers as to how to get the handshake to succeed?

sundsta

10/14/2020, 7:16 PM
"bad record MAC" would indicate the data has been tampered with or corrupted in some way. See https://github.com/googleapis/google-cloud-go/issues/1581#issuecomment-531817165

E-Dawg

10/14/2020, 7:25 PM
hmm, so is it likely that Ubuntu is using a different version of TLS than the Mac?
I'm sorry, I'm having trouble grasping the implications of that comment.
I'm not sure what could be corrupting the data between 2 machines on my home network.

kentd

10/14/2020, 8:48 PM
MAC in this particular context probably refers to this part of the network stack https://en.wikipedia.org/wiki/Medium_access_control and not your device. What it implies is relatively well described in the issue that was linked in sundsta’s response, though what exactly causes this issue on your network is not something I’ve got any idea about!

E-Dawg

10/14/2020, 9:33 PM
I wonder how I would find out. (sorry that I'm such a noob)

sundsta

10/14/2020, 11:01 PM
Since the error is prefaced by "tls", it more likely refers to the TLS Message Authentication Code (aka checksum). See the "MAC" heading here https://www.acunetix.com/blog/articles/tls-ssl-terminology-basics-part-3

zwass

10/15/2020, 3:55 PM
Another Fleet user reported fixing these issues by fixing the FQDN in the generated cert: https://github.com/kolide/fleet/pull/2331/files

ytonui

10/23/2020, 11:35 AM