# kolide
Hello. Happy hump day! I am running fleet on Ubuntu 20.04, and have set it up according to: https://github.com/kolide/fleet/blob/master/docs/infrastructure/fleet-on-ubuntu.md
On the same local network, I am trying to add a host running macOS Catalina. osquery is confirmed to work locally on the mac via
. I can connect to the web interface from both machines. I have the Enroll Secret on the mac in
I have downloaded the server.pem certificate onto the mac, and copied it to
, also I have added it to the System in Keychain Access and set to Always Trust. I am attempting to enroll from the mac with this command:
```
sudo osqueryd --enroll_secret_path=/etc/osquery/enrollment_secret --tls_server_certs=/var/osquery/server.pem --tls_hostname= --host_identifier=elliott_macbookpro --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10
```
When I run that, I get the following error:
```
W1014 14:15:37.995653 377294272 tls_enroll.cpp:76] Failed enrollment request to <> (Request error: certificate verify failed) retrying...
```
The server stdout shows:
```
2020/10/14 14:15:37 http: TLS handshake error from local error: tls: bad record MAC
```
Any pointers as to how to get the handshake to succeed?
`bad record MAC` would indicate the data has been tampered with or corrupted in some way. See https://github.com/googleapis/google-cloud-go/issues/1581#issuecomment-531817165
hmm, so is it likely that Ubuntu is using a different version of TLS than the Mac?
I'm sorry, I'm having trouble grasping the implications of that comment.
I'm not sure what could be corrupting the data between 2 machines on my home network.
MAC in this particular context probably refers to this part of the network stack https://en.wikipedia.org/wiki/Medium_access_control and not your device. What it implies is relatively well described in the issue that was linked in sundsta’s response, though what exactly causes this issue on your network is not something I’ve got any idea about!
I wonder how I would find out. (sorry that I'm such a noob)
Since the error is prefaced by
, it more likely refers to the TLS Message Authentication Code (aka checksum). See the
heading here https://www.acunetix.com/blog/articles/tls-ssl-terminology-basics-part-3
Another Fleet user reported fixing these issues by fixing the FQDN in the generated cert: https://github.com/kolide/fleet/pull/2331/files
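
One way to test the FQDN explanation from the last reply before regenerating anything, as an added example that is not part of the thread: check whether the certificate file given to `--tls_server_certs` actually covers the name given to `--tls_hostname`. The name `fleet.example.test`, the port, and the `make_sample_cert` fixture are constructed for illustration; IPv6 literals are not handled, and only name coverage is checked, not chain trust or expiry.

```shell
#!/bin/sh
# Added example: does the pinned server certificate cover the name osqueryd dials?

# --tls_hostname is normally host:port; keep only the host part.
host_only() {
  printf '%s\n' "${1%:*}"
}

# Return 0 if the PEM certificate in $1 is valid for the host or IPv4 address in $2.
cert_covers_host() {
  cert=$1
  host=$(host_only "$2")
  case $host in
    *[!0-9.]*) flag=-checkhost ;;  # has a character other than digit or dot: DNS name
    *)         flag=-checkip ;;    # IPv4 literal: compared against iPAddress SAN entries
  esac
  # Decide from the printed verdict rather than the exit status.
  verdict=$(openssl x509 -in "$cert" -noout "$flag" "$host" 2>&1) || true
  case $verdict in
    *"does match certificate"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed fixture: throwaway self-signed cert for the made-up name
# fleet.example.test (needs an openssl that supports -addext).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=fleet.example.test" \
    -addext "subjectAltName=DNS:fleet.example.test" \
    -keyout "$1/key.pem" -out "$1/server.pem" >/dev/null 2>&1
}

# Usage: sh check_cert_name.sh /var/osquery/server.pem fleet.example.test:8080
if [ "$#" -eq 2 ]; then
  if cert_covers_host "$1" "$2"; then
    echo "OK: certificate covers $(host_only "$2")"
  else
    echo "MISMATCH: certificate does not cover $(host_only "$2")"
    openssl x509 -in "$1" -noout -subject   # show the name the cert was issued for
  fi
fi
```

A mismatch here, for example a certificate issued for a hostname while the client is pointed at the server's LAN IP address, is enough to cause a verification failure on the client even when the certificate file itself is the right one.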