koba
10/13/2020, 7:04 AM

Zach Zeid
10/13/2020, 3:49 PM

CptOfEvilMinions
10/14/2020, 2:40 PM
Does the osquery.flags file have the following flag: --tls_server_certs= ?
koba
10/20/2020, 3:59 PM
"not secure" warning from browser. So if I choose ACM, what sort of changes do I have to make to my current environment?
I'm wondering:
• Do I have to launch a fresh instance of Fleet server with ACM certs? Since the current Fleet server that's running is using my self-signed cert and key.
• Do I just start enrolling new hosts with public ACM certs, without having to relaunch my Fleet server?
> Typically, generating the cert somewhere and storing the private key (encrypted) in Parameter Store is a good bet. You then can import the fullchain into ACM.
So I can simply import my existing self-signed cert into ACM and the key into Parameter Store? I guess this means my LB will start serving my self-signed cert? But will I get rid of the "not secure" browser warning? If not, it would not be any different than simply not using ACM at all (at least for my use case).
CptOfEvilMinions
10/20/2020, 4:12 PM
osquery endpoint ---- TLS ---> AWS LB with ACM cert ---- TLS ---> Kolide Fleet
If this is correct, Osquery is probably failing because it can't "verify" the ACM certificate being provided by the LB, which is the endpoint Osquery is connecting to.
To ensure Osquery is verifying the correct certificate, please get the value of your --tls_server_certs= flag from osquery.flags. Next, run:
cat <filepath of value for tls_server_certs>
(output should be a PEM-formatted public cert). Next, run:
openssl s_client -connect <kolide FQDN>:<port> -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM
The output from both commands should be identical. If they are not, please make the necessary changes on the endpoint side. Restart Osquery.
If this doesn't resolve the issue I have some ideas, but try this first.
Zach Zeid
10/20/2020, 4:13 PM
fleet serve with the server certs configured, so probably depending on your setup.
koba
10/20/2020, 4:34 PM
> if I understand your setup correctly
That's correct. But a little backstory to make the certificate part more clear: I had a perfectly working Fleet server running with self-signed certs, and I was able to connect my hosts too without any issues. The only problem was I wanted to get rid of the browser warning. So I put my Fleet server behind the LB and the warning went away. Of course the Fleet web console now started serving the new ACM cert (I was able to see the new ACM cert in the browser's "view site info"), and when hosts started to fail at enrolment it kind of made sense why.
But since I did not know how to fix this, I removed the LB from the picture. I'm now back to the old osquery endpoint ---> TLS ---> Kolide Fleet setup.
Zach Zeid
10/20/2020, 4:36 PM

CptOfEvilMinions
10/20/2020, 4:37 PM

Zach Zeid
10/20/2020, 4:37 PM
fleet serve with the server cert filepath as a command-line switch (docker on ECS)
koba
10/20/2020, 4:38 PM
> @koba did you run the commands I specified above?
Yes I did. The output is not the same. The second command says:
unable to load certificate
4367269548:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.40.4/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: TRUSTED CERTIFICATE
> what kind of LB are you using? I used LE to generate a cert, imported it into ACM, and am using that for our NLB.
@Zach Zeid It's an Application LB. And the certs are self-signed using openssl.
Zach Zeid
10/20/2020, 4:44 PM