Title
#kolide
c

christran

08/26/2020, 8:59 AM
Hi! I have a question. I'm building Kolide fleet with topology belows Im using HAproxy + kolidefleet. On kolide fleet I setup with no tls (--server_tls=false). And on Haproxy I use Let's encrypt cert for domain of Lets encrypt and use this cert for client authorize. But when client connect with fleet via domain or IP of haproxy, I recived thi log 2608 tls_enroll.cpp:76] Failed enrollment request to https://domain.fleet/api/v1/osquery/enroll (Request error: certificate verify failed) retrying... Anyone can resolve it ?
s

seph

08/26/2020, 12:47 PM
Well, “certificate verify failed” seems pretty clear…. Does it work from curl? What is
/var/osquery/server.pem
I think that should be a bundle of CA certificates, not the server cert directly.
c

christran

08/27/2020, 4:23 AM
curl -v -X POST <https://domain/api/v1/osquery/enroll>
*   Trying IP...
* TCP_NODELAY set
* Connected to domain (IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=domain
*  start date: Aug 26 07:33:12 2020 GMT
*  expire date: Nov 24 07:33:12 2020 GMT
*  subjectAltName: host "domain" matched cert's "domain"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> POST /api/v1/osquery/enroll HTTP/1.1
> Host: domain
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 500 Internal Server Error
< Date: Thu, 27 Aug 2020 04:19:51 GMT
< Content-Length: 108
< Content-Type: text/plain; charset=utf-8
<
{
  "message": "Unknown Error",
  "errors": [
    {
      "name": "base",
      "reason": "EOF"
    }
  ]
}
* Connection #0 to host domain left intact
4:24 AM
I have tried