koba
07/21/2020, 8:28 AM
Failed enrollment request to https://something.com/api/v1/osquery/enroll (Request error: certificate verify failed) retrying.
I'm following the FAQs to make sure I don't miss anything. Here is what I get when I curl the enroll endpoint.
❯ curl -v -X POST https://something.com:443/api/v1/osquery/enroll
* Trying 13.234.113.134...
* TCP_NODELAY set
* Connected to osquery.lalaland.com (13.234.113.134) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
sundsta
07/21/2020, 6:18 PM
--tls-server-certs flag. See https://osquery.readthedocs.io/en/stable/installation/cli-flags/
koba
07/22/2020, 4:40 AM
.pem path in --tls-server-certs (the pem file downloaded from the fleet web UI). I also cross checked that the fleet FQDN matches the CN in the .pem file. But I still can't enroll my client on the fleet server.
One thing I noticed is that openssl appends the email to the FQDN so the final CN in the certificate is CN=myfqdn/emailAddress=myemailid
I hope that has nothing to do with the certificate failing to verify?
DG
07/23/2020, 5:39 PM
tkrabec
08/13/2020, 1:51 PM
koba
08/15/2020, 5:10 PM