Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
e
Erich Stoekl
04/08/2020, 6:30 PMHi Folks. When deploying Fleet behind a load balancer, does each Fleet server need to use its own CRT and KEY files? I'm thinking the TLS Termination will be done at the load balancer, then just forward unencrypted traffic to the Fleet server
s
sundsta
04/08/2020, 6:38 PMDepends how you configure the LB. It can either pass through or terminate and then connect.
Of course, if you have the LB terminate the TLS you need to set Fleet’s server_tls=false (see https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md#server_tls)
s
SK
04/08/2020, 6:45 PMIf you do not terminate on the LB you will need the same cert files on all the servers.
z
zwass
04/08/2020, 7:35 PMYou actually might not need the same cert on each server, as long as each cert can be validated by osquery. That said, I would typically use the same cert on each server. Or do as @sundsta says and terminate at the LB.
e
Erich Stoekl
04/08/2020, 7:52 PMThanks all!
@zwass Another question on this topic -- how do you have osquery validate multiple certs? I now have a situation where my fleet server uses self-signed certs, and my LB uses its own certs
s
sundsta
04/25/2020, 12:01 AM@Erich Stoekl osquery would only talk to the LB, so it only needs the LB’s certs
e
Erich Stoekl
04/27/2020, 2:35 AM@sun-77 thanks for your reply. I have fleet set up with its own certs, and the LB with its own certs. I can access the web portal for fleet, and my osquery nodes connect, but I am unable to schedule queries against the osquery nodes. That's why I'm wondering if it's possible to tell osquery that there are multiple certs involved
s
sundsta
04/27/2020, 3:14 AMIf the LB is terminating TLS as you described, that is the only cert osquery needs to know about. If the LB initiates another TLS connection to the Fleet nodes, that is between the LB and the nodes and the osquery agent isn't involved in that at all. With all of that said, if the agents are connecting and enrolling there isn't a certificate issue.
e
Erich Stoekl
04/28/2020, 12:43 AM@sundsta thanks. They're enrolling (at least I think they are, the agents show up as green in the web UI for fleet), but I cannot run queries against them. Is there a way to debug this situation?
The osquery nodes enroll when they have the public key that the LB is using. So it kind of makes sense to me that Fleet can't run queries against the osquery nodes... the Fleet server can't tell that they are using the correct certs, because the fleet server doesn't know about the LB cert
s
sundsta
04/28/2020, 1:12 AMThis is a pull, not push, scenario.
osquerydIf I remember correctly, you are filtering out some API routes in order to ensure the admin panel is not accessible from the internet. You will want to double check that is not blocking requests to the config API
Also, your load balancer logs should indicate what is happening when it receives the connections from osqueryd
e
Erich Stoekl
04/28/2020, 4:23 PMThanks, I'll check that