Title
#kolide
Erich Stoekl

Erich Stoekl

04/08/2020, 6:30 PM
Hi Folks. When deploying Fleet behind a load balancer, does each Fleet server need to use its own CRT and KEY files? I'm thinking the TLS Termination will be done at the load balancer, then just forward unencrypted traffic to the Fleet server
sundsta

sundsta

04/08/2020, 6:38 PM
Depends how you configure the LB. It can either pass through or terminate and then connect.
6:39 PM
Of course, if you have the LB terminate the TLS you need to set Fleet’s server_tls=false (see https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md#server_tls)
SK

SK

04/08/2020, 6:45 PM
If you do not terminate on the LB you will need the same cert files on all the servers.
zwass

zwass

04/08/2020, 7:35 PM
You actually might not need the same cert on each server, as long as each cert can be validated by osquery. That said, I would typically use the same cert on each server. Or do as @sundsta says and terminate at the LB.
Erich Stoekl

Erich Stoekl

04/08/2020, 7:52 PM
Thanks all!
11:25 PM
@zwass Another question on this topic -- how do you have osquery validate multiple certs? I now have a situation where my fleet server uses self-signed certs, and my LB uses its own certs
sundsta

sundsta

04/25/2020, 12:01 AM
@Erich Stoekl osquery would only talk to the LB, so it only needs the LB’s certs
Erich Stoekl

Erich Stoekl

04/27/2020, 2:35 AM
@sun-77 thanks for your reply. I have fleet set up with its own certs, and the LB with its own certs. I can access the web portal for fleet, and my osquery nodes connect, but I am unable to schedule queries against the osquery nodes. That's why I'm wondering if it's possible to tell osquery that there are multiple certs involved
sundsta

sundsta

04/27/2020, 3:14 AM
If the LB is terminating TLS as you described, that is the only cert osquery needs to know about. If the LB initiates another TLS connection to the Fleet nodes, that is between the LB and the nodes and the osquery agent isn't involved in that at all. With all of that said, if the agents are connecting and enrolling there isn't a certificate issue.
Erich Stoekl

Erich Stoekl

04/28/2020, 12:43 AM
@sundsta thanks. They're enrolling (at least I think they are, the agents show up as green in the web UI for fleet), but I cannot run queries against them. Is there a way to debug this situation?
12:45 AM
The osquery nodes enroll when they have the public key that the LB is using. So it kind of makes sense to me that Fleet can't run queries against the osquery nodes... the Fleet server can't tell that they are using the correct certs, because the fleet server doesn't know about the LB cert
sundsta

sundsta

04/28/2020, 1:12 AM
This is a pull, not push, scenario.
osqueryd
reaches out to Fleet periodically for the latest configuration which all routes through the same LB that the enroll API call does
1:16 AM
If I remember correctly, you are filtering out some API routes in order to ensure the admin panel is not accessible from the internet. You will want to double check that is not blocking requests to the config API
1:16 AM
Also, your load balancer logs should indicate what is happening when it receives the connections from osqueryd
Erich Stoekl

Erich Stoekl

04/28/2020, 4:23 PM
Thanks, I'll check that