#kolide

crimsonknave

04/07/2020, 6:49 PM
👋 I'm looking for help enrolling osquery agents into fleet via TLS client certificates. I filed https://github.com/kolide/fleet/issues/2208 a few weeks ago as directed in https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md, but haven't heard anything.

DG

04/07/2020, 7:28 PM
I know little, but decided to toss out something that someone could correct me on later. In the tls common file there is an integer that specifies how the server should behave.
7:28 PM
    // ClientAuthType declares the policy the server will follow for
    // TLS Client Authentication.
    type ClientAuthType int

    const (
        NoClientCert ClientAuthType = iota
        RequestClientCert
        RequireAnyClientCert
        VerifyClientCertIfGiven
        RequireAndVerifyClientCert
    )
7:28 PM
That enumeration list on ClientAuthType is taken from the Go source -> src/pkg/crypto/tls/common.go
zwass

04/07/2020, 7:45 PM
I replied to your issue there.

DG

04/07/2020, 7:46 PM
So I never found that file; went to MySQL, checked a few tables, and it's not saved in the DB as far as I can tell... so I am glad someone else understands this better :)
7:48 PM
That suggestion of a proxy is a really good option. Enough trying to help for me, back to lunch. Thank you @zwass, I was curious about the answer.
zwass

04/07/2020, 7:48 PM
If someone sets it up using a proxy, please blog about it so we can all learn!

crimsonknave

04/07/2020, 7:56 PM
Thanks, I'll take a look and see if it's worth it to set the proxy up.
defensivedepth

04/07/2020, 7:56 PM
I think you could set up the client auth with nginx somewhat easily (https://jason.whitehorn.us/blog/2019/02/01/client-certificate-auth-with-nginx/), and then reverse proxy it to Fleet --> https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/

crimsonknave

04/07/2020, 7:56 PM
It might make sense to update the doc that says to file an issue and just note that it's not supported at this time.
defensivedepth

04/07/2020, 7:58 PM
btw, I never trust someone who says you can do it "this way, it's easy!" ---> It never ends up being "easy" 😉
zwass

04/07/2020, 8:00 PM
Put up a PR to update the docs.

DG

04/07/2020, 8:10 PM
See, I was thinking the $$ money way: F5 + APM or iRule.
8:11 PM
I like it when open source leads to open source and the community as a whole is enriched. Been loving that in these Slacks.