Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Tony N
02/25/2020, 9:15 PMHi, I have a quick question regarding connecting a workstation to a Fleet server. I've setup my "flags" file and am pointing to the shared secret, the TLS certificate, and the IP address of the server. However, when I run the osqueryd app I get the following error:
cpp:108] Cannot read TLS server certificate(s): "c:\Program Files\osquery\kolide.pem"
Any thoughts on what I'm missing? Does the certificate file have to have a certain format?
z
zwass
02/25/2020, 9:41 PMDoes the file exist? Does osqueryd have permissions to read it? The file should be in a normal PEM format.
t
Tony N
02/25/2020, 9:54 PMYes the file is there. You bring up a good question regarding permissions. I'm assuming that it does, but I'll double check. I was just wondering if there was also a certain encoding issue that I might be running into. I'm just using "Notepad" which normally uses UTF-8 encoding.
What would be the best way to check on those permissions?
Here is the readout when I use "--verbose"
C:\Windows\system32>osqueryd.exe --verbose --flagfile="C:\Program Files\osquery\osquery.flags"
I0225 14:56:55.412991 492 init.cpp:340] osquery initialized [version=4.2.0]
I0225 14:56:55.450927 492 system.cpp:330] Found stale process for osqueryd (2676)
I0225 14:56:55.450927 492 system.cpp:362] Writing osqueryd pid (1544) to \Program Files\osquery\osqueryd.pidfile
I0225 14:56:55.473908 492 extensions.cpp:349] Could not autoload extensions: Failed reading: \Program Files\osquery\extensions.load
I0225 14:56:55.473908 5492 watcher.cpp:583] osqueryd watcher (1544) executing worker (5436)
I0225 14:56:55.521196 4764 init.cpp:337] osquery worker initialized [watcher=1544]
I0225 14:56:55.521196 4764 rocksdb.cpp:131] Opening RocksDB handle: \Program Files\osquery\osquery.db
I0225 14:56:55.599743 4764 tls_enroll.cpp:69] TLSEnrollPlugin requesting a node enroll key from: https://192.168.1.10:8080/api/v1/osquery/enroll
I0225 14:56:55.599743 5672 interface.cpp:268] Extension manager service starting: \\.\pipe\osquery.em
I0225 14:56:55.599743 4764 system.cpp:289] Using host identifier: D8F242BE-9FA7-4402-9736-6E4A3169205D
Thrift: Tue Feb 25 14:56:55 2020 Client connected.
Thrift: Tue Feb 25 14:56:55 2020 Client connected.
Thrift: Tue Feb 25 14:56:55 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Tue Feb 25 14:56:55 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Tue Feb 25 14:56:55 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
Thrift: Tue Feb 25 14:56:55 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
I0225 14:56:56.693370 4764 tls.cpp:253] TLS/HTTPS POST request to URI: https://192.168.1.10:8080/api/v1/osquery/enroll
W0225 14:56:56.693370 4764 tls.cpp:100] Cannot read TLS server certificate(s): "c:\Program Files\osquery\kolide.pem"
W0225 14:56:57.052332 4764 tls_enroll.cpp:76] Failed enrollment request to https://192.168.1.10:8080/api/v1/osquery/enroll (Request error: certificate verify failed) retrying...
z
zwass
02/26/2020, 2:19 AMIt seems pretty clear that osquery can't read the file. You'll need to figure out why that is. Could be permissions. Could be encoding.
t
Tony N
02/26/2020, 10:29 PMWell I'm at a loss then at this point. I've provided the certificate that's associated with the Fleet server, and the shared secret. I've even copied over the cert. file that works with my Ubuntu 18.04 workstation and still the server won't read the TLS cert file. I'm assuming its the correct format, its a ".pem" file which works in Ubuntu. Just don't understand why it won't work on the Windows box.
d
Display name
03/03/2020, 3:49 PMHi Tony -- total shot-in-the-dark, but IIR, I think I had some issues with Windows hosts if I had Windows-style line endings (CRLF) instead of Unix style (LF) in config files. I'm wondering it it's the same for the pem file? It's fully possible I'm mis-remembering or this has changed in an updated version of Osquery, but since you said you used Notepad, I thought I'd mention it.
t
Tony N
03/03/2020, 4:06 PMThank you @Display name for the idea. I'll have to go and take a look. I thought that I had directly copied over the PEM file from the server itself, but I've also just copied the certificate info over and pasted it into notepad. For my flag file I ensured that there were no extra spaces for each line which definitely helped, and it seems like osquery is accepting the file, but when it comes to reading the certificate file, it just doesn't like it. I'll keep you posted on my troubleshooting.