#kolide

Tony N

02/25/2020, 9:15 PM
Hi, I have a quick question regarding connecting a workstation to a Fleet server. I've set up my "flags" file and am pointing to the shared secret, the TLS certificate, and the IP address of the server. However, when I run the osqueryd app I get the following error:

cpp:108] Cannot read TLS server certificate(s): "c:\Program Files\osquery\kolide.pem"

Any thoughts on what I'm missing? Does the certificate file have to have a certain format?
zwass

02/25/2020, 9:41 PM
Does the file exist? Does osqueryd have permissions to read it? The file should be in a normal PEM format.
Tony N

02/25/2020, 9:54 PM
Yes the file is there. You bring up a good question regarding permissions. I'm assuming that it does, but I'll double check. I was just wondering if there was also a certain encoding issue that I might be running into. I'm just using "Notepad" which normally uses UTF-8 encoding.
9:55 PM
What would be the best way to check on those permissions?
9:58 PM
Here is the readout when I use "--verbose":

C:\Windows\system32>osqueryd.exe --verbose --flagfile="C:\Program Files\osquery\osquery.flags"
I0225 14:56:55.412991 492 init.cpp:340] osquery initialized [version=4.2.0]
I0225 14:56:55.450927 492 system.cpp:330] Found stale process for osqueryd (2676)
I0225 14:56:55.450927 492 system.cpp:362] Writing osqueryd pid (1544) to \Program Files\osquery\osqueryd.pidfile
I0225 14:56:55.473908 492 extensions.cpp:349] Could not autoload extensions: Failed reading: \Program Files\osquery\extensions.load
I0225 14:56:55.473908 5492 watcher.cpp:583] osqueryd watcher (1544) executing worker (5436)
I0225 14:56:55.521196 4764 init.cpp:337] osquery worker initialized [watcher=1544]
I0225 14:56:55.521196 4764 rocksdb.cpp:131] Opening RocksDB handle: \Program Files\osquery\osquery.db
I0225 14:56:55.599743 4764 tls_enroll.cpp:69] TLSEnrollPlugin requesting a node enroll key from: https://192.168.1.10:8080/api/v1/osquery/enroll
I0225 14:56:55.599743 5672 interface.cpp:268] Extension manager service starting: \.\pipe\osquery.em
I0225 14:56:55.599743 4764 system.cpp:289] Using host identifier: D8F242BE-9FA7-4402-9736-6E4A3169205D
Thrift: Tue Feb 25 14:56:55 2020 Client connected.
Thrift: Tue Feb 25 14:56:55 2020 Client connected.
Thrift: Tue Feb 25 14:56:55 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Tue Feb 25 14:56:55 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Tue Feb 25 14:56:55 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
Thrift: Tue Feb 25 14:56:55 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
I0225 14:56:56.693370 4764 tls.cpp:253] TLS/HTTPS POST request to URI: https://192.168.1.10:8080/api/v1/osquery/enroll
W0225 14:56:56.693370 4764 tls.cpp:100] Cannot read TLS server certificate(s): "c:\Program Files\osquery\kolide.pem"
W0225 14:56:57.052332 4764 tls_enroll.cpp:76] Failed enrollment request to https://192.168.1.10:8080/api/v1/osquery/enroll (Request error: certificate verify failed) retrying...
zwass

02/26/2020, 2:19 AM
It seems pretty clear that osquery can't read the file. You'll need to figure out why that is. Could be permissions. Could be encoding.
Tony N

02/26/2020, 10:29 PM
Well, I'm at a loss at this point. I've provided the certificate that's associated with the Fleet server, and the shared secret. I've even copied over the cert file that works with my Ubuntu 18.04 workstation and still the server won't read the TLS cert file. I'm assuming it's the correct format; it's a ".pem" file which works in Ubuntu. Just don't understand why it won't work on the Windows box.
Display name

03/03/2020, 3:49 PM
Hi Tony -- total shot in the dark, but IIRC, I think I had some issues with Windows hosts if I had Windows-style line endings (CRLF) instead of Unix-style (LF) in config files. I'm wondering if it's the same for the pem file? It's fully possible I'm misremembering or this has changed in an updated version of osquery, but since you said you used Notepad, I thought I'd mention it.
Tony N

03/03/2020, 4:06 PM
Thank you @Display name for the idea. I'll have to go and take a look. I thought that I had directly copied over the PEM file from the server itself, but I've also just copied the certificate info over and pasted it into Notepad. For my flag file I ensured that there were no extra spaces on each line, which definitely helped, and it seems like osquery is accepting the file, but when it comes to reading the certificate file, it just doesn't like it. I'll keep you posted on my troubleshooting.