Cannot seem to get my Windows client to enroll into Fleet I

Question

Cannot seem to get my Windows client to enroll into Fleet I can access the Fleet login GUI page from my windows box so firewall should not be an issue Yet every time I try to check enrollment I receive Cannot Read TLS Server certificate

fbone · Answer

Here is the error

fbone · Answer

Here is my flags file

fbone · Answer

Also this is lab environment so security not really an issue can I add the enroll Secret directly into the osflags file instead of pointing it at the text file

fbone · Answer

Disregard just noticed that the file patch in the flags file has different directory then what is on disk likely the issue

jackjack · Answer

What s the cert you pinned on fleet server I ran into the same thing resolved it by using the full chain of cert on client and server+ca cert on fleet

zwass · Answer

< fbone> You have two issues One is that the enroll secret is empty and the other is that osquery can t read your TLS cert chain Probably both are caused by incorrect paths and or permissions

fbone · Answer

ok so the actual enroll secret should show up when it POST correct

fbone · Answer

thats what i figured but was not sure

zwass · Answer

Yes if you have ` tls dump` on which it looks like you do then osquery will show what it is actually sending If that is an empty string it means osquery is unable to read it

zwass · Answer

Or that the file is actually empty

fbone · Answer

super odd ill post the file one se

fbone · Answer

very odd

jackjack · Answer

Same thing here ```tls dump``` doesn t really tell us what secret is sending just telling us it s invalid enroll secret

seph · Answer

I don t know if it matters but you re initial screenshot was `osqueryi`