# kolide
f
Cannot seem to get my Windows client to enroll into Fleet, I can access the Fleet login GUI page from my windows box, so firewall should not be an issue. Yet every time I try to check enrollment, I receive Cannot Read TLS Server certificate
Here is the error
Here is my flags file
Also, this is a lab environment so security is not really an issue. Can I add the enroll secret directly into the osflags file instead of pointing it at the text file?
Disregard, just noticed that the file path in the flags file has a different directory than what is on disk, likely the issue.
j
What’s the cert you pinned on fleet server? I ran into the same thing and resolved it by using the full chain of cert on client and server+ca cert on fleet
z
@fbone You have two issues. One is that the enroll secret is empty and the other is that osquery can't read your TLS cert chain. Probably both are caused by incorrect paths and/or permissions.
f
ok so the actual enroll secret should show up when it POSTs, correct?
that's what I figured but was not sure
z
Yes, if you have --tls_dump on, which it looks like you do, then osquery will show what it is actually sending. If that is an empty string it means osquery is unable to read it.
Or that the file is actually empty.
f
super odd, I'll post the file one sec
very odd
j
Same thing here...
tls_dump doesn’t really tell us what secret is sending, just telling us it’s invalid enroll secret
s
I don’t know if it matters, but your initial screenshot was osqueryi.