#kolide
fbone

02/04/2020, 8:22 PM
Cannot seem to get my Windows client to enroll into Fleet. I can access the Fleet login GUI page from my Windows box, so firewall should not be an issue. Yet every time I try to check enrollment, I receive "Cannot Read TLS Server certificate".
8:22 PM
Here is the error
8:23 PM
Here is my flags file
8:26 PM
Also, this is a lab environment so security is not really an issue. Can I add the enroll secret directly into the osflags file instead of pointing it at the text file?
8:31 PM
Disregard, just noticed that the file path in the flags file has a different directory than what is on disk; likely the issue.
jackjack

02/04/2020, 9:06 PM
What's the cert you pinned on the Fleet server? I ran into the same thing; resolved it by using the full chain of cert on client and server + CA cert on Fleet.
zwass

02/04/2020, 9:09 PM
@fbone You have two issues. One is that the enroll secret is empty and the other is that osquery can't read your TLS cert chain. Probably both are caused by incorrect paths and/or permissions.
fbone

02/04/2020, 9:10 PM
OK, so the actual enroll secret should show up when it POSTs, correct?
9:10 PM
That's what I figured but was not sure.
zwass

02/04/2020, 9:11 PM
Yes, if you have --tls_dump on, which it looks like you do, then osquery will show what it is actually sending. If that is an empty string it means osquery is unable to read it.
9:11 PM
Or that the file is actually empty.
fbone

02/04/2020, 9:11 PM
Super odd, I'll post the file one sec.
9:12 PM
Very odd.
jackjack

02/04/2020, 9:23 PM
Same thing here... tls_dump doesn't really tell us what secret it's sending, just telling us it's an invalid enroll secret.
seph

02/04/2020, 9:29 PM
I don't know if it matters, but your initial screenshot was osqueryi.