I actually used valid LetsEncrypt and still had to specify the entire chain. I guess intermediate CAs break it?

On which platform? Normally you should not have to specify the cert manually if you use a valid LetsEncrypt cert.

Windows, was a while ago so can’t rerpo unfortunately

Ah I think that issue may have been resolved in osquery within the last year or so. Could be fixed.

Just a follow-up. Latest version of both osquery & Fleet and I still have to specify the entire LetsEncrypt chain.

Yes -- on Windows osquery still does not use the system trusted certs. A default osquery install includes a cert bundle that can be used and I think would work with LetsEncrypt.

default Windows osquery install (4.1.1) and I don't see the cert bundle anywhere - there is a

certs

folder but nothing in it.

Ah, I'll file an issue on that.