#kolide
Flngen Flugen

06/11/2019, 12:18 AM
I have Fleet deployed on Rancher 2.x. I modified the ingress from a Layer 4 load balancer to Layer 7. I can access Fleet on port 443. The ingress appears to be working correctly when accessing the web UI; however, I am not able to register any osquery agents. I'm using a CA-signed server cert for Fleet. I receive a certificate verification failure message. I've read other posts where the load balancer needs to support gRPC. Are there any specific ingress annotations that need to be used at the ingress?
zwass

06/11/2019, 12:19 AM
Have you tried passing the cert to osquery explicitly?
Flngen Flugen

06/11/2019, 12:29 AM
Yes, I've specified its path in a flag file.
zwass

06/11/2019, 12:38 AM
Flngen Flugen

06/11/2019, 4:25 AM
1) I've specified the --tls_server_certs path.
2) The cert CN matches the TLS endpoint FQDN.
3) Fleet is behind a Layer 7 load balancer (nginx ingress on Rancher) and the ingress is configured with that cert, which is provided to osquery.
4) The certificate does verify with curl and openssl s_client.

One possible wrinkle: Rancher by default doesn't have SSL passthrough enabled. Does Kolide need it? Also, I have added the ingress annotation: nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
4:40 AM
@zwass, are you asking whether I'm passing a cert + the CA intermediate chain? I tried that and received a format error. But as I write this I realize it was a p7b format and Kolide needs PEM format. I'll retry and report back.
zwass

06/11/2019, 4:06 PM
Try that. The error is from osquery and not Fleet. osquery can be a bit finicky about the certs.
Flngen Flugen

06/11/2019, 10:10 PM
Update: using a PEM-formatted, CA-signed Kolide server cert that includes the CA bundle (intermediate CA certs) fixed the osquery enrollment issue.