I have fleet deployed on Rancher 2.x. I modified the ingress from Layer4 loadbalancer to Layer 7. I can access Fleet on port 443. The ingress appears to be working correctly when accessing the web ui, however I am not able to register any Osquery agents. Using a CA signed server cert for Fleet. I receive a certificate verification failure message. I've read other posts where the LoadBalancer needs to support GRPC. Are there any specific ingress annotation that needs to be used at the ingress?

Have you tried passing the cert to osquery explicitly?

Yes, I've specified its path in a flag file

Have you tried the steps in https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md#how-do-i-fix-certificate-verify-failed-errors-from-osqueryd. In particular, are you passing the full cert chain?

1) I've specified the --tls_server_certs path 2) The cert CN matches the TLS endpoint FQDN 3) Fleet is behind a Layer 7 load balancer (nginx ingress on rancher) and the ingress is configured with that cert, which is provided to Osquery. 4) The certificate does verify with curl and openssl s_client . One possible wrinkle. Rancher by default doesn't have SSL passthrough enabled. Does Kolide need it? Also, have added ingress annotation: nginx.ingress.kubernetes.io/backend-protocol: "GRPC"

Try that. The error is from osquery and not Fleet. Osquery can be a bit finicky about the certs.

Update: using a PEM formatted CA signed kolide server cert that includes the CA bundle (intermediate CA certs) fixed the osquery enrollment issue.