#kolide

Ronnie

04/02/2019, 1:23 AM
So I'm attempting to enroll into a newly built Fleet instance but I keep running into the following error.
Failed enrollment request to <https://fleetserver.com/api/v1/osquery/enroll> (Request error: certificate verify failed) retrying...
I have my Osquery --tls_server_certs config flag set to use one of the same TLS certs that NGINX uses for SSL on the server, and Fleet is running without issues... what could I be doing wrong here? The following also pops up as an error.
E0401 23:08:37.819293 31502 init.cpp:593] Cannot activate tls logger plugin: No node key, TLS logging disabled.

Ronnie

04/02/2019, 1:43 AM
Thanks for the reply 👍 I thought that having a working .cer and .key set with NGINX automatically meant that I can use --tls_server_certs and point it to the same .cer

zwass

04/02/2019, 1:44 AM
Did you go through the debugging steps? You can still encounter problems such as the full cert chain not being included or the cname not matching.

Ronnie

04/02/2019, 1:48 AM
The first initial issue that I found when going through the troubleshooting docs was the results I got from running curl
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: <https://curl.haxx.se/docs/sslcerts.html>

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and

zwass

04/02/2019, 1:54 AM
Try adding --cacert /path/to/full/cert/chain to the curl command

Ronnie

04/06/2019, 1:47 AM
Just to circle back and thank you for the guidance @zwass, all my issues did turn out to be not having the full cert chain configured correctly. Got everything fixed and working 🙌