So I'm attempting to enroll into a newly built Fleet instance but I keep running into the following error.

Failed enrollment request to <https://fleetserver.com/api/v1/osquery/enroll> (Request error: certificate verify failed) retrying...

I have my Osquery

--tls_server_certs

config flag set to use one of the same TLS certs that NGINX uses for SSL on the server, and Fleet is running without issues... what could I be doing wrong here? The following also pops up as an error.

E0401 23:08:37.819293 31502 init.cpp:593] Cannot activate tls logger plugin: No node key, TLS logging disabled.

Check out https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md#how-do-i-fix-certificate-verify-failed-errors-from-osqueryd

Thanks for the reply 👍 I thought that having a working

.cer

and .key set with NGINX automatically mean't that I can use

--tls_server_certs

and point it to the same

.cer

Did you go through the debugging steps? You can still encounter problems such as the full cert chain not being included or the cname not matching.

The first initial issue that I found when going through the troubleshooting docs was the results I got from running curl

* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: <https://curl.haxx.se/docs/sslcerts.html>

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and

Try adding

--cacert /path/to/full/cert/chain

to the

curl

command

Just to circle back an thank you for the guidance @zwass, all my issues did turn out to be not having the full cert chain configured correctly. Got everything fixed and working 🙌