Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
n
Nick
12/05/2018, 6:24 PMThe CA that signed it is a local CA, do I need to include the entire chain?
g
groob
12/05/2018, 6:29 PMyes
n
Nick
12/05/2018, 6:32 PMSo in the .pem file I specify in the flags file, this should include both the root CA and the fleet cert then, not two seperate files?
I added it to the certs.pem file but it didnt seem to take, I didnt know if both were used in conjunction
g
groob
12/05/2018, 6:33 PMyou need the root ca and any intermediaries on the client. you need the full chain on the server
also the hostname must agree
n
Nick
12/05/2018, 6:38 PMGetting the same error still. The domain root CA is installed on the windows host. The fleet server cert, signed by the domain CA, is specified in the flags file.
Hostname agrees (just fleet.domain.com), accessing it on something like chrome from the same workstation returns no errors either.
g
groob
12/05/2018, 6:38 PMaccessing it on chrome means nothing as far as what osquery trusts
mostly because osquery wont use system roots
you’re specifying a chain to osquery via a CLI flag. that chain should contain whats necessary for osquery to trust fleet
does the pem file you provide to osqueryd have the CA? or just the leaf?
n
Nick
12/05/2018, 6:41 PMIt was just the leaf, let me try adding the domain CA certificate to the file.
I've never had to specify an entire chain in one .pem, anything special or just append?
g
groob
12/05/2018, 6:42 PMthis always works https://www.digicert.com/ssl-support/pem-ssl-creation.htm
n
Nick
12/05/2018, 6:43 PMIt worked!
You're a legend mate, thanks.
I've been banging my head against that for the better part of today, I thought it was using the host's CA store as well.
g
groob
12/05/2018, 6:45 PMif you don’t pass the flag at all, osqueryd should use the host CA store
but idk if that’s true on windows, and is a relatively recent addition to osquery. i’m very used to just providing the full chain myself
n
Nick
12/05/2018, 6:45 PMThats fair
Any plans on launcher for windows in the near future? We're rolling out launcher for all of our linux hosts, but we also are supporting a ton of windows as well
g
groob
12/05/2018, 6:52 PMnear future == likely in december. we’re actively working on it
in fact you can use it in master today. the only missing bit is the MSI which i’m working on today
n
Nick
12/05/2018, 6:58 PMOh thats awesome