The CA that signed it is a local CA do I need to include the

Question

The CA that signed it is a local CA do I need to include the entire chain

groob · Answer

yes

Nick · Answer

So in the pem file I specify in the flags file this should include both the root CA and the fleet cert then not two seperate files

Nick · Answer

I added it to the certs pem file but it didnt seem to take I didnt know if both were used in conjunction

groob · Answer

you need the root ca and any intermediaries on the client you need the full chain on the server

groob · Answer

also the hostname must agree

Nick · Answer

Getting the same error still The domain root CA is installed on the windows host The fleet server cert signed by the domain CA is specified in the flags file Hostname agrees just <http fleet domain com|fleet domain com> accessing it on something like chrome from the same workstation returns no errors either

groob · Answer

accessing it on chrome means nothing as far as what osquery trusts

groob · Answer

mostly because osquery wont use system roots

groob · Answer

you re specifying a chain to osquery via a CLI flag that chain should contain whats necessary for osquery to trust fleet

groob · Answer

does the pem file you provide to osqueryd have the CA or just the leaf

Nick · Answer

It was just the leaf let me try adding the domain CA certificate to the file

Nick · Answer

I ve never had to specify an entire chain in one pem anything special or just append

groob · Answer

this always works <https www digicert com ssl support pem ssl creation htm>

Nick · Answer

It worked

Nick · Answer

You re a legend mate thanks

Nick · Answer

I ve been banging my head against that for the better part of today I thought it was using the host s CA store as well

groob · Answer

if you don t pass the flag at all osqueryd should use the host CA store

groob · Answer

but idk if that s true on windows and is a relatively recent addition to osquery i m very used to just providing the full chain myself

Nick · Answer

Thats fair

Nick · Answer

Any plans on launcher for windows in the near future We re rolling out launcher for all of our linux hosts but we also are supporting a ton of windows as well

groob · Answer

near future == likely in december we re actively working on it

groob · Answer

in fact you can use it in master today the only missing bit is the MSI which i m working on today

Nick · Answer

Oh thats awesome