#kolide

Nick

12/05/2018, 6:24 PM
The CA that signed it is a local CA, do I need to include the entire chain?

groob

12/05/2018, 6:29 PM
yes

Nick

12/05/2018, 6:32 PM
So in the .pem file I specify in the flags file, this should include both the root CA and the fleet cert then, not two separate files?
6:32 PM
I added it to the certs.pem file but it didn't seem to take, I didn't know if both were used in conjunction

groob

12/05/2018, 6:33 PM
you need the root ca and any intermediaries on the client. you need the full chain on the server
6:33 PM
also the hostname must agree

Nick

12/05/2018, 6:38 PM
Getting the same error still. The domain root CA is installed on the windows host. The fleet server cert, signed by the domain CA, is specified in the flags file. Hostname agrees (just fleet.domain.com), accessing it on something like chrome from the same workstation returns no errors either.

groob

12/05/2018, 6:38 PM
accessing it on chrome means nothing as far as what osquery trusts
6:39 PM
mostly because osquery won't use system roots
6:39 PM
you're specifying a chain to osquery via a CLI flag. that chain should contain what's necessary for osquery to trust fleet
6:39 PM
does the pem file you provide to osqueryd have the CA? or just the leaf?

Nick

12/05/2018, 6:41 PM
It was just the leaf, let me try adding the domain CA certificate to the file.
6:41 PM
I've never had to specify an entire chain in one .pem, anything special or just append?

groob

12/05/2018, 6:42 PM

Nick

12/05/2018, 6:43 PM
It worked!
6:43 PM
You're a legend mate, thanks.
6:44 PM
I've been banging my head against that for the better part of today, I thought it was using the host's CA store as well.

groob

12/05/2018, 6:45 PM
if you don’t pass the flag at all, osqueryd should use the host CA store
6:45 PM
but idk if that’s true on windows, and is a relatively recent addition to osquery. i’m very used to just providing the full chain myself

Nick

12/05/2018, 6:45 PM
That's fair
6:46 PM
Any plans on launcher for windows in the near future? We're rolling out launcher for all of our linux hosts, but we also are supporting a ton of windows as well

groob

12/05/2018, 6:52 PM
near future == likely in december. we’re actively working on it
6:52 PM
in fact you can use it in master today. the only missing bit is the MSI which i’m working on today

Nick

12/05/2018, 6:58 PM
Oh that's awesome