I'm pulling the error log now.

"component":"http","err":": Authentication required","internal":" authentication error: invalid orbit node key","level":"info","path":"/api/fleet/orbit/config","ts":"2023-01-24T19:58:26.821710023Z"} {"hostID":1,"level":"info","ts":"2023-01-24T19:58:26.964969142Z"} {"component":"http","err":"Requires Fleet Premium license","ip_addr":"&lt;IP&gt;","level":"error","method":"GET","took":"1.46443ms","ts":"2023-01-24T19:58:27.550638717Z","uri":"/api/latest/fleet/device/4c153ef3-64aa-4b21-ae04-0b2e97aad5f0/desktop","x_for_ip_addr":"<IP>"} {"err":"host 1 with empty platform","level":"error","ts":"2023-01-24T19:59:17.468252549Z"} {"err":"host 1 with empty platform","level":"error","ts":"2023-01-24T19:59:18.524011199Z"} {"err":"host 1 with empty platform","level":"error","ts":"2023-01-24T19:59:19.586713516Z"} {"err":"host 1 with empty platform","level":"error","ts":"2023-01-24T19:59:20.644208803Z"} {"err":"host 1 with empty platform","level":"error","ts":"2023-01-24T19:59:21.698893489Z"} {"err":"host 1 with empty platform","level":"error","ts":"2023-01-24T19:59:47.557048459Z"} {"cron":"integrations","level":"info","schedule":"integrations","status":"pending","ts":"2023-01-24T20:00:00.022559417Z"} {"cron":"integrations","level":"info","schedule":"integrations","status":"completed","ts":"2023-01-24T20:00:00.029790451Z"}

I can confirm that IP resolves to the correct DNS entry, so I think we're good there.

No iptables issues, UFW is disabled (Ubuntu) on the server.

On the EC2 instance, we are allowing all 443 outbound, and 443 inbound from the test workstation.

And what are you seeing in the Fleet server logs?

Looks like the same issue on my end, digging in.

Can you show me the latest log in Fleet referencing

/api/fleet/orbit/enroll

?

It looks like requests might not be making it to Fleet. I attempted sending a

curl

request and got no response. Are you using a load balancer, or anything else that might be restricting access?

Let me unblock that and give it another go!

Looks like the connection is being refused now. Is there a configuration in fleet where I need to serve up port 80?

Here's my flags file, if that helps: # Server --tls_hostname=fleetdm.pluralsight.com --tls_server_certs=fleet.pem # Enrollment --host_identifier=instance --enroll_secret_path=/opt/orbit/secret.txt --enroll_tls_endpoint=/api/v1/osquery/enroll # Configuration --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 # Live query --disable_distributed=false --distributed_plugin=tls --distributed_interval=10 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write # Logging --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10 # File carving --disable_carver=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/blocki --carver_block_size=2000000 ~

One sec. verifying that I'm not doing something silly with the endpoint.

Or are you looking at the outgoing port?

Ok so THAT works 🙂

So the enrollment API is accessible.

Good stuff! Now I'm seeing a useful error in the osquery logs:

enroll failed, retrying error="enroll request: POST /api/fleet/orbit/enroll received status 500 no matching secret found: no matching secret found

Any chance that the enroll secret has been changed or removed?

Secret looks like the same as the one I DM'd you previously

Just to recap for posterity, the secret issue was totally on my end and there's still some certificate funkiness going on. Since this is a dev environment, the simplest solution was to take advantage of the

--insecure

flag to get around that until things are flowing properly there.

Nice meeting with you, have fun poking around!