Hi team how do I determine what certificate is provided to a osquery #fleet

Hi team - how do I determine what certificate is p...

Mike S.

02/01/2023, 5:10 PM

Hi team - how do I determine what certificate is provided to a client when enrolling to my FleetDM server? When downloading the certificate from FleetDM, it is a different certificate than what I have in my fleet.config file, and while both are valid, I think it is causing an issue in the enrollment process.

Mike S.

02/01/2023, 8:16 PM

I think I've got this sorted out, sorry for the trouble! However I am still having issues with the certificate verification during the enrollment process. I'm putting together some details.

Mike S.

02/01/2023, 8:22 PM

(Request error: certificate verify failed) error. I've done the following troubleshooting: • Verified that the certificate on the server and the certificate on the client are the same by checking the SHA256 hash. Both certs are in PEM format. • Verified that the server hostname matches the SAN in the certificate. • Ensured that the common name set in the TLS cert matches the FQDN of the server my flags file:

--tls_hostname=

• Verified that the osquery.flags file on the client has the --tls_server_certs flag set and that the path to the cert is correct. • Verified that the cert itself is valid - I am able to access our web GUI without any certificate error being issued. • Downloaded certificate from server (using Advanced option under Add Hosts) and used that in the enrollment process. No change. Sorry for the long post, just running out of ideas!

Mike S.

02/01/2023, 8:25 PM

Here's the flags file, if that helps. --tls_hostname=<FQDN removed> --tls_server_certs=/opt/orbit/fleet.pem # Enrollment --host_identifier=instance --enroll_secret_path=/opt/orbit/secret.txt --enroll_tls_endpoint=/api/v1/osquery/enroll # Configuration --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 # Live query --disable_distributed=false --distributed_plugin=tls --distributed_interval=10 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write # Logging --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10 # File carving --disable_carver=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/blocki --carver_block_size=2000000

roberto

02/01/2023, 8:29 PM

thanks so much for the details! do you have access/can share some of the logs? here's where to find them also, can you share more details about how the enrollment process is failing? that might also gives us a thread to pull

Mike S.

02/01/2023, 8:37 PM

Thanks for your help! So the enrollment process is failing in that the enrollment only partially completes, for lack of a better explanation. We see the host join Fleet in the GUI, but there's no name, no OS, no identifying data. It shows that it is online for around 1 minute and then goes offline.

Kathy Satterlee

02/02/2023, 5:52 PM

@Mike S. Can you generate a package with the

--debug

flag included? That should give a more detailed error message.

Kathy Satterlee

02/02/2023, 7:59 PM

Thanks! I'll be stepping away for the day due to internet issues (annual Texas winter weather event strikes again!) and am sharing that with the team.

Mike S.

02/02/2023, 8:00 PM

No problem, I appreciate all your team has done to help! Stay safe out there!

3 Views

Open in Slack

Previous Next