Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Mike S.
02/07/2023, 7:50 PMHi all - per my discussion with @roberto, I'm moving this convo back into the fleet channel for visibility. The issue is related to the error "Request error: certificate verify failed" - I'll put the details in the replies so it doesn't have a wall of text in here. 🙂
k
Kathy Satterlee
02/07/2023, 7:52 PMThanks @Mike S. !
m
Mike S.
02/07/2023, 8:26 PMSo the main issue is that when I attempt to enroll a client to the Fleet server, I get "Request error: certificate verify failed".
Using the --insecure flag works when enrolling, but for production we wouldn't want to use that method of enrollment.
Originally I was attempting to join a MacOS system to Fleet, and for an unknown reason it just started working after several weeks of this error occurring. The only change I'm aware of is an upgrade to Fleet as of a few days ago.
However, when I moved onto a fresh install of Ubuntu to attempt an enrollment, the same issue occurs, so I think the upgrade can be ruled out as a resolution. These troubleshooting steps have been tried:
• Verified that the certificate on the server and the certificate on the client are the same by checking the SHA256 hash. Both certs are in PEM format.
• Verified that the server hostname matches the SAN in the certificate.
• Ensured that the common name set in the TLS cert matches the FQDN of the server my flags file:
--tls_hostname=• Verified date/time was correct on server and client.
• openssl s_client -connect <fqdn>:443 -showcerts - No errors found in the connection attempt. Root, intermediate and entity cert found in connection.
One question - Does it matter how the cert is generated in the enrollment process?
I got this note from my cert admin when discussing potentially regenerating the certificate:
I was incorrect, Digicert stores the
server platformSo after writing all this, it looks like the Fleet package is working properly, so that's awesome! Hopefully the troubleshooting steps I put up there will be helpful for others!
Part of the reason the current Ubuntu join isn't working is that I'm attempting to join the host in a different way than using the Fleet package. I'm attempting to test the use case of the user already having osquery installed, and I'm using osqueryd to perform the join. So I'm assuming there's an issue with the flags I am using. Sorry for all the updates, I'll try to quiet down now. 🙂
k
Kathy Satterlee
02/07/2023, 9:44 PMThanks for all of the detailed information, This will absolutely help someone else down the road!! You're more than welcome to share your flagfile for the plain osquery setup if you'd like a hand troubleshooting that as well.
a
Adam Connor
02/07/2023, 10:08 PMMike this isn’t 100% relevant, but I found that the best way to handle this was to have Fleet using a ‘real’ certificate, then to delete the roots.pem and config references to the cert in the client.
This makes the client use it’s own trust chain, so if your computer trusts the cert, it will ‘just work’.