Channels
- s
Sujit Jagdev
2 years agoNeed some noobie help. I0412 14:08:38.742949 11449 tls.cpp:253] TLS/HTTPS POST request to URI: https://localhost:8080/api/v1/osquery/enroll W0412 14:08:38.750748 11449 tls_enroll.cpp:76] Failed enrollment request to https://localhost:8080/api/v1/osquery/enroll (Request error: certificate verify failed) retrying... Any advice? 
SK
2 years agoYou will need to put the whole cert chain in the cert file for the OSQuery agent.- x
xiaoliuzi
2 years agoI am a newbie, how to put the whole cert chain in the cert file for the OSQuery agent. SK
2 years ago@xiaoliuziDid you fix it already? Just saw your message.- x
xiaoliuzi
2 years agono no no ,I do not fix it. What method do you have? SK
2 years agoYou will need to put the whole cert chain in the cert file for the osquery agent to work- x
xiaoliuzi
2 years agoThe server.pem and enroll_secret?
I use this.
sudo osqueryd \ --enroll_secret_path=/var/osquery/enroll_secret \ --tls_server_certs=/var/osquery/server.pem \ --tls_hostname=192.168.10.101:8080 \ --host_identifier=192.168.10.103 \ --enroll_tls_endpoint=/api/v1/osquery/enroll \ --config_plugin=tls \ --config_tls_endpoint=/api/v1/osquery/config \ --config_refresh=10 \ --disable_distributed=false \ --distributed_plugin=tls \ --distributed_interval=10 \ --distributed_tls_max_attempts=3 \ --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \ --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \ --logger_plugin=tls \ --logger_tls_endpoint=/api/v1/osquery/log \ --logger_tls_period=10 SK
2 years agoIn the pem you will need to add also the root ca- x
xiaoliuzi
2 years agoShould I copy the root ca to pem? SK
2 years agoyes and all intermediate for the kolide server, the osquery agent needs the whole chain to be able to authenticate- x
xiaoliuzi
2 years agoThe kolide server and osquery are on the same LAN. Are there any intermediate products? SK
2 years agoWith intermediate I mean possible intermediate CAs in your cert-chain, so root CA and all intermediate CAs and than kolide cert- x
xiaoliuzi
2 years agoE0416 23: 11: <tel:194864386129|19.486438 6129 init.cpp: 509] Cannot activate tls logger plugin: No node key, TLS logging disabled. Why is this? SK
2 years ago--host_identifier should be the value 'uuid' or 'hostname' not an IP address, or remove the whole line it will default to hostname, maybe this helps your issue.
And probably --tls_hostname should be the systemname used to create the cert- x
xiaoliuzi
2 years agothanks, I have fixed this problem。 - s
Shantanu
1 year agoI am facing a similar problem. Where can I find the root ca? SK
1 year agoHey @Shantanu root CA should be available when you navigate to Kolide webpage.- s
Shantanu
1 year agoDo you mean the kolide server webpage or the kolide website? SK
1 year agoYour kolide server webpage, you should be able to download the cert chain from there.- s
Shantanu
1 year agoIs it the same in case of self signed certs? I am able to add ubuntu hosts to fleet using the pem file I get from the kolide server when I click on add new hosts. This error pops up only while adding windows host using the same pem file. SK
1 year ago@Shantanu not sure about that. If it works for Ubuntu it should work for Windows I guess. Check in the #windows channel if anyone else has experienced this.
View count: 1