Can I please ask about ‘best practise’ for using TLS for client enrolment.
Looking at the Fleet docs, part of the install is to generate your own self-signed TLS cert, then use that for client auth. But this then requires you to use the -insecure flag on the client to stop it from validating the cert.
It doesn’t sound horrible to spend ~$10 to get a real one (or use letsencypt?) but it does seem less than ideal to re-install clients on expiry.
Should I just not worry about this?
2 weeks ago
reposted in #fleet for you bruhYou don’t have to use the -insecure flag because you package your fleet.pem certificate of your fleet server with osquery and it uses that as the root of trust.Let’s encrypt is not really feasible because it expires every 3 months and if you have agents going offline etc when they come back online maybe the cert is expired! Logistical nightmare.