Should roots.pem certificate match web UI certificate?

[flyingdan]

I recently ran into the the following issue:

After updating the certificate on the web interface with a properly signed one (not a self-signed one but one from Let's Encrypt in this case) the osquery clients lost connectivity to FleetDM. Checking client syslogs on a Linux host, the error was:

launcher[1060]: {"caller":"extension.go:494","err":"sending status logs: writing logs: transport error sending logs: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate signed by unknown authority\"","severity":"info","ts":"2021-12-22T05:08:11.827264388Z"}

I "Completely Uninstall(ed)" the launcher-final package, made sure the /etc/so-launcher directory on the client was removed as well, and re-downloaded the installation package from the Manager. After installing it, the package's version increased but the error above persisted. I was able to make the error go away and re-connect the client to FleetDM by replacing /etc/so-launcher/roots.pem with the web UI certificate I was using. I had to perform similar steps on Windows hosts.

It seems like the cert file delivered with osquery packages should be the same as the Web UI cert. Is this expected behavior and if so, any thoughts on why it's not being added to the packages even after regenerating them?

[flyingdan]

Looks like in

securityonion/salt/reactor/fleet.sls

Line 69 in afed0b7

"--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/{ IMAGEREPO }/so-fleet-launcher:{ VERSION }", \

the certificate referenced when building the packages is /etc/ssl/certs/intca.crt.

[defensivedepth]

Thanks @flyingdan for posting this amount of detail. We will look into this further based on the information you provided.

[Stephen-Ridgway]

We are also seeing this problem. Is there an update?

[3isenHeiM]

I am in the exact same situation as I setup a WebUI certificate (signed by the corporate rootCA) and now I see the exect same messages in the logs as well.

[ihuxn4hi]

Have either of you figured this out? I'm running into the same issue.

Thanks!