Regenerate x509 certs for fleet on IP change

[0xv1n]

Looking for some guidance here. I've run IP update, as I recently moved my SO deployment to a new subnet. Everything is working great with the exception of my fleet.

I'm seeing the following error in Windows Application logging:

caller=log.go:124 ts=2022-04-10T22:50:27.4897689Z caller=teelogger.go:25 level=info caller=updater.go:112 msg="updater interrupted" err="enrolling host: transport error in enrollment: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate is valid for 192.168.1.13, not 192.168.51.2\""

Runnin sudo cat /opt/so/saltstack/local/salt/fleet/packages/launcher.flags returns:

enroll_secret_path /etc/so-launcher/secret
hostname 192.168.51.2:8090
root_directory /var/so-launcher/securityonion
osqueryd_path /usr/local/so-launcher/bin/osqueryd
root_pem /etc/so-launcher/roots.pem
autoupdate
update_channel stable

x@seconion:~$ sudo salt-call pillar.get global
local:
----------
airgap:
False
dockernet:
172.17.0.0
fleet_custom_hostname:
192.168.51.2
fleet_hostname:
seconion
fleet_ip:
192.168.51.2
fleet_manager:
True

At a loss here, everything config-wise seems like it should be using "192.168.51.2", but for some reason the Windows Agent (even after rebuilding the agents with the new IP) seem to still use an old cert. Is there a way to manually regenerate the fleet cert to use the new IP? As a follow-up, what is the correct way to remove a custom hostname for fleet? I just am now seeing at somepoint I may have run a command to set a custom hostname that's actually the IP of the manager node.

Steps I've taken

• Delete existing fleet keys in /etc/pki
• run highstate to regen keys
• rebuilt agent, still attempting to use old IP

[defensivedepth]

Is this a Standalone? ISO or Network install?

I'm assuming 1.13 is the old IP?

On the Manager, try the following:

sudo rm -f /etc/pki/managerssl.crt
sudo salt-call state.apply ssl,nginx

[0xv1n]

Don't know if the context helps triage this but I noticed the roots.pem that gets thrown into C:\Program Files\Kolide\Launcher-so-launcher\conf after running the MSI is using an older signing date that doesn't match the newly generated managerssl.crt

Also ran sha256sum on everything in /etc/pki and it looks like the roots.pem that is dropped from the MSI matches the sha256 hash for ca.crt not managerssl.crt. Can I regenerate ca.crt the same way as above? Don't wanna brick my installation.

[defensivedepth]

@n0leptr Let's bounce the nginx container before trying anything else:

so-nginx-restart --force

[0xv1n]

@defensivedepth Host shows up in FleetDM now! Will update in an hour after everything runs for the first time, but for now the hosts look like they're checking in. Thanks for the assist here!

[defensivedepth]

Ok great!

[amorphys]

I have similar problem for me is regarding the ssl cert for web ui i changed everything was ok until i discovered that fleet agents does not comunicate anymore with server they appear offline
i investigate and appear that cert is not signed anyomore by trust "authentication handshake failed: x509: certificate signed by unknown authority"" took=0s"
Can you explain me what you did here :" Ran commands on manager, parsed out x509 cert and verified:
subjectAltName :
dns:seconion,ip:192.168.51.2,dns:192.168.51.2"