fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Can't turn on Windows MDM. Please configure Fleet with a certificate and key pair first. #19821

Closed Stefan2142 closed 2 months ago

Stefan2142 commented 2 months ago

Fleet version: 4.51.1

Web browser and operating system: Chrome 125.0.6422.176 running on macOS Sonoma


💥  Actual behavior

Like the title says, when I try to enable the MDM I get the error: "Please configure Fleet with a certificate and key pair first." I have generated the certificate and the key using this guide. My Fleet is set up on an Ubuntu DigitalOcean droplet using the recently made Ubuntu guide for setting up Fleet. I know that the guide says to use Certbot and Let's Encrypt, but since I don't have a domain I have created the certificates like in the windows-mdm-setup guide using openssl...

Fleet works in general but I just can't turn on MDM for Windows devices. I have also managed to create a .msi file, although I had to pass the "--insecure" flag in the fleetctl command because using --debug I found out that when the agent is installed on the host, it wouldn't work at all.

Here is also my current fleet.config file:

mysql:
  address: 127.0.0.1:3306
  database: fleet
  username: fleet
  password: FleetDMPW!
redis:
  address: 127.0.0.1:6379
server:
  address: 0.0.0.0:4443
  cert: /root/workspace/fleet-mdm-win-wstep.crt
  key: /root/workspace/fleet-mdm-win-wstep.key
  websockets_allow_unsafe_origin: true # This is needed for Live Query functionality to work with the nginx reverse proxy we are using
  mdm:
  windows_enabled_and_configured: true

(I have double-checked that the paths to those files exist.)

I have also tried with ChatGPT to generate the certificate and the key, and it used the command (where instead of YOUR_IP_ADDRESS I put in my web server IP): sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/fleet-selfsigned.key -out /etc/ssl/certs/fleet-selfsigned.crt -subj "/CN=YOUR_IP_ADDRESS"

which also didn't allow me to enable MDM.

I have also compared the MD5 hash between the .key and the .crt and they match.

I have also tried exporting the .key and .crt contents into the environment variables FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT/KEY_BYTES, but that didn't work either.

[New server environment] I have even bought a domain on Namecheap and bound it to my new server (waited for the DNS propagation to become green). Followed the Ubuntu guide again; this time I have created a certificate with certbot. Again, Fleet works but I still get that message. Fleet is on https://19932142.xyz:4443

Here is the fleet.config of that new server:
mysql:
  address: 127.0.0.1:3306
  database: fleet
  username: fleet
  password: FleetPW!
redis:
  address: 127.0.0.1:6379
server:
  address: 0.0.0.0:4443
  cert: /etc/letsencrypt/live/19932142.xyz/fullchain.pem
  key: /etc/letsencrypt/live/19932142.xyz/privkey.pem
  websockets_allow_unsafe_origin: true # This is needed for Live Query functionality to work with the nginx reverse proxy we are using

What more can I try here?

lucasmrod commented 2 months ago

Hi @Stefan2142!

I have also tried exporting the .key and .crt contents into the environment variables FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT/KEY_BYTES, but that didn't work either.

This should work. On my local setup I use the following:

I generate a random private key (run just once), example:

openssl rand -base64 32
7RU+fLBOpK+/CzWh3Wno+nBGfOm00o+0rvAN0dhSLyw=

The following is the server yml:

server:
  # WARNING: just an example, you must generate one yourself and keep it private:
  private_key: 7RU+fLBOpK+/CzWh3Wno+nBGfOm00o+0rvAN0dhSLyw=
mdm:
  windows_wstep_identity_cert_bytes: <contents of your fleet-mdm-win-wstep.crt file>
  windows_wstep_identity_key_bytes: <contents of your fleet-mdm-win-wstep.key file>

Let me know if this helps with the "Please configure Fleet with a certificate and key pair first" error.

PS: We will be updating the docs with the new requirements soon.
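Before pasting a pair into `windows_wstep_identity_cert_bytes` / `windows_wstep_identity_key_bytes` (or the `FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES` / `_KEY_BYTES` variables), it is worth verifying that the key really belongs to the certificate and is still valid. The Go check below is an added example, not Fleet's own code; `CheckWSTEPIdentity` and `selfSigned` are names chosen here, and the pair it validates is constructed in-process rather than read from the files in the thread.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckWSTEPIdentity runs the checks you would want before handing a pair to the
// WSTEP identity settings: key is PEM, key matches the cert, cert is valid now.
// It returns the key's PEM block type so PKCS#1 ("RSA PRIVATE KEY") and
// PKCS#8 ("PRIVATE KEY") can be told apart when comparing notes in a thread.
func CheckWSTEPIdentity(certPEM, keyPEM []byte) (keyType string, err error) {
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return "", errors.New("key is not PEM")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails if key does not match cert
	if err != nil {
		return kb.Type, fmt.Errorf("cert/key pair rejected: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return kb.Type, err
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return kb.Type, errors.New("certificate is expired or not yet valid")
	}
	return kb.Type, nil
}

// selfSigned builds a throwaway RSA key and self-signed cert (constructed test data).
func selfSigned(cn string) (certPEM, keyPEM []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM
}
func main() {
	cert, key := selfSigned("fleet-mdm-win-wstep")
	fmt.Println(CheckWSTEPIdentity(cert, key)) // RSA PRIVATE KEY <nil>
}
```

To check a real pair, read the .crt and .key files into the two byte slices instead of calling `selfSigned`.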

georgekarrv commented 2 months ago

Please let us know if there are any other issues. I will close this ticket but feel free to re-open if the issue is still present.

fleet-release commented 2 months ago

Windows MDM turned on, Keys open skies of secure, Fleet flies, tasks are done.

darkness-96 commented 1 month ago

Same problem here: "Please configure Fleet with a certificate and key pair first" in journalctl. Cert and key have been provided in the env file. I also checked that the environment variables are loaded correctly and validated them with openssl. All seems to be okay, but I'm not able to turn on MDM.

ScionOfDesign commented 1 month ago

I initially had issues, but all I needed to do was set the two environment variables mentioned above, FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES and FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES, to a valid RSA certificate and key. (The key starts with -----BEGIN RSA PRIVATE KEY-----)

Now it works.

darkness-96 commented 1 month ago

Thanks for your help.

I'm using PATH to set the two environment variables.

As mentioned in the docs, using a path in the variables requires removing "_BYTES".

If I do that, fleet.service doesn't start. The only way to start is to replace "_BYTES" by "_PATH".

Even if fleet.service is started, I always have "Please configure Fleet with a certificate and key pair first" in journalctl.

darkness-96 commented 1 month ago

I think there is a bug in the Fleet GUI. MDM is up on Windows and Fleet sees it in the MDM status (refer to the screenshot), despite the message "Couldn't turn on Windows MDM. Please configure Fleet with a certificate and key pair first." when I try to turn on MDM in the settings.

Otherwise, I can't turn on MDM for Mac because it's impossible to generate a CSR if Fleet doesn't see the certificate.