Velo Windows Agent error x509: certificate signed by unknown authority


Iggy Zofrin

Jul 11, 2022, 8:29:12 PM
to velociraptor-discuss
Hi Mike,
I am trying to set up my own CA-signed Velociraptor server "veloserver.iggycorp.net" frontend.
I am having a problem with Windows agent to server certificate trust. I may have missed something along the way and can't figure it out.

This is what I have done so far:
1. Signed veloserver.crt with Intermediate CA

2. Installed Root CA certificate in Windows Computer certificate store > Trusted Root Authorities

3. Put a server certificate at /velociraptor/config/veloserver.crt, which contains:
client b64
intermediate b64

4. Changed these in server.config.yaml:
Client:
Frontend:
  hostname: veloserver.iggycorp.net
  tls_certificate_filename: /velociraptor/config/veloserver.crt
  tls_private_key_filename: /velociraptor/config/veloserver.key
  dns_name: veloserver.iggycorp.net

5. Changed these in client.config.yaml:
Client:
  server_urls:
  - https://veloserver.iggycorp.net:8000/
  use_self_signed_ssl: false
  pinned_server_name: veloserver.iggycorp.net

Debug from windows client shows:
Velociraptor.exe --config client.config.yaml client -v
This is Velociraptor 0.6.5 built on 2022-06-22T16:57:49+10:00 (5772dc32)
Loading config from file Enrichment.client.config
Loading writeback from C:\Program Files\Enrichment\Enrichment.writeback.yaml
Starting Crypto for client C.0d50b22aab8cf13a
Starting Journal service.
Starting nanny with MaxConnectionDelay 10m0s and MaxMemoryHardLimit 0
Loaded 333 built in artifacts in 133.4324ms
Ring Buffer: Creation {"filename":"C:\\Users\\Iggy\\AppData\\Local\\Temp/Velociraptor_Buffer.bin","max_size":1073741874}
Starting the notification service.
Starting HTTPCommunicator: HTTP Connector to [https://veloserver.iggycorp.net:8000/]
Installing Dummy inventory_service. Will download tools to temp directory.
Starting event query service with version 0.
Starting event query service with version 0.
While getting https://veloserver.iggycorp.net:8000/: Get "https://veloserver.iggycorp.net:8000/server.pem": x509: certificate signed by unknown authority



I can confirm chrome.exe from the Windows computer loads https://veloserver.iggycorp.net:8000/



Iggy Zofrin

Jul 11, 2022, 9:57:09 PM
to velociraptor-discuss
Having said that, I am not 100% sure if Velociraptor supports all root certificate authorities installed in the Trusted Root Certificate Authorities keystore on Windows or just a list of public global root certificate authorities.

Iggy Zofrin

Jul 17, 2022, 6:48:25 PM
to velociraptor-discuss
All good, never mind.
I did not read the release notes about embedded root certs; it works now:
Client:
  Crypto:
    root_certs: |
        -----BEGIN CERTIFICATE-----
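
Added example, not part of the thread and not Velociraptor code: the error in the client log is the one Go's crypto/x509 returns when no chain can be built to a root in the pool the verifier was handed, and this sketch reproduces it with a constructed root, intermediate and leaf for the thread's hostname. The helper names `issue` and `verify` and the CA names are assumptions made for the illustration; it shows the general mechanism, not how the Velociraptor client builds its pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "veloserver.iggycorp.net" // server name from the thread

// issue makes a constructed, short-lived certificate signed by parent (self-signed if nil).
func issue(cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey, dns ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: dns,
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify trusts only the pools it is handed. A nil roots pool would instead make
// Go fall back to the operating system's trust store.
func verify(leaf *x509.Certificate, roots, inters *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	root, rk := issue("Constructed Root CA", true, nil, nil)
	inter, ik := issue("Constructed Intermediate CA", true, root, rk)
	leaf, _ := issue(host, false, inter, ik, host)
	trusted, sent, none := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(root)
	sent.AddCert(inter)
	fmt.Println("root not configured:  ", verify(leaf, none, sent))
	fmt.Println("root configured:      ", verify(leaf, trusted, sent))
	fmt.Println("intermediate not sent:", verify(leaf, trusted, none))
}
```

The first and third cases fail with the same "certificate signed by unknown authority" message, so the error alone does not say whether the root is missing on the client or the intermediate is missing from what the server presents.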
