Struggling with front-end certificate issues by Microsoft PKI


Paul Siess

Apr 3, 2024, 9:58:22 AM
to velociraptor-discuss
I have been using Let's Encrypt for SSL communications with the front-end.  I want to switch that to use a certificate issued by our internal CA.  Velociraptor is running on Windows Server 2022.

Here's the Frontend section of server.config.yaml

Frontend:
  hostname: velo.##########.com
  dns_name: velo.##########.com
  #use_self_signed_SSL: false
  bind_address: 0.0.0.0
  bind_port: 443
  tls_certificate_filename: C:\data\velo.##########.com.pem
  tls_private_key_filename: C:\data\velo.##########.com.key
 
  default_client_monitoring_artifacts:
  - Generic.Client.Stats
  GRPC_pool_max_size: 100
  GRPC_pool_max_wait: 60
  resources:
    connections_per_second: 100
    notifications_per_second: 30
    max_upload_size: 10485760
    expected_clients: 30000
Datastore:
  implementation: FileBaseDataStore
  location: d:\########\VR-Data
  filestore_directory: d:\########\VR-Data
Logging:
  output_directory: d:\########\VR-Data/logs
  separate_logs_per_component: true
  debug:
    disabled: true
  info:
    rotation_time: 604800
    max_age: 31536000
  error:
    rotation_time: 604800
    max_age: 31536000
autocert_cert_cache: d:\########\VR-Data

When I comment out use_self_signed_SSL: false, I get this error:

velociraptor.exe: error: frontend: Unable to load config file: No Frontend.certificate config


When I leave in use_self_signed_SSL: false, I get a different error:

velociraptor.exe: error: frontend: Unable to load config file: yaml: unmarshal errors:
  line 163: field use_self_signed_SSL not found in type proto.FrontendConfig


I'm lost. Any suggestions?





Mike Cohen

Apr 3, 2024, 10:03:12 AM
to Paul Siess, velociraptor-discuss
Hi Paul,
The first error means you removed the frontend certificate so the server cannot start. You should not remove the internal certificates (they are used for Velociraptor comms). If you want to use an external certificate you need to only add the tls_certificate_filename as you did (in addition to the other certs).

The use_self_signed_SSL option is a client configuration so it goes in the client part.

You might find the documentation helpful:


Thanks
Mike


Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 
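The two mistakes in the thread (removing Frontend.certificate, and putting use_self_signed_SSL under Frontend instead of Client) can be caught before the server is started. The check below is an added example, not the poster's or Velociraptor's own code; it assumes only the field names visible on this page (Frontend.certificate from the first error, the tls_*_filename pair, and use_self_signed_SSL matched case-insensitively), and the two configs it runs against are constructed samples.

```python
# Added example, not Velociraptor's own code: a pre-start check of the Frontend
# section of server.config.yaml that flags the two mistakes from this thread. It
# scans top-level sections and their direct child keys; it is not a YAML parser.
import re
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*):")
def direct_keys(text):
    """Map each top-level section to the set of keys nested directly under it."""
    sections, current, child_indent = {}, None, None
    for line in text.splitlines():
        if not (m := KEY_RE.match(line)):  # commented-out keys ("#key:") do not match
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            current, child_indent = key, None
            sections[current] = set()
        elif current is not None:
            child_indent = indent if child_indent is None else child_indent
            if indent == child_indent:
                sections[current].add(key)
    return sections

def check_frontend(text):
    """Return findings for the Frontend section; an empty list means it passed."""
    frontend = direct_keys(text).get("Frontend", set())
    # The internal certificate is used for Velociraptor comms and must stay.
    findings = [] if "certificate" in frontend else ["Frontend.certificate missing"]
    for key in frontend:
        if key.lower() == "use_self_signed_ssl":  # a Client option, not a Frontend one
            findings.append(f"Frontend.{key} is not a Frontend field; move it to Client")
    if ("tls_certificate_filename" in frontend) != ("tls_private_key_filename" in frontend):
        findings.append("tls_certificate_filename and tls_private_key_filename go together")
    return findings

# Constructed configs; the PEM body and file paths are placeholders.
BROKEN = """\
Frontend:
  use_self_signed_SSL: false
  tls_certificate_filename: C:\\data\\velo.pem
  tls_private_key_filename: C:\\data\\velo.key
"""
FIXED = """\
Frontend:
  certificate: |
    PLACEHOLDER-PEM
  tls_certificate_filename: C:\\data\\velo.pem
  tls_private_key_filename: C:\\data\\velo.key
Client:
  use_self_signed_ssl: false
"""
```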



Paul Siess

Apr 3, 2024, 12:45:05 PM
to velociraptor-discuss
Thank you!  It's working with our cert now.