Install Veirox Connect on a systemd host
Target: Ubuntu 22.04+, Debian 12+, Rocky 9+, any modern systemd-based
Linux distribution running as root access with outbound HTTPS/WSS to
the Veirox backend.
Prerequisites
- root access on the host
- outbound TCP 443 to the Veirox backend URL
curl,systemctl,sha256sum, and one ofcosignoropenssl
(for manifest signature verification)- A one-time enrollment token from the Veirox UI (Connectors →
Mint enrollment token). Tokens burn on first use and expire in 5
minutes.
Install
curl -fsSL https://veirox.customer.com/api/install.sh \
| sudo env VEIROX_BACKEND_URL=https://veirox.customer.com \
VEIROX_ENROLLMENT_TOKEN=veirox_enr_REPLACE_ME bash
What the installer does
- Detects OS + architecture.
- Fetches the sha256 manifest and its cosign signature, verifies
the signature against a pinned public key baked intoinstall.sh. - Downloads the
veirox-connectorbinary and the hardened systemd
unit, verifies each against the manifest digest. - Creates a dedicated
veirox-connectorsystem user (no shell, no
home directory). - Installs the binary at
/usr/local/bin/veirox-connectorand the
unit at/etc/systemd/system/veirox-connector.service. - Writes a drop-in at
/etc/systemd/system/veirox-connector.service.d/backend.confwith
the backend URL. - Runs
veirox-connector enroll --token ...as theveirox-connector
user — this redeems the one-time token and writes the mTLS cert
triple (cert.pem+key.pem+ca.pem) to/etc/veirox-connector/
at mode 0600. - Enables and starts
veirox-connector.service.
Corporate TLS-inspecting proxy
If your egress passes through a proxy that re-signs outbound TLS
with a private CA, set the corporate CA bundle before installing:
sudo install -m 0644 corp-ca.pem /etc/ssl/veirox-corp-ca.pem
curl -fsSL https://veirox.customer.com/api/install.sh \
| sudo env VEIROX_BACKEND_URL=https://veirox.customer.com \
VEIROX_ENROLLMENT_TOKEN=veirox_enr_xxx \
VEIROX_CONNECTOR_EXTRA_CA_BUNDLE=/etc/ssl/veirox-corp-ca.pem bash
After install, persist the bundle path via a unit drop-in:
sudo tee /etc/systemd/system/veirox-connector.service.d/corp-ca.conf <<EOF [Service] Environment="VEIROX_CONNECTOR_EXTRA_CA_BUNDLE=/etc/ssl/veirox-corp-ca.pem" EOF sudo systemctl daemon-reload sudo systemctl restart veirox-connector
Verify
Run the verification checklist.
Upgrade
Re-run the installer. The installer is idempotent when an mTLS cert
is already on disk: the existing credential is preserved, the binary
and unit are replaced with the published versions, and the service
is restarted.
curl -fsSL https://veirox.customer.com/api/install.sh \
| sudo env VEIROX_BACKEND_URL=https://veirox.customer.com \
VEIROX_ENROLLMENT_TOKEN=$(veirox-cli mint-token --connector my-host) bash
See upgrade.md for the full upgrade workflow.
Uninstall
sudo systemctl disable --now veirox-connector sudo rm -f /etc/systemd/system/veirox-connector.service sudo rm -rf /etc/systemd/system/veirox-connector.service.d sudo rm -rf /etc/veirox-connector /var/lib/veirox-connector sudo rm -f /usr/local/bin/veirox-connector sudo userdel veirox-connector sudo systemctl daemon-reload
Then delete the connector in the Veirox UI (this revokes the cert
and adds it to the CRL).
Troubleshooting
| Symptom | Fix |
|---|---|
manifest signature verification FAILED |
The backend or its TLS is compromised, or the pinned cosign key in install.sh is out of sync. Re-fetch install.sh over HTTPS from the backend and re-run. |
enrollment failed: HTTP 401 |
Token expired (5-minute TTL) or already burned. Mint a new one. |
enrollment failed: HTTP 429 |
Rate-limited: too many enrollment attempts from your source IP. Wait 60 seconds. |
bearer credential on disk but this release build refuses bearer mode |
You're upgrading a host from an OPA-01 agent. Delete /etc/veirox-connector/credential and re-run enroll to receive a fresh mTLS cert triple. |
plaintext ws:// is not supported |
Your backend URL is http://. Use https://. The insecure path is compiled out in release builds. |
| No network IP in the UI connector row | getifaddrs returned nothing (airgapped or IPv6-only). Cosmetic — the agent still works. |