I am using self-generated certs created on the ES master node, running a brand new install of 7.14 - all the server components (Es, Kibana, LS, MB & FB) are talking and working well with each other.
After deploying the Windows agent to a Win 10 machine, it failed to enrol with unsigned cert errors, despite the ca cert being in the trusted root store of the wks. So I installed the agent with the '--insecure' option and it has worked and shows up in Fleet - it all appears normal, however there is no data in the relevant indexes for this host.
The agent logs confirm 'SSL/TLS verifications disabled' - however the Filebeat and Metricbeat logs indicate that no data can be transferred as both services: 'Error: fail to connect - x509: certificate signed by unknown authority'.
The issue is that using --insecure only allows Elastic Agent to communicate with Fleet Server insecurely. It still takes the settings from the policy to communicate with Elasticsearch. You need to modify the output settings inside the Fleet UI in Kibana.
You will want to add the following in the Elasticsearch output configuration (YAML) block:
Thank you for your reply - however I read that the --insecure flag would still allow comms to be encrypted, it would simply disable the checks.
It seems odd that I have to switch off SSL verification across the board just because I'm using a self-signed cert.
I've updated the Fleet settings as you described and will let you know how I get on - I've also got the ca cert included here:
The problem is, when I remove the verification_mode: none then I start getting x509 errors again, even though the ca certificate is included in the yml, and the ca cert is present in the workstation's certificate store.
Also, according to the agent help, the -c option defines the path to the configuration file, and isn't related to certificates.
While it's working now, I'm not sure we've actually solved the underlying problem here.
I don't want to have an insecure environment.
Note I had this issue before with 7.10, but adding the certificate_authorities entry fixed it and everything worked and was secure. I think we may have taken a step backwards with 7.14?
Sorry, the option is -a or --certificate-authorities; I mistyped the -c.
You should not need verification_mode: none if you have the certificate authority provided. Most likely it's because the hostname of the Elasticsearch does not match the URL provided to connect to Elasticsearch.
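The last reply points at the usual cause once the CA is trusted: the host part of the Elasticsearch URL in the Fleet output is not one of the names the server certificate was issued for, so name verification fails and people reach for verification_mode: none. The script below is an added example (not code from this thread or from Elastic) that performs the same subjectAltName matching a TLS client does, on a constructed peer-certificate dict in the layout Python's ssl.SSLSocket.getpeercert() returns, so it can be run offline. The host es-master, the CA name lab-ca, the SAN entries and the IP 10.0.0.5 are all assumptions for illustration; substitute the output of getpeercert() from your own cluster to see which URL forms your certificate actually covers.

```python
"""Check whether an Elasticsearch URL matches the names in a server certificate.

Mirrors the subjectAltName check a TLS client performs (DNS SANs with a
single leftmost wildcard label, IP SANs for IP literals). Like Go-based
clients such as Beats, it does not fall back to the subject commonName.
"""
import ipaddress
from typing import Dict, Sequence, Tuple
from urllib.parse import urlsplit

# Constructed certificate dict, shaped like ssl.SSLSocket.getpeercert().
# Everything here (host names, CA name, IP) is made up for the example.
ES_MASTER_CERT: Dict = {
    "subject": ((("commonName", "es-master"),),),
    "issuer": ((("commonName", "lab-ca"),),),
    "subjectAltName": (
        ("DNS", "es-master"),
        ("DNS", "es-master.lab.local"),
        ("IP Address", "10.0.0.5"),
    ),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry; a '*' may only be the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must cover exactly one label and leave at least two fixed labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _san_summary(sans: Sequence[Tuple[str, str]]) -> str:
    return ", ".join(f"{kind}={value}" for kind, value in sans)


def hostname_matches(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a hostname or IP literal against the cert's SANs."""
    sans = tuple(cert.get("subjectAltName", ()))
    if not sans:
        return False, "certificate has no subjectAltName; the commonName is not used"
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True, f"IP {hostname} is listed in subjectAltName"
        return False, f"IP {hostname} not in subjectAltName ({_san_summary(sans)})"
    for kind, value in sans:
        if kind == "DNS" and _dns_label_match(value, hostname):
            return True, f"{hostname} matches DNS SAN {value}"
    return False, f"{hostname} not in subjectAltName ({_san_summary(sans)})"


def check_output_url(cert: Dict, url: str) -> Tuple[bool, str]:
    """Apply hostname_matches() to the host part of a Fleet output URL."""
    host = urlsplit(url).hostname
    if not host:
        return False, f"could not extract a host from {url!r}"
    return hostname_matches(cert, host)


if __name__ == "__main__":
    # Three ways the same cluster might be referenced in the Fleet output.
    for url in ("https://es-master.lab.local:9200",
                "https://10.0.0.5:9200",
                "https://192.168.1.20:9200"):
        ok, reason = check_output_url(ES_MASTER_CERT, url)
        print(("OK  " if ok else "FAIL"), url, "->", reason)
```

Only the URL forms that report OK will pass verification with ssl.certificate_authorities set; a FAIL means the fix is to use a covered name (or reissue the certificate with that name in its SAN list), not to set verification_mode: none.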