7.14 - Windows agent deployed with Fleet, but not sending data

I am using self-generated certs created on the ES master node, running a brand new install of 7.14 - all the server components (ES, Kibana, LS, MB & FB) are talking and working well with each other.

After deploying the Windows agent to a Win 10 machine, it failed to enrol with unsigned cert errors, despite the CA cert being in the trusted root store of the wks. So I installed the agent with the '--insecure' option and it has worked and shows up in Fleet - it all appears normal, however there is no data in the relevant indexes for this host.
The agent logs confirm 'SSL/TLS verifications disabled' - however the Filebeat and Metricbeat logs indicate that no data can be transferred, as both services report: 'Error: fail to connect - x509: certificate signed by unknown authority'.

How to fix this?

The issue is that using --insecure only allows Elastic Agent to communicate with Fleet Server insecurely. It still takes the settings from the policy to communicate with Elasticsearch. You need to modify the output settings inside the Fleet UI in Kibana.

You will want to add the following to the Elasticsearch output configuration (YAML) block:

ssl.verification_mode: none

Thank you for your reply - however I read that the --insecure flag would still allow comms to be encrypted, it would simply disable the checks.

It seems odd that I have to switch off SSL verification across the board just because I'm using a self-signed cert.
I've updated the Fleet settings as you described and will let you know how I get on - I've also got the ca cert included here:

ssl.verification_mode: none
ssl.certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIVAJhEIYMmFVMHCKNhMrEuxBN2GR5oMA0GCSqGSIb3DQEB
    ...
    ...

Okay - that worked - thank you!

If you are adding the certificate_authorities then you can remove the verification_mode: none and it will be more secure.

You can also install the Elastic Agent with the certificate with the -c option, that way it will always verify using the CA.

Glad you got it working!

The problem is, when I remove the verification_mode: none then I start getting x509 errors again, even though the CA certificate is included in the yml, and the CA cert is present in the workstation's certificate store.

Also, according to the agent help, the -c option defines the path to the configuration file, and isn't related to certificates.

While it's working now, I'm not sure we've actually solved the underlying problem here.
I don't want to have an insecure environment.

Note I had this issue before with 7.10, but adding the certificate_authorities entry fixed it and everything worked and was secure. I think we may have taken a step backwards with 7.14?

Sorry, the option is -a or --certificate-authorities, I mistyped the -c.

You should not need verification_mode: none if you have the certificate authority provided. Most likely it's because the hostname of Elasticsearch does not match the URL provided to connect to Elasticsearch.

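The last reply points at the usual cause of an x509 error that survives adding the CA: the name in the output URL is not in the server certificate's SAN. The script below is an added example, not from the thread or from Elastic; it builds a throwaway CA and a server certificate signed by it (the names es01.example.internal, "Fleet Test CA" and the CN es01 are assumptions for the demo), then runs `openssl verify` the way a TLS client does, so the two failure modes from the thread can be told apart: no CA at all (the "certificate signed by unknown authority" error from Filebeat/Metricbeat) versus a trusted CA but a name that is not in the SAN (what remains once verification_mode: none is removed). Run it on any host with openssl, e.g. the ES master node where the certs were generated.

```shell
#!/bin/sh
# Added example (not code from the original post or from Elastic).
# Reproduces the two x509 failure modes from the thread against a
# throwaway CA and server certificate created here. Hostnames and
# subjects below are assumptions for the demo.

set -u

# setup_pki DIR: self-signed CA plus a server cert signed by it whose only
# SAN is DNS:es01.example.internal. Files land in DIR.
setup_pki() {
    dir=$1
    # The CA, self-signed like the one generated on the ES master node.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Fleet Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # The Elasticsearch server cert: CSR, then sign it with the CA and attach a SAN.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=es01" \
        -keyout "$dir/es.key" -out "$dir/es.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:es01.example.internal\n' > "$dir/san.ext"
    openssl x509 -req -days 1 -sha256 \
        -in "$dir/es.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/es.crt" >/dev/null 2>&1
}

# show_san CERT: print the Subject Alternative Name line of CERT, which is
# what the output URL's hostname has to match.
show_san() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# check_cert CERT NAME [CAFILE]: verify CERT as a TLS client would:
# chain first (against CAFILE if given, otherwise an empty trust store),
# then NAME against the SAN. Prints one word: OK, UNTRUSTED, MISMATCH or FAIL.
check_cert() {
    cert=$1
    name=$2
    ca=${3:-}
    if [ -n "$ca" ]; then
        if out=$(openssl verify -no-CAfile -no-CApath -CAfile "$ca" \
                    -verify_hostname "$name" "$cert" 2>&1); then status=0; else status=$?; fi
    else
        if out=$(openssl verify -no-CAfile -no-CApath \
                    -verify_hostname "$name" "$cert" 2>&1); then status=0; else status=$?; fi
    fi
    if [ "$status" -eq 0 ]; then
        echo OK
    elif printf '%s' "$out" | grep -qi 'hostname mismatch'; then
        echo MISMATCH          # CA trusted, but NAME is not in the SAN
    elif printf '%s' "$out" | grep -qi -e 'unable to get local issuer' -e 'self.signed'; then
        echo UNTRUSTED         # CA not in the trust store: "signed by unknown authority"
    else
        echo FAIL
    fi
}

# Demo: same CA, same certificate, three different outcomes.
demo_dir=$(mktemp -d)
setup_pki "$demo_dir"
echo "SAN in server cert:$(show_san "$demo_dir/es.crt")"
echo "CA given, name in SAN:             $(check_cert "$demo_dir/es.crt" es01.example.internal "$demo_dir/ca.crt")"
echo "CA given, name not in SAN:         $(check_cert "$demo_dir/es.crt" elastic.local "$demo_dir/ca.crt")"
echo "no CA (policy without CA entry):   $(check_cert "$demo_dir/es.crt" es01.example.internal)"
rm -rf "$demo_dir"
```

Against a live node the equivalent check is `openssl s_client -connect <host>:9200 -CAfile ca.crt -verify_hostname <host> </dev/null`, where `<host>` is exactly the name used in the Fleet output URL; a non-zero "Verify return code" with "hostname mismatch" means the fix is to use a name that is in the certificate's SAN (or reissue the server cert with that name), not to set verification_mode: none.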
