Hello there,
When trying to configure SSL for Fleet and join an ELK cluster that currently has HTTPS enabled, I referred to this article:
In this document, the elasticsearch-ca.crt confuses me. According to the description, it should be the CA of my Elastic Stack, so I exported the CA from the p12 file with this command:
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -chain -out elastic-stack-ca.crt
Is there anything wrong with my understanding or operation here?
When I continue following the documentation and perform the install operation,
./elastic-agent install -f \
  --url=https://10.x.x.x:8220 \
  --fleet-server-es=https://pctcs009.elktst.net:9200 \
  --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NTA1MDcxMzkyMzU6d2hLX3R5RFQ \
  --fleet-server-policy=a2013870-ab38-11ec-a6e9-03c37ca20fdb \
  --fleet-server-es-ca=/usr/share/elastic-agent-8.1.1-linux-x86_64/elastic-certificates.p12 \
  --certificate-authorities=/usr/share/elastic-agent-8.1.1-linux-x86_64/ca.crt \
  --fleet-server-cert=/usr/share/elastic-agent-8.1.1-linux-x86_64/tctst001.crt \
  --fleet-server-cert-key=/usr/share/elastic-agent-8.1.1-linux-x86_64/tctst001.key
I get this error message:
fleet-server--8.1.1[]: State changed to FAILED: Error - x509: certificate is not valid for any names, but wanted to match pctcs009
Can anyone help to point out my mistake?
My environment information:
Elasticsearch version is 8.1.1
agent: elastic-agent-8.1.1-linux-x86_64.tar.gz
./bin/elasticsearch-certutil ca
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
elasticsearch.yml:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
I would very much appreciate it if someone can help.