A Question for Configure SSL/TLS for self-managed Fleet Servers

quhang · April 26, 2022, 6:29am

Hello there,
When try to configure SSL for the fleet and Join an elc cluster that currently has enabled https refer this article:

In this document, the Elasticsearch-ca.crt confuses me, according the description, it should be the ca of my elastic stack, so I export the ca from the p12 file by this command:

openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -chain -out elastic-stack-ca.crt

is there anything wrong with my understanding or operation here?

When I continue following the documentation performing the install operation,
./elastic-agent install -f
--url=https://10.x.x.x:8220
--fleet-server-es=https://pctcs009.elktst.net:9200
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NTA1MDcxMzkyMzU6d2hLX3R5RFQ
--fleet-server-policy=a2013870-ab38-11ec-a6e9-03c37ca20fdb
--fleet-server-es-ca=/usr/share/elastic-agent-8.1.1-linux-x86_64/elastic-certificates.p12
--certificate-authorities=/usr/share/elastic-agent-8.1.1-linux-x86_64/ca.crt
--fleet-server-cert=/usr/share/elastic-agent-8.1.1-linux-x86_64/tctst001.crt
--fleet-server-cert-key=/usr/share/elastic-agent-8.1.1-linux-x86_64/tctst001.key

I get this error message:
fleet-server--8.1.1[]: State changed to FAILED: Error - x509: certificate is not valid for any names, but wanted to match pctcs009

Can anyone help to point out my mistake?

My environment information:

Elasticsearch version is 8.1.1
agent: elastic-agent-8.1.1-linux-x86_64.tar.gz

./bin/Elasticsearch-certutil ca
./bin/Elasticsearch-certutil cert --ca elastic-stack-ca.p12

Elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional

very appreciate if someone can help.

system · May 24, 2022, 6:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need Clarification on How to Obtain ES SSL Certs for Fleet Server Elasticsearch elastic-stack-security , fleet	1	221	May 17, 2022
Fleet server installation issue with TLS and certificates Elastic Agent fleet	0	56	October 29, 2024
Fleet Server - Error - x509: certificate is valid for 127.0.0.1, not x.x.x.x Elastic Security elastic-stack-security , fleet	3	4987	June 27, 2022
Configure Fleet SSL Cert Port 8220 SIEM	3	541	November 29, 2023
Working with Elastic-Agent for both Windows and Linux, unsure on how to change the SSL Certificate Authority Elastic Agent elastic-stack-security	1	25	August 27, 2024

A Question for Configure SSL/TLS for self-managed Fleet Servers

Related topics