I tried to add a fleet server today on a CentOS Server. Because I don’t want to add Agents with the --insecure flag anymore, I followed this documentation step by step:
I created the ca.crt that signed the fleet-server.key certs using elasticsearch-certutil, copied them to the server's /root/ directory and then executed the following command:
sudo ./elastic-agent install --fleet-server-es=https://10.20.1.6:9200 --fleet-server-service-token=AAEAAWVsYXN0a….WZmVVdnV3QQ --fleet-server-policy=5fe7bce0-b…460-779741d07fee --fleet-server-es-ca-trusted-fingerprint=809ef51507f1c26f788ff3…49dc11ef2bbbbaf96dd592d724 --certificate-authorities=/root/ca.crt --fleet-server-cert=/root/fleet-server.crt --fleet-server-cert-key=/root/fleet-server.key --url=https://fleet.mydomain.com:8220
But as response I got:
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
As far as I know I should get that error when enrolling a new agent to a fleet server which has no verifiable cert chain, but in this case I want to install the secure fleet server in the first place. So why did I get this error? Am I overlooking something?
Does no one have an idea why this happens?
The client you are running the installer on also has to trust that certificate, I believe.
But I gave it the certificate to use in the first place? I don’t understand.
As far as I know I should get that error when enrolling a new agent to a fleet server which has no verifiable cert chain, but in this case I want to install the secure fleet server in the first place.
In this specific case I think that there is some issue in the configuration that prevents authorising your certificate.
Looking at the command used to enroll the fleet server
sudo ./elastic-agent install \
I notice that you are using --fleet-server-es-ca-trusted-fingerprint instead of --fleet-server-es-ca. Did you follow the steps detailed here to configure the CA fingerprint? It can also be configured from Fleet UI by configuring ssl.certificate_authorities: ["/path/to/your/elasticsearch-ca.crt"] in the Elasticsearch output YAML configuration, as explained in this page.
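The three things this thread turns on can be checked with plain openssl before running the install command: whether fleet-server.crt actually chains to the ca.crt passed via --certificate-authorities (the check that fails with "x509: certificate signed by unknown authority"), whether the hostname in --url is a DNS SAN of that cert, and what form --fleet-server-es-ca-trusted-fingerprint expects (the SHA-256 fingerprint of the CA certificate, hex without colons). The script below is an added example, not code from the thread or from Elastic. It assumes only that openssl is on PATH, reuses the hostname fleet.mydomain.com from the original post, and builds a constructed throwaway PKI in a temp directory so it runs offline in place of the elasticsearch-certutil output.

```shell
#!/bin/sh
# Pre-flight checks on the Fleet Server TLS material before `elastic-agent install`.
# Added example, not code from the thread or from Elastic. Assumes only that
# openssl is on PATH. The hostname (fleet.mydomain.com) is taken from the
# original post; the PKI built below is constructed so the checks run offline
# and stands in for the elasticsearch-certutil output.
set -e

# Build, in directory "$1": a throwaway CA (ca.crt), an unrelated second CA
# (other-ca.crt), and a server cert for host "$2" signed by the first CA.
make_test_pki() {
  dir="$1"; host="$2"
  for ca in ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=$ca" -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/fleet-server.key" -out "$dir/fleet-server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/fleet-server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$dir/san.ext" \
    -out "$dir/fleet-server.crt" 2>/dev/null
}

# Check 1: the server cert ($2) must chain to the CA ($1) passed via
# --certificate-authorities. A failure here is what the agent reports as
# "x509: certificate signed by unknown authority".
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: the hostname used in --url ($2) must be a DNS SAN of the cert ($1),
# otherwise hostname verification fails even with a valid chain.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qwF "DNS:$2"
}

# Check 3: --fleet-server-es-ca-trusted-fingerprint takes the SHA-256
# fingerprint of the CA cert as hex without colons (case-insensitive); this
# emits it in that form from the PEM file ($1).
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Run the checks for CA $1, server cert $2, hostname $3; non-zero on failure.
preflight() {
  ca="$1"; crt="$2"; host="$3"; rc=0
  if verify_chain "$ca" "$crt"; then echo "ok   chain: $crt is signed by $ca"
  else echo "FAIL chain: $crt does not chain to $ca"; rc=1; fi
  if cert_has_san "$crt" "$host"; then echo "ok   san:   DNS:$host present"
  else echo "FAIL san:   DNS:$host missing from $crt"; rc=1; fi
  echo "fingerprint for --fleet-server-es-ca-trusted-fingerprint: $(ca_fingerprint "$ca")"
  return $rc
}

# Demo on the constructed PKI; a real run would point at /root/ca.crt and
# /root/fleet-server.crt from the thread instead.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d" fleet.mydomain.com
  preflight "$d/ca.crt" "$d/fleet-server.crt" fleet.mydomain.com
  echo "--- the same cert checked against a CA that did not sign it:"
  preflight "$d/other-ca.crt" "$d/fleet-server.crt" fleet.mydomain.com || true
  rm -rf "$d"
}
demo
```

The second preflight run in the demo reproduces the failing condition from the thread: the cert is valid, but the CA the client is told to trust is not the one that signed it, and the chain check fails. The fingerprint printed by the first run is the value to hand to --fleet-server-es-ca-trusted-fingerprint when computed against the Elasticsearch HTTP CA rather than the Fleet Server CA; the two are separate unless the same CA issued both.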