I tried to add a fleet server today on a CentOS Server. Because I don't want to add Agents with the `--insecure` flag anymore, I followed this documentation step by step:
I created the ca.crt that signed the fleet-server.crt and fleet-server.key certs using elasticsearch-certutil, copied them to the server's /root/ directory and then executed the following command:
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
As far as I know I should get that error when enrolling a new agent to a fleet server which has no verifiable cert chain, but in this case I want to install the secure fleet server in the first place. So why did I get this error? Am I overlooking something?

> As far as I know I should get that error when enrolling a new agent to a fleet server which has no verifiable cert chain, but in this case I want to install the secure fleet server in the first place.
In this specific case I think that there is some issue in the configuration that prevents authorising your certificate.
Looking at the command used to enroll the fleet server
I notice that you are using --fleet-server-es-ca-trusted-fingerprint instead of --fleet-server-es-ca. Did you follow the steps detailed here to configure the CA fingerprint? It can also be configured from the Fleet UI by setting ssl.certificate_authorities: ["/path/to/your/elasticsearch-ca.crt"] in the Elasticsearch output YAML configuration, as explained in this page.
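The error text in the question, "x509: certificate signed by unknown authority", is the wording of Go's crypto/x509 package (Elastic Agent is written in Go), and it means exactly what the reply says: the leaf certificate presented by the server does not chain to any CA the client was told to trust. The following is an added, self-contained Go example, not code from the poster or from the Elastic project, that reproduces both outcomes offline: a constructed CA signs a constructed fleet-server certificate, verification succeeds when that CA is trusted, fails with UnknownAuthorityError when an unrelated CA is trusted instead, and the CA's SHA-256 fingerprint (the value a fingerprint-pinning option such as --fleet-server-es-ca-trusted-fingerprint expects, in hex without colons) is computed from the certificate's DER bytes. The host name fleet.example.internal and the CA names are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a constructed self-signed CA. It stands in for the ca.crt that
// elasticsearch-certutil produced in the question; it is not Elastic's code.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert issues a leaf certificate for dnsName, signed by the given CA
// (the analogue of fleet-server.crt / fleet-server.key).
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // SAN is required by modern Go verification
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain performs the same check a TLS client does: the leaf must chain
// to a trusted root and must be valid for the host being connected to.
func verifyChain(leaf, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether err is the x509 error quoted in the question.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// caFingerprint returns the hex SHA-256 digest of the CA's DER encoding; openssl's
// "x509 -fingerprint -sha256" prints the same bytes with colons between them.
func caFingerprint(ca *x509.Certificate) string {
	sum := sha256.Sum256(ca.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	ca, caKey, err := newCA("demo-fleet-ca")
	if err != nil {
		panic(err)
	}
	leaf, err := newServerCert(ca, caKey, "fleet.example.internal")
	if err != nil {
		panic(err)
	}
	fmt.Println("trusting the signing CA:", verifyChain(leaf, ca, "fleet.example.internal"))
	other, _, _ := newCA("unrelated-ca")
	err = verifyChain(leaf, other, "fleet.example.internal")
	fmt.Println("trusting an unrelated CA:", err, "| unknown authority:", isUnknownAuthority(err))
	fmt.Println("CA SHA-256 fingerprint:", caFingerprint(ca))
}
```

Run it and the second line prints the same "x509: certificate signed by unknown authority" message as the enrollment command; the practical check on a real host is the same idea with the real files: confirm that the ca.crt passed to --fleet-server-es-ca (or its fingerprint) is the CA that actually signed the certificate the server presents, not merely a CA with a similar name.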