Adding Fleet Server failed because “x509: certificate signed by unknown authority“

Hello,

I tried to add a fleet server today on a CentOS Server. Because I don't want to add Agents with the --insecure flag anymore, I followed this documentation step by step:

I created the ca.crt that signed the fleet-server.crt and fleet-server.key certs using elasticsearch-certutil, copied them to the server's /root/ directory and then executed the following command:

sudo ./elastic-agent install --fleet-server-es=https://10.20.1.6:9200 --fleet-server-service-token=AAEAAWVsYXN0a….WZmVVdnV3QQ --fleet-server-policy=5fe7bce0-b…460-779741d07fee --fleet-server-es-ca-trusted-fingerprint=809ef51507f1c26f788ff3…49dc11ef2bbbbaf96dd592d724 --certificate-authorities=/root/ca.crt --fleet-server-cert=/root/fleet-server.crt --fleet-server-cert-key=/root/fleet-server.key --url=https://fleet.mydomain.com:8220

But as response I got:

Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority

As far as I know I should get that error when enrolling a new agent to a fleet server which has no verifiable cert chain, but in this case I want to install the secure fleet server in the first place. So why did I get this error? Am I overlooking something?

Does no one have an idea why this happens?

Push

The client you are running the installer on also has to trust that certificate, I believe.

But I gave it the certificate to use in the first place? I don’t understand.

Hi @maof97,

As far as I know I should get that error when enrolling a new agent to a fleet server which has no verifiable cert chain, but in this case I want to install the secure fleet server in the first place.

In this specific case I think that there is some issue in the configuration that prevents authorising your certificate.

Looking at the command used to enroll the fleet server

sudo ./elastic-agent install \
--url=https://fleet.mydomain.com:8220 \
--fleet-server-es=https://10.20.1.6:9200 \
--fleet-server-service-token=AAEAAWVsYXN0a….WZmVVdnV3QQ \
--fleet-server-policy=5fe7bce0-b…460-779741d07fee \
--certificate-authorities=/root/ca.crt \
--fleet-server-es-ca-trusted-fingerprint=809ef51507f1c26f788ff3…49dc11ef2bbbbaf96dd592d724 \
--fleet-server-cert=/root/fleet-server.crt \
--fleet-server-cert-key=/root/fleet-server.key

I notice that you are using --fleet-server-es-ca-trusted-fingerprint instead of --fleet-server-es-ca. Did you follow the steps detailed here to configure the CA fingerprint? It can also be configured from the Fleet UI by setting ssl.certificate_authorities: ["/path/to/your/elasticsearch-ca.crt"] in the Elasticsearch output YAML configuration, as explained on this page.
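The reply above points at the CA and fingerprint configuration. Before re-running the install it is worth checking, locally and offline, that the files passed to `elastic-agent install` are what the agent will need: that `--certificate-authorities` actually verifies `--fleet-server-cert` (the enrollment request goes to the Fleet Server just started at `--url`, and a chain the agent cannot build is reported as "x509: certificate signed by unknown authority"), that the certificate carries the `--url` hostname as a SAN, that the key belongs to the certificate, and what the SHA-256 fingerprint of a CA file looks like in the form `--fleet-server-es-ca-trusted-fingerprint` takes. The script below is an added example, not code from this thread or from Elastic. It assumes `openssl` is on PATH, reuses the file names and the hostname fleet.mydomain.com from the post, and builds a throwaway CA and server certificate as a constructed stand-in for the output of elasticsearch-certutil; point the check functions at your real files instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastic: offline pre-flight
# checks for the TLS files passed to `elastic-agent install` on a Fleet Server.
# Assumptions: openssl on PATH; file names as in the post; the PKI built by
# make_test_pki is a constructed stand-in for elasticsearch-certutil output.
set -eu

# Build a throwaway CA, a Fleet Server cert signed by it with a DNS SAN, and an
# unrelated CA to show what a trust failure looks like. $1 = dir, $2 = hostname.
make_test_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test Fleet CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/fleet-server.key" -out "$dir/fleet-server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/fleet-server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/fleet-server.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Unrelated CA" -keyout "$dir/other.key" -out "$dir/other-ca.crt" >/dev/null 2>&1
}

# 1. Chain: the file given as --certificate-authorities must verify the cert
#    given as --fleet-server-cert. If the server cert was issued by an
#    intermediate, append that intermediate to fleet-server.crt or to the bundle.
verify_chain() {          # $1 = CA bundle (PEM), $2 = server cert; exit 0 on success
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. SAN: Go's TLS client (what the agent uses) matches the --url hostname
#    against subjectAltName only, never against the CN.
san_has_host() {          # $1 = server cert, $2 = hostname
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# 3. Key: --fleet-server-cert-key must be the private key of --fleet-server-cert.
key_matches_cert() {      # $1 = server cert, $2 = private key (PEM)
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 4. Fingerprint: SHA-256 over the CA certificate's DER encoding, printed as hex
#    without colons and lowercased to match the form shown in the post. Run it on
#    the Elasticsearch CA file and compare with what Fleet shows you.
ca_fingerprint() {        # $1 = CA cert (PEM)
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

check() {                 # $1 = label, rest = command; records failures in $fail
    label="$1"; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fail=1; fi
}

main() {
    fail=0
    work="$(mktemp -d)"
    make_test_pki "$work" fleet.mydomain.com
    check "ca.crt verifies fleet-server.crt"      verify_chain "$work/ca.crt" "$work/fleet-server.crt"
    check "unrelated CA is rejected (the agent's failure mode)" \
          sh -c "! openssl verify -CAfile '$work/other-ca.crt' '$work/fleet-server.crt' >/dev/null 2>&1"
    check "SAN contains DNS:fleet.mydomain.com"   san_has_host "$work/fleet-server.crt" fleet.mydomain.com
    check "fleet-server.key matches fleet-server.crt" key_matches_cert "$work/fleet-server.crt" "$work/fleet-server.key"
    echo "fingerprint of ca.crt (use on the Elasticsearch CA): $(ca_fingerprint "$work/ca.crt")"
    rm -rf "$work"
    return "$fail"
}
main
```

Run it against the real files by calling the four check functions with `/root/ca.crt`, `/root/fleet-server.crt` and `/root/fleet-server.key`. A failing chain check for the files you intend to pass is the local half of the enrollment error; the fingerprint function only tells you what a given CA file hashes to, so whether that value is the right one for `--fleet-server-es-ca-trusted-fingerprint` still depends on that CA being the one Elasticsearch actually presents.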