Hi, I'm trying to enroll Agent Server with self-generated certificates. I'm providing all paths as per this guide. However, the enrollment stops and the last lines in the log are as follows:
{"log.level":"info","@timestamp":"2022-10-26T13:33:05.430Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-10-26T13:33:05Z - message: Application: fleet-server--8.4.3[]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-26T13:33:05.430Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-10-26T13:33:05.441Z","log.origin":{"file.name":"process/stdlogger.go","file.line":54},"message":"fleet-server stderr: \"{\\\"level\\\":\\\"info\\\",\\\"time\\\":\\\"2022-10-26T13:33:05Z\\\",\\\"message\\\":\\\"No applicable limit for 0 agents, using default.\\\"}\\n{\\\"level\\\":\\\"info\\\",\\\"time\\\":\\\"2022-10-26T13:33:05Z\\\",\\\"message\\\":\\\"No applicable limit for 0 agents, using default.\\\"}\\n\"","agent.console.name":"fleet-server","agent.console.type":"stderr","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-10-26T13:33:06.948Z","log.origin":{"file.name":"status/reporter.go","file.line":326},"message":"Elastic Agent status changed to \"degraded\": \"app fleet-server--8.4.3-2d584f65: Running on policy with Fleet Server integration: 70dd4490-552a-11ed-9e32-1beb8620f080; missing config fleet.agent.id (expected during bootstrap process)\"","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-26T13:33:06.949Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-10-26T13:33:06Z - message: Application: fleet-server--8.4.3[]: State changed to DEGRADED: Running on policy with Fleet Server integration: 70dd4490-552a-11ed-9e32-1beb8620f080; missing config fleet.agent.id (expected during bootstrap process) - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
And the certificates are indeed mounted to the container:
user@node6:/home/docker/elastic$ sudo docker exec -it elastic-fleet-server bash
root@0d9e834cc058:/usr/share/elastic-agent# ls /usr/share/elasticsearch/config/certs
ca ca.zip certs.zip es01 fleet-server instances.yml
Here's my docker compose config:
fleet-server:
  image: docker.elastic.co/beats/elastic-agent:${STACK_VERSION}
  container_name: elastic-fleet-server
  restart: unless-stopped
  user: root # note, synthetic browser monitors require this set to `elastic-agent`
  environment:
    - FLEET_URL=https://fleet-server:8220
    - FLEET_SERVER_HOST=fleet-server
    - FLEET_SERVER_PORT=8220
    - FLEET_SERVER_ENABLE=true
    - FLEET_SERVER_ELASTICSEARCH_HOST=https://es01:9200
    - FLEET_SERVER_SERVICE_TOKEN=<token>
    - FLEET_SERVER_POLICY_ID=70dd4490-552a-11ed-9e32-1beb8620f080
    - FLEET_SERVER_CERT=/usr/share/elasticsearch/config/certs/fleet-server/fleet-server.crt
    - FLEET_SERVER_CERT_KEY=/usr/share/elasticsearch/config/certs/fleet-server/fleet-server.key
    - FLEET_SERVER_ELASTICSEARCH_CA=/usr/share/elasticsearch/config/certs/ca/ca.crt
    # - FLEET_SERVER_ELASTICSEARCH_CA_TRUSTED_FINGERPRINT=<fingerprint>
    - FLEET_SERVER_ELASTICSEARCH_INSECURE=true
  volumes:
    - certs:/usr/share/elasticsearch/config/certs
    - /var/run/docker.sock:/var/run/docker.sock:ro
The certs were generated by the same CA as for the ES node itself.
However, I can enroll successfully if I provide only the fingerprint, i.e. relying on the container to self-generate certificates.
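Added example, not part of the post and not Elastic's code: a small Go check that tests a cert/key/CA triple the way a custom-cert enrollment relies on it (does the cert chain to the CA, does it cover the hostname in FLEET_URL, does the key file belong to it). `CheckFleetCert` and `NewTestPKI` are hypothetical names; the key is assumed to be an unencrypted PKCS#8 file, and a constructed in-memory PKI stands in for the mounted certs directory.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckFleetCert checks that cert chains to the CA, covers host (as in FLEET_URL) and matches the key.
func CheckFleetCert(certPEM, keyPEM, caPEM []byte, host string) error {
	cb, _ := pem.Decode(certPEM)
	kb, _ := pem.Decode(keyPEM)
	roots := x509.NewCertPool()
	if cb == nil || kb == nil || !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("cert, key or CA file is not PEM")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	key, kerr := x509.ParsePKCS8PrivateKey(kb.Bytes) // assumes an unencrypted PKCS#8 key
	if err != nil || kerr != nil {
		return fmt.Errorf("parse failed: cert=%v key=%v", err, kerr)
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool }) // cert's key vs key file
	if !ok || !pub.Equal(key.(crypto.Signer).Public()) {
		return fmt.Errorf("key does not match certificate")
	}
	// Verify checks the CA signature, the validity window and that host is a SAN.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// NewTestPKI builds a constructed CA plus a server cert and key with the given SANs (stand-in for the mounted certs).
func NewTestPKI(sans []string) (certPEM, keyPEM, caPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "fleet"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), DNSNames: sans}
	enc := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	return enc("CERTIFICATE", leafDER), enc("PRIVATE KEY", keyDER), enc("CERTIFICATE", caDER)
}
```

Run against the real files, the call would read the three paths from FLEET_SERVER_CERT, FLEET_SERVER_CERT_KEY and the CA, with the host taken from FLEET_URL.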