Error message: `x509: certificate signed by unknown authority`
[root@efk ~]# curl -f https://localhost:8220/api/status -k
{"name":"fleet-server","status":"HEALTHY"}[root@efk ~]#
[root@efk ~]#
[root@efk ~]#
[root@efk ~]# curl -u elastic https://localhost:9200 -u elastic -k
Enter host password for user 'elastic':
Enter host password for user 'elastic':
{
"name" : "es01",
"cluster_name" : "docker-cluster",
"cluster_uuid" : "edHT5to3SoKgtbhETY2atg",
"version" : {
"number" : "8.5.3",
"build_flavor" : "default",
"build_type" : "docker",
"build_hash" : "4ed5ee9afac63de92ec98f404ccbed7d3ba9584e",
"build_date" : "2022-12-05T18:22:22.226119656Z",
"build_snapshot" : false,
"lucene_version" : "9.4.2",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
[root@efk ~]# openssl x509 -fingerprint -sha256 -noout -in /data/es/certs/es01/es01.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A
[root@efk ~]#
[root@efk ~]# cat /etc/auditbeat/auditbeat.yml | grep ssl.ca
ssl.ca_trusted_fingerprint: "2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A"
[root@efk ~]#
[root@efk ~]# sudo auditbeat setup
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.3.2.5:9200: Get "https://10.3.2.5:9200": x509: certificate signed by unknown authority]
[root@efk ~]#
[root@efk ~]#
[root@efk ~]#
[root@efk ~]#
[root@efk ~]#
[root@efk ~]#
[root@efk ~]# cd /opt/
containerd/ Elastic/
[root@efk ~]# cd /opt/Elastic/
[root@efk Elastic]# ll
total 4
drwxr-x--- 5 root root 4096 Jan 5 09:05 Agent
[root@efk Elastic]# cd Agent/
[root@efk Agent]# ll
total 11308
drwxr-x--- 4 root root 63 Jan 4 13:26 data
lrwxrwxrwx 1 root root 39 Jan 4 13:26 elastic-agent -> data/elastic-agent-0e1a73/elastic-agent
-rw------- 1 root root 10485800 Jan 5 09:05 elastic-agent-20230104-1.ndjson
-rw------- 1 root root 5399 Jan 4 13:27 elastic-agent-20230104.ndjson
-rw------- 1 root root 92540 Jan 5 09:16 elastic-agent-20230105.ndjson
-rw-r----- 1 root root 9164 Jan 4 13:26 elastic-agent.reference.yml
-rw------- 1 root root 1947 Jan 4 13:26 elastic-agent.yml
-rw------- 1 root root 9127 Jan 4 13:26 elastic-agent.yml.2023-01-04T13-26-55.1298.bak
-rw------- 1 root root 1438 Jan 4 13:27 fleet.enc
-rw------- 1 root root 0 Jan 4 13:26 fleet.enc.lock
-rw-r----- 1 root root 13675 Jan 4 13:26 LICENSE.txt
-rw-r----- 1 root root 929850 Jan 4 13:26 NOTICE.txt
-rw-r----- 1 root root 861 Jan 4 13:26 README.md
drwxr-x--- 4 root root 41 Jan 4 13:26 tls
drwxr-x--- 2 root root 91 Jan 4 13:26 vault
[root@efk Agent]# ./elastic-agent diagnostics collect
Created diagnostics archive "elastic-agent-diagnostics-2023-01-05T03-58-48Z-00.zip"
***** WARNING *****
Created archive may contain plain text credentials.
Ensure that files in archive are redacted before sharing.
*******************
[root@efk Agent]# ll
total 11852
drwxr-x--- 4 root root 63 Jan 4 13:26 data
lrwxrwxrwx 1 root root 39 Jan 4 13:26 elastic-agent -> data/elastic-agent-0e1a73/elastic-agent
-rw------- 1 root root 10485800 Jan 5 09:05 elastic-agent-20230104-1.ndjson
-rw------- 1 root root 5399 Jan 4 13:27 elastic-agent-20230104.ndjson
-rw------- 1 root root 92540 Jan 5 09:16 elastic-agent-20230105.ndjson
-rw-r--r-- 1 root root 554629 Jan 5 11:58 elastic-agent-diagnostics-2023-01-05T03-58-48Z-00.zip
-rw-r----- 1 root root 9164 Jan 4 13:26 elastic-agent.reference.yml
-rw------- 1 root root 1947 Jan 4 13:26 elastic-agent.yml
-rw------- 1 root root 9127 Jan 4 13:26 elastic-agent.yml.2023-01-04T13-26-55.1298.bak
-rw------- 1 root root 1438 Jan 4 13:27 fleet.enc
-rw------- 1 root root 0 Jan 4 13:26 fleet.enc.lock
-rw-r----- 1 root root 13675 Jan 4 13:26 LICENSE.txt
-rw-r----- 1 root root 929850 Jan 4 13:26 NOTICE.txt
-rw-r----- 1 root root 861 Jan 4 13:26 README.md
drwxr-x--- 4 root root 41 Jan 4 13:26 tls
drwxr-x--- 2 root root 91 Jan 4 13:26 vault
Hello, I have read it carefully, but it did not solve my problem. I have checked everything I could think of and still don't know what's wrong.
[root@efk Agent]# ./elastic-agent status
Status: HEALTHY
Message: (no message)
Applications:
* fleet-server (HEALTHY)
Running on policy with Fleet Server integration: d533ea20-8bee-11ed-9eeb-d1f71829fdc7
* filebeat_monitoring (HEALTHY)
Running
* metricbeat_monitoring (HEALTHY)
Running
* metricbeat (HEALTHY)
Running
[root@efk Agent]# cat /etc/auditbeat/auditbeat.yml | grep -B15 ssl.ca
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["10.3.2.5:9200"]
# Protocol - either `http` (default) or `https`.
protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "auditbeat-to-es:OG5TUWY0VUJISDJncG1ZMTJnYi06SEJDeklOdi1TMUc2a0Y3b28xYktNZw=="
username: "elastic"
password: "elastic@123"
# If using Elasticsearch's default certificate
ssl.ca_trusted_fingerprint: "2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A"
[root@efk Agent]#
[root@efk Agent]#
[root@efk Agent]# sudo auditbeat setup
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.3.2.5:9200: Get "https://10.3.2.5:9200": x509: certificate signed by unknown authority]
[root@efk Agent]#
stephenb
(Stephen Brown)
January 5, 2023, 6:54am
Auditbeat and Elastic Agent are two different components — which one are you referring to?
Did you install Auditbeat separately?
Can you share your entire auditbeat.yml (with the password and any API key redacted)?
Maybe I didn't express myself clearly: the problem I want to solve is the Auditbeat setup failure, not the Elastic Agent.
[root@efk Agent]# cat /etc/auditbeat/auditbeat.yml | egrep -v '^#|^$|^ #|^ #'
# auditbeat.yml with comments and blank lines stripped (the egrep -v above), so
# the original indentation was lost in the paste; restored here to the layout
# of the stock auditbeat.yml.
auditbeat.modules:
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  # The inline rule block is empty after the filter above; any rules come from
  # audit.rules.d/*.conf.
  audit_rules: |
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
    - package # Installed, updated, and removed packages
  period: 2m # The frequency at which the datasets check for changes
- module: system
  datasets:
    - host # General host information, e.g. uptime, IPs
    - login # User logins, logouts, and system boots.
    - process # Started and stopped processes
    - socket # Opened and closed sockets
    - user # User information
  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "10.3.2.5:5601"
output.elasticsearch:
  hosts: ["10.3.2.5:9200"]
  protocol: "https"
  # NOTE(review): plaintext credentials for the `elastic` superuser. They were
  # also posted publicly in this thread (here and as the base64 Basic header in
  # the `curl -v` output), so rotate them. Prefer the Beats keystore
  # (`auditbeat keystore add ES_PWD`, then `password: "${ES_PWD}"`) over a
  # literal password in the file.
  username: "elastic"
  password: "elastic@123"
  # NOTE(review): this value was computed from es01.crt (the node certificate,
  # see the openssl command above). ssl.ca_trusted_fingerprint expects the
  # SHA-256 fingerprint of the *CA* certificate that signed es01.crt; the
  # "certificate signed by unknown authority" error is consistent with the
  # wrong certificate having been fingerprinted.
  ssl.ca_trusted_fingerprint: "2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
stephenb
(Stephen Brown)
January 5, 2023, 4:35pm
Try this first, just to see whether it connects. `ssl.ca_trusted_fingerprint` is the SHA-256 fingerprint of the **CA** certificate (`ca.crt`), not of the node certificate `es01.crt` that you ran openssl against above; if the value printed by the command below differs from the one in your config, your trusted fingerprint is not valid. Perhaps check the docs here:
openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
Also, to help debug from the Auditbeat server:
curl -u elastic https://localhost:9200 -k -v
The `-v` output shows the server certificate (subject, SANs, issuer) so you can compare it with what Auditbeat expects. Note that `-k` disables certificate verification entirely, so a `200 OK` here does not prove the trust chain is correct — and `-v` also prints the `Authorization: Basic …` header, which is just base64 of `user:password`; redact it before pasting the output anywhere.
[root@efk tls]# openssl x509 -fingerprint -sha256 -noout -in /data/es/certs/es01/es01.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A
[root@efk tls]#
[root@efk tls]# curl -u elastic https://localhost:9200 -u elastic -k -v
Enter host password for user 'elastic':
Enter host password for user 'elastic':
* About to connect() to localhost port 9200 (#0)
* Trying ::1...
* Connected to localhost (::1) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=es01
* start date: Dec 30 04:42:54 2022 GMT
* expire date: Dec 29 04:42:54 2025 GMT
* common name: es01
* issuer: CN=Elastic Certificate Tool Autogenerated CA
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Authorization: Basic ZWxhc3RpYzplbGFzdGljQDEyMw==
> User-Agent: curl/7.29.0
> Host: localhost:9200
> Accept: */*
>
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 531
<
{
"name" : "es01",
"cluster_name" : "docker-cluster",
"cluster_uuid" : "edHT5to3SoKgtbhETY2atg",
"version" : {
"number" : "8.5.3",
"build_flavor" : "default",
"build_type" : "docker",
"build_hash" : "4ed5ee9afac63de92ec98f404ccbed7d3ba9584e",
"build_date" : "2022-12-05T18:22:22.226119656Z",
"build_snapshot" : false,
"lucene_version" : "9.4.2",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact
stephenb
(Stephen Brown)
January 6, 2023, 2:55am
This is a cert issue:
Did you try auditbeat with these settings?
Note the subject name for the cert is
* subject: CN=es01
You are trying to connect with
hosts: ["10.3.2.5:9200"]
the cert subject name and the host / IP you are connecting to do not match, so hostname verification will fail every time you connect by IP.
I suspect this is because the certs were created inside Docker with only the subject name `CN=es01`, so certificate validation will not work against any other name.
Note, however, that a name mismatch is normally reported by Go as `x509: certificate is valid for es01, not 10.3.2.5`. The error you are actually seeing, `x509: certificate signed by unknown authority`, is a trust-chain failure: the fingerprint in auditbeat.yml was computed from `es01.crt` (the node certificate), whereas `ssl.ca_trusted_fingerprint` must be the fingerprint of the issuing CA (`CN=Elastic Certificate Tool Autogenerated CA`, i.e. `ca.crt`). Fix that first; you will then still need the IP / DNS name in the certificate for hostname verification to pass.
If you want to connect using other IPs / DNS names:
Assuming you used the default docker-compose, you would need to add the IP address (e.g. `10.3.2.5`) or a valid DNS name to the certificate instances block here:
"instances:\n"\
" - name: es01\n"\
" dns:\n"\
" - es01\n"\
" - localhost\n"\
" ip:\n"\
" - 127.0.0.1\n"\
Also, if you do this you will need to remove the certificates that have already been generated, because the startup script will not regenerate them once they exist. Regenerating them produces a new CA as well, so the `ssl.ca_trusted_fingerprint` value (and the CA configured in every other client — Kibana, Fleet Server, the agents) will have to be updated to match.