Certificate error occurred when installing the fleet server

My Elasticsearch and Kibana versions are 8.5.0. When installing Fleet Server, certificate errors are reported all the time. My Elasticsearch has three nodes, and the certificate was generated using the (elasticsearch-certutil ca) command.
Adding --insecure or --fleet-server-es-insecure doesn't even work.

It's probably because the agent does not trust the Fleet Server cert. You can append --insecure to your elastic-agent install command or add the command line flag to specify the CA cert for the Fleet Server: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.5] | Elastic.

I added the two parameters --insecure and --fleet-server-es-insecure, but both of them failed. The same error still occurred.


Have you configured the Elasticsearch output in Fleet settings?

Have you configured the Fleet server URL in Fleet settings?

No. What should I do?

Go to Kibana > Fleet > Settings, configure the Fleet server URL and Elasticsearch output + SSL.

The steps are mentioned in the doc as well: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.5] | Elastic.

I have set it, but the error is still the same

May want to try to re-generate a new Fleet server service token to test.

I tried. It didn't work


When I ran elastic-agent install, this problem occurred in Elasticsearch.

Is your Elasticsearch listening on http or https?

Listening on https. My Elasticsearch has three nodes.

I am at a loss.
You may want to check if you are using the correct CA cert that you passed to the elastic-agent install command.

Are you using the same cert for all the 3 nodes, or different certs with different CA?

Looks like you are using the auto-generated SSL keys/certs/keystores. If that's the case, each instance generates its own SSL key/cert/keystore and CA, so they are not the same.

Yes, I use (./bin/elasticsearch-certutil ca) and (./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12) to generate the certificate. (./bin/elasticsearch-certutil http) generates http certificates for the different nodes.
What should I do?

Can you try to use the same CA cert that you used to attempt to install the agent with curl? e.g. curl -v --cacert <path to CA cert> https://...:9200.

Do you mean that

You specified --fleet-server-es-ca in elastic-agent install command. Use the same CA cert with curl to try to connect to Elasticsearch, and see if that succeeds.
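
Added example, not part of the original thread or of Elastic's tooling: an offline check of whether each node's certificate chains to the single CA file you intend to pass with --fleet-server-es-ca. The CA and node certificates are constructed with openssl as stand-ins for elasticsearch-certutil output, and all file and function names are hypothetical.

```shell
#!/bin/sh
# Constructed test data only: two CAs and three node certs, where node3 is
# signed by a different CA (the per-node-CA situation raised in the thread).

# chains_to_ca CA_PEM CERT_PEM: exit 0 only if CERT_PEM verifies against CA_PEM
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: constructed self-signed CA written to DIR/NAME.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_node_cert DIR CA_NAME NODE: constructed node cert signed by CA_NAME
make_node_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# audit_nodes DIR CA_NAME NODE...: one "node: OK" or "node: UNTRUSTED" per node
audit_nodes() {
  dir=$1; ca=$2; shift 2
  for node in "$@"; do
    if chains_to_ca "$dir/$ca.pem" "$dir/$node.pem"; then
      echo "$node: OK"
    else
      echo "$node: UNTRUSTED"
    fi
  done
}

# demo: build the constructed PKI, audit it against shared-ca, clean up
demo() {
  d=$(mktemp -d)
  make_ca "$d" shared-ca
  make_ca "$d" other-ca
  make_node_cert "$d" shared-ca node1
  make_node_cert "$d" shared-ca node2
  make_node_cert "$d" other-ca node3
  audit_nodes "$d" shared-ca node1 node2 node3
  rm -rf "$d"
}

demo
```

A node reported as UNTRUSTED is one whose certificate the given CA file cannot validate, which is the case where passing that CA to the agent still produces a certificate error.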