My Elasticsearch and Kibana versions are 8.5.0. When installing Fleet, certificate errors are reported all the time. My Elasticsearch has three nodes, and the certificates were generated using the (elasticsearch-certutil ca) command.
Adding --insecure or --fleet-server-es-insecure doesn't even work.
It's probably because the agent does not trust the Fleet Server cert. You can append --insecure to your elastic-agent install command or add the command line flag to specify the CA cert for the Fleet Server: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.5] | Elastic.
I added the two parameters --insecure or --fleet-server-es-insecure, but both of them failed. The same error still occurred.
Have you configured the Elasticsearch output in Fleet settings?
Have you configured the Fleet server URL in Fleet settings?
No, what should I do?
Go to Kibana > Fleet > Settings, configure the Fleet server URL and Elasticsearch output + SSL.
The steps are mentioned in the doc as well: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.5] | Elastic.
May want to try to re-generate a new Fleet server service token to test.
Is your Elasticsearch listening on http or https?
Listening on https. My Elasticsearch has three nodes.
I am at a loss.
You may want to check if you are using the correct CA cert that you passed to the elastic-agent install command.
Are you using the same cert for all the 3 nodes, or different certs with different CA?
Looks like you are using the auto-generated SSL keys/certs/keystores. If that's the case, each instance generates their own SSL key/cert/keystore and CA, so they are not the same.
Yes, I use (./bin/elasticsearch-certutil ca) and (./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12) to generate the certificates. (./bin/elasticsearch-certutil http) generates HTTP certificates for the different nodes.
What should I do?
Can you try to use the same CA cert that you used to attempt to install the agent with curl? e.g. curl -v --cacert <path to CA cert> https://...:9200
You specified --fleet-server-es-ca in the elastic-agent install command. Use the same CA cert with curl to try to connect to Elasticsearch, and see if that succeeds.
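
An offline variant of the curl check suggested above, as an added example that is not part of the original thread: it uses openssl verify to show which node certificates chain to the CA file you intend to pass to --fleet-server-es-ca. The function names, file names and the throwaway demo PKI are constructed for illustration, and it assumes PEM copies of the CA and of each node's HTTP certificate.

```bash
#!/bin/sh
# Added example. Assumption: PEM copies of the CA and of each node's HTTP
# certificate are available as files; all names below are hypothetical.

# check_ca CA_PEM CERT_PEM: exit status 0 if CERT_PEM chains to CA_PEM.
check_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# audit_nodes CA_PEM CERT_PEM...: one line per cert; returns the failure count.
audit_nodes() {
    audit_ca=$1; shift
    audit_failures=0
    for audit_cert in "$@"; do
        if check_ca "$audit_ca" "$audit_cert"; then
            echo "OK    $audit_cert"
        else
            echo "FAIL  $audit_cert ($(openssl x509 -in "$audit_cert" -noout -issuer))"
            audit_failures=$((audit_failures + 1))
        fi
    done
    return "$audit_failures"
}

# make_demo_pki DIR: constructed sample input. node1 and node2 are signed by
# ca_a, node3 by ca_b, which is the mismatch suspected in the thread.
make_demo_pki() {
    pki=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$pki/ca.cnf"
    for name in ca_a ca_b; do
        openssl req -x509 -config "$pki/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name" -keyout "$pki/$name.key" -out "$pki/$name.pem" 2>/dev/null
    done
    for pair in node1:ca_a node2:ca_a node3:ca_b; do
        node=${pair%%:*}; issuer=${pair##*:}
        openssl req -new -config "$pki/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$node" -keyout "$pki/$node.key" -out "$pki/$node.csr" 2>/dev/null
        openssl x509 -req -in "$pki/$node.csr" -CA "$pki/$issuer.pem" \
            -CAkey "$pki/$issuer.key" -CAcreateserial -days 1 \
            -out "$pki/$node.pem" 2>/dev/null
    done
}

demo=$(mktemp -d)
make_demo_pki "$demo"
audit_nodes "$demo/ca_a.pem" "$demo/node1.pem" "$demo/node2.pem" "$demo/node3.pem" \
    || echo "$? certificate(s) not signed by the CA under test"
```

A FAIL line prints the issuer of the certificate that did not verify, which shows which CA that node's certificate was actually signed by.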