Change agent fingerprint / certificate

No, I am not an "Elastic crack" but a stupid beginner. I am hosting my Elastic (Fleet-managed) environment to better understand how SIEM is working.

Well, after my certificates became invalid / outdated, I decided to re-generate the Elasticsearch and Kibana certificates from scratch. It was a hard way, but I learned a lot about how to configure this.

Now I have the last issue: the self-signed certificates do not match all the enrolled agents (about 10). Due to this, even the Fleet Server is not coming up.

status: (FAILED) Error - failed version compatibility check with elasticsearch: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Elastic Certificate Tool Autogenerated CA")

I hoped it would be enough to change the fingerprint in the default output, but of course the deployed agents still use the old certificates.

Is there any option to

  • get back the Fleet Server
  • distribute the new certificates to the clients

Guess setting up everything from scratch might be faster, but still I think this should be a scenario that can be fixed without losing everything.

Any help?

Are you generating a new CA?

I had a few issues using elasticsearch-certutil in the past year and I moved to using openssl entirely to generate the CA and certs, storing them in .p12 files; that said, I needed to add the new CA into the .p12 file on each node plus the new cert, which I think is not your problem.

Did you also generate a new CA? If yes, the Elastic Agents created previously are not trusting the new CA cert; you could have gotten around this if you had previously changed the CA fingerprint in the Fleet configuration. What you can do now is just add it to the system's trusted CA certificates if it is Linux; on Windows I have just re-enrolled. I don't know if Elastic Agent relies on the Windows certificate store; if it does, you can distribute it using AD policy.

I hope this info can help you somehow.

Thank you Gustavo, I will give it a try. Yes, I also created a new CA. Guess this caused the main problem.

So, putting the CA into the trust store did not help. Finally I removed the agent from the Fleet Server, un-enrolled it in Fleet and re-installed it.
Now "Fleet" is back in the Kibana UI and one by one the clients are re-connecting.

Guess it will take some time to finish but currently it looks good.

When changing the certificates related to Elastic Agents you need to check this documentation on how to proceed to avoid major disruption.