Docker elastic-agent certificate signed by unknown authority

Hi. I'm trying to launch elastic-agent in a docker-compose way:

    platform: linux/arm64
    container_name: elastic-agent
    restart: always
    user: root # note, synthetic browser monitors require this set to `elastic-agent`
      - FLEET_ENROLLMENT_TOKEN={{ enrollment_token }} 
      - FLEET_ENROLL=1
      - FLEET_URL={{ elk_url }} 
      - CERTIFICATE_AUTHORITIES={{ cert_path }}/http_ca.crt
      - ./elastic-agent/certs:{{ cert_path }}
      - /var/run/docker.sock:/var/run/docker.sock

When I do docker-compose up I'm getting this:

elastic-agent | Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority

However I was able to:

  1. exec into container and do

elastic-agent enroll -f --url=$FLEET_URL --enrollment-token=$FLEET_ENROLLMENT_TOKEN --certificate-authorities=$CERTIFICATE_AUTHORITIES

{"log.level":"info","@timestamp":"2022-08-26T14:15:37.265Z","log.origin":{"":"cmd/enroll_cmd.go","file.line":461},"message":"Starting enrollment to URL: {{ elk_url }} ","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-08-26T14:15:50.454Z","log.origin":{"":"cmd/enroll_cmd.go","file.line":259},"message":"Elastic Agent might not be running; unable to trigger restart","ecs.version":"1.6.0"}
Successfully enrolled the Elastic Agent.
  1. setup agent of same version right on a host (without docker)

elastic-agent install -f --url={{ elk_url }} --enrollment-token={{ enrollment_token }} --certificate-authorities={{ cert_path }}

How do I set up docker-compose elastic-agent to successfully enroll in fleet?

Okay, I've figured it out after diggin into container entrypoint.
An agent is launched by command

elastic-agent container "$@"

And this command has no argument called "CERTIFICATE_AUTHORITIES". Instead you should use "FLEET_CA" variable set.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.