Does the '--ca-sha256' command line option for Elastic Agent actually work?

I have a self-managed fleet server that has a self-signed certificate on it.

I can successfully enrol an agent if I use the following command line options:

--certificate-authorities=elasticsearch-ca.pem --fleet-server-cert=fleet-server.crt --fleet-server-cert-key=fleet-server.key

However, it needs me to place the certs onto each computer from which I want to install the agent.

According to the user documentation (Elastic Agent command reference | Fleet and Elastic Agent Guide [8.11] | Elastic) there is a command line option named "--ca-sha256" which states the following:

"Comma-separated list of certificate authority hash pins used for certificate verification."

So using openssl I obtained the x509 CA certificate sha256 fingerprint from the "elasticsearch-ca.pem" cert - it comes out in the format of XX:XX:XX:...

I place that into the command line using the argument "--ca-sha256" and then remove the --certificate-authorities, --fleet-server-cert and --fleet-server-cert-key options.

The install of the elastic agent then fails with the error:

Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority

Can anyone assist on this or see if I am doing something wrong?

Hi, the --ca-sha256 flag is used to pin a specific CA specified by the --certificate-authorities option, not to automatically trust a CA.

The --fleet-server-es-ca-trusted-fingerprint flag is used by fleet-server to automatically trust a CA that matches the fingerprint (when connecting to Elasticsearch).

We do not have a trusted fingerprint CA for agent->fleet-server connections.
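To make the reply above concrete, here is an added example (written for this edit; it is not code from the thread or from Elastic) showing the two encodings of a CA certificate's SHA-256 and an enroll command that keeps --certificate-authorities and adds --ca-sha256 as a pin on top of it. The pin format is an assumption taken from what Beats documents for its ssl.ca_sha256 setting: base64 of the SHA-256 over the DER-encoded certificate, which is not the XX:XX:... colon-hex string that "openssl x509 -fingerprint -sha256" prints; confirm it against the Agent command reference for your version. The certificate bytes, the file name elasticsearch-ca.pem, the Fleet URL and the token placeholder are all constructed for the demonstration.

```python
import base64
import hashlib
import re
import sys

# Constructed stand-in for the DER bytes of a CA certificate. Real DER is an
# ASN.1 SEQUENCE, but nothing below parses it: the pin is a hash over the raw
# bytes, so arbitrary bytes are enough to show the two encodings.
SAMPLE_CA_DER = bytes(range(256)) * 3


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in a PEM envelope (64-column base64, as openssl writes it)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case hex: the form 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def ca_sha256_pin(der: bytes) -> str:
    """Base64 of the raw SHA-256 of the DER certificate: the assumed ca_sha256 pin form."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def hex_fingerprint_to_pin(fingerprint: str) -> str:
    """Convert an openssl-style XX:XX:... fingerprint into the base64 pin form."""
    raw = bytes.fromhex(fingerprint.replace(":", ""))
    if len(raw) != 32:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return base64.b64encode(raw).decode("ascii")


def enroll_command(ca_path: str, pin: str, url: str, token: str) -> list:
    """Enroll arguments that pin the CA. --ca-sha256 restricts which of the
    trusted CAs may sign the Fleet Server certificate; it does not replace
    --certificate-authorities, which is what establishes trust in the first place."""
    return [
        "elastic-agent", "enroll",
        f"--url={url}",
        f"--enrollment-token={token}",
        f"--certificate-authorities={ca_path}",
        f"--ca-sha256={pin}",
    ]


def main(argv: list) -> int:
    if len(argv) > 1:
        ca_path = argv[1]  # a real CA PEM, e.g. the elasticsearch-ca.pem from the post
        with open(ca_path, encoding="ascii") as fh:
            pem = fh.read()
    else:
        ca_path = "elasticsearch-ca.pem"  # hypothetical path, as in the post
        pem = der_to_pem(SAMPLE_CA_DER)   # constructed sample certificate
    der = pem_to_der(pem)
    fp = sha256_fingerprint(der)
    pin = ca_sha256_pin(der)
    print("openssl-style fingerprint:", fp)
    print("ca_sha256 pin            :", pin)
    # The two strings are the same digest in different encodings.
    assert hex_fingerprint_to_pin(fp) == pin
    print(" ".join(enroll_command(ca_path, pin,
                                  "https://fleet.example.internal:8220",
                                  "<enrollment-token>")))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to your CA PEM as the only argument to print both encodings plus a pinned enroll command; the same pin can be cross-checked with "openssl x509 -in elasticsearch-ca.pem -outform DER | openssl dgst -sha256 -binary | openssl base64". Because the pin is an extra check applied to an already validated chain, removing --certificate-authorities still leaves the agent with no trust anchor for the self-signed Fleet Server certificate, which is the "certificate signed by unknown authority" failure in the question.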
