I have a self-managed fleet server that has a self-signed certificate on it.
I can successfully enrol an agent if I use the following command line options:
--certificate-authorities=elasticsearch-ca.pem --fleet-server-cert=fleet-server.crt --fleet-server-cert-key=fleet-server.key
However, it needs me to place the certs onto each computer from which I want to install the agent.
According to the user documentation (Elastic Agent command reference | Fleet and Elastic Agent Guide [8.11] | Elastic) there is a command line option named "--ca-sha256" which states the following:
"Comma-separated list of certificate authority hash pins used for certificate verification."
So using openssl I obtained the x509 CA certificate sha256 fingerprint from the "elasticsearch-ca.pem" cert - it comes out in the format of XX:XX:XX:...
I place that into the command line using the argument "--ca-sha256" and then remove the --certificate-authorities, --fleet-server-cert and --fleet-server-cert-key options.
The install of the elastic agent then fails with the error:
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
Can anyone assist on this or see if I am doing something wrong?
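For comparing pin values such as the openssl fingerprint mentioned in the post, the sketch below (an added example, not code from the post or from Elastic) computes the SHA-256 of a certificate's DER bytes and shows the same digest as colon-separated hex, plain hex and base64. The function names are hypothetical, the sample PEM is a constructed placeholder rather than a real CA, and the code makes no claim about which encoding `--ca-sha256` accepts.

```python
import base64
import hashlib
import ssl

# Constructed placeholder: real PEM framing around arbitrary bytes, not a real CA.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder DER bytes, not a real CA").decode()
    + "-----END CERTIFICATE-----\n"
)

def cert_fingerprints(pem: str) -> dict:
    """SHA-256 over the certificate's DER bytes, in three common encodings."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).digest()
    hexed = digest.hex()
    return {
        "colon_hex": ":".join(hexed[i:i + 2] for i in range(0, 64, 2)).upper(),
        "hex": hexed,
        "base64": base64.b64encode(digest).decode(),
    }

def parse_pin(pin: str) -> bytes:
    """Decode a SHA-256 pin given as colon-hex, plain hex or base64."""
    text = pin.strip()
    if "fingerprint=" in text.lower():      # openssl prints a "...Fingerprint=" prefix
        text = text.split("=", 1)[1]
    compact = text.replace(":", "")
    if len(compact) == 64:                  # 32 bytes written as hex digits
        try:
            return bytes.fromhex(compact)
        except ValueError:
            pass
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError as exc:               # binascii.Error is a ValueError
        raise ValueError("not a hex or base64 SHA-256 pin") from exc
    if len(raw) != 32:
        raise ValueError("pin does not decode to 32 bytes")
    return raw

def pin_matches(pem: str, pin: str) -> bool:
    """True when the pin, in any supported encoding, is this certificate's digest."""
    return parse_pin(pin) == bytes.fromhex(cert_fingerprints(pem)["hex"])

if __name__ == "__main__":
    for name, value in cert_fingerprints(SAMPLE_PEM).items():
        print(f"{name:10} {value}")
```
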