Elastic Agent 7.10.1 : javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

hilo21 · January 9, 2021, 2:11pm

Hello,

I was testing the latest version of Elastic Stack 7.10.1. So far, so far following the documentation I managed setup an test environment and setup a small lab.

I am interested in testing (Simulating Attacks) on a machine that has Elastic Agent installed. So far I managed to install it on a windows 7 machine and after pulling my hair over why my Agent is only online for couple of minutes before it goes completely offline I managed to enroll it using Fleet.

My agent is now enrolled but I am not receiving any data. After reviewing Elasticsearch logs I found this error :

[WARN ][o.e.h.AbstractHttpServerTransport] [aio] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/192.168.20.155:9200, remoteAddress=/192.168.20.25:50945}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

This clearly indicates that elasticsearch refusing communication with the machine that has Elastic Agent 192.168.20.25.

I am trying to do the same configuration here as I did for my agents like winlogbeat and filebeat but it doesn't work for me :

outputs:
  default:
    type: elasticsearch
    hosts: [https://192.168.20.155:9200]
    ssl.certificate_authorities: ["C:\Tools\cert\elastic-stack-ca.pem"]
    ssl.verification_mode: none
    username: elastic
    password: elastic

I can't find any documentation on how to configrue elastic agent to use self signed certificates. can you please help or guide me.

Thank you

hilo21 · January 9, 2021, 4:11pm

Okey I solved it, gonna leave this here for others

Did some more digging in github repos. I found this issue :

which lead me to this other one with a workaround :

Because I am just testing this I disabled verification in the action-store.yml file found (in my windows machine) here C:\Program Files\Elastic\Agent\data\elastic-agent-1da173\:

  outputs:
    default:
      api_key: 1Pje5..................
      hosts:
      - https://192.168.20.155:9200
      type: elasticsearch
      ssl.verification_mode: none

K_I_M · February 3, 2021, 3:42pm

kibana.yml

elasticsearch.username: "elastic"
elasticsearch.password: "............"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/ca-test.crt" ]
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/elastic-test-visual.crt
server.ssl.key: /etc/kibana/certs/elastic-test-visual.key
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.fleet.enabled: true
xpack.encryptedSavedObjects.encryptionKey: "................."

elasticsearch.yml (on test1 node) ...

xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

Transport layer

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/elastic-test1.key
xpack.security.transport.ssl.certificate: certs/elastic-test1.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca-test.crt

HTTP layer

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: certs/elastic-test1.key
xpack.security.http.ssl.certificate: certs/elastic-test1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca-test.crt

on host with elastic-agent:

copy ca-test.crt to /etc/pki/tls/certs/ (centos7) truststore
./elastic-agent enroll https://kibana_host --certificate-authorities /etc/pki/tls/certs/ca-test.crt

ssl.verification oK
Data streams onboard

Thanks for hint