Hello,
I've built a simple docker compose that will spin up a single node cluster with Elasticsearch, Kibana and a Fleet server and I'm facing an issue where the ca_trusted_fingerprint is not working as expected.
The compose will create a CA and a certificate using openssl and in a further step it will create a default elasticsearch output in fleet with the sha256 fingerprint of the ca as the value for ca_trusted_fingerprint.
The issue is that even with the ca_trusted_fingerprint configured, the Agent on the fleet container cannot connect to the Elasticsearch container and keeps throwing the unknown authority error.
Error dialing x509: certificate signed by unknown authority
But if I get the certificate and configure it in the advanced yml with ssl.certificate_authorities, it will work.
For example, considering the CA file as ca-siem.pem, I can get the fingerprint with the following command:
sudo openssl x509 -fingerprint -sha256 -in ca-siem.pem
And the result will be something like this:
sha256 Fingerprint=2F:96:88:4D:A6:20:0B:ED:CA:CE:E9:92:85:99:1E:31:E8:78:75:CD:67:68:4A:82:CD:D3:20:8C:C2:D5:EC:55
The ca_trusted_fingerprint would then be configured to use 2F96884DA6200BEDCACEE99285991E31E87875CD67684A82CDD3208CC2D5EC55 as the value.
But this will lead to errors regarding the fingerprint and the unknown authority:
{"log.level":"info","@timestamp":"2024-06-29T04:56:58.691Z","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-06-29T04:56:58.691Z","message":"no CA certificate matching the fingerprint","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.logger":"tls","log.origin":{"file.line":208,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-06-29T04:56:58.691Z","message":"Error dialing x509: certificate signed by unknown authority","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.origin":{"file.line":38,"file.name":"transport/logging.go","function":"github.com/elastic/elastic-agent-libs/transport/httpcommon.(*HTTPTransportSettings).RoundTripper.LoggingDialer.func2"},"service.name":"metricbeat","address":"elasticsearch:9200","log.logger":"esclientleg","network":"tcp","ecs.version":"1.6.0","ecs.version":"1.6.0"}
But if I use the certificate in the advanced yaml configuration it will work.
ssl.certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    MIIDkTCCAnmgAwIBAgIUcElxHmR8/QJQRmpQ1OXMdmQsFbkwDQYJKoZIhvcNAQEL
    BQAwWDELMAkGA1UEBhMCQlIxCzAJBgNVBAgMAlJKMRcwFQYDVQQHDA5SSU8gREUg
    SkFORUlSTzEUMBIGA1UECgwLU0lFTSBET0NLRVIxDTALBgNVBAsMBFNJRU0wHhcN
    MjQwNjI5MDQ0NjAyWhcNMjkwNzAzMDQ0NjAyWjBYMQswCQYDVQQGEwJCUjELMAkG
    A1UECAwCUkoxFzAVBgNVBAcMDlJJTyBERSBKQU5FSVJPMRQwEgYDVQQKDAtTSUVN
    IERPQ0tFUjENMAsGA1UECwwEU0lFTTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
    AQoCggEBANIyUorRCtZRcH2JMEbT3xInlCakNHu5fUCigx3IA5IgegpJOgXghO2B
    25QQ21FJXsvLBEklde+f9BC2AwfST2g8fvqDjCHvnX3MygibfWDXKAvrkTSDqGPR
    z07i1DQEyTkkJcuud8d7fuUNZ8LS40n+IPdRBFI0qeHFNoYudIf9e09aqICRO/wZ
    EkjR4uV2UjoBXYHNLsn8uDqCd1Zx70deQDuXMYP+9jJ0oWaXfKlt92qGg6TGsthF
    9rMX0b2VM22Tw7YvVhYHoH0Pk6f5fphFF0LeSXQEITEP9yCuHHTNGhf5lpkzg5UV
    HgKbTx24EmFm48zGeEuhKMjtUfu+tdUCAwEAAaNTMFEwHQYDVR0OBBYEFKSw10ms
    wAMXgIlrD2Ns1BjVB2LeMB8GA1UdIwQYMBaAFKSw10mswAMXgIlrD2Ns1BjVB2Le
    MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAOwTRBloKxr8EGG
    Mge2pMpxb5pK6zUwsFe4nhJq/5gxxpNoEALvLRMWA7fGF9UNB6pHEmZzSRyJeDnC
    L3sYwgwmcExqfKkDWlDCuvnVcFi3drgDUp86iDuaUs7LrGZYBlbJdk4SaVuSfmd5
    mfgrmoqzqeHwZnnJsft6CVlTr2J76EC5tiWsiAvlTPPYq3swugckXLI4IhGV9HHy
    cbaA9EHZ0qFi6rkUfGX8NuByPxtUbH6clmxT1LzvQzx9evaMUE+ZIaN2I9n48yFU
    0DGCk/bjNG3PLnD/iZwvE29RSMvTW1OwNjWCPMBgwGttXIAcB7DjnBwcqdhkRfj8
    kl+ZnaI=
    -----END CERTIFICATE-----
The certificate works, but the fingerprint does not. What am I missing?
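Added diagnostic example (not code from the post or from Elastic): it normalises the openssl fingerprint line to the bare hex form used above, computes the SHA-256 over a certificate's DER bytes the way `openssl x509 -fingerprint -sha256` does, and then checks whether that fingerprint matches any certificate in the chain a server presents, which is what the "looking for matching fingerprints" / "no CA certificate matching the fingerprint" log lines describe. The chain text and the certificates are constructed stand-ins; on a real cluster you would feed it the output of `openssl s_client -showcerts -connect elasticsearch:9200`.

```python
import base64
import hashlib
import re

# Every PEM certificate block in a text, e.g. `openssl s_client -showcerts` output.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
PEM_HEADER, PEM_FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def normalize_fingerprint(value: str) -> str:
    """Reduce the openssl line ("sha256 Fingerprint=2F:96:..."), the colon form
    or the bare hex form to the 64 upper-case hex characters used in the config."""
    value = value.split("=", 1)[-1].replace(":", "").strip().upper()
    if len(value) != 64 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError(f"not a SHA-256 fingerprint: {value!r}")
    return value


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body."""
    body = pem.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(body.split()))


def cert_fingerprint(pem: str) -> str:
    """SHA-256 of the DER encoding, which is what `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest().upper()


def find_trusted_root(trusted: str, chain_text: str):
    """Index of the presented certificate whose fingerprint equals ca_trusted_fingerprint,
    or None when the server never sends the fingerprinted CA at all. Trust here is pinned
    by hash, so a CA that is only on disk and not in the handshake can never match."""
    wanted = normalize_fingerprint(trusted)
    for idx, pem in enumerate(PEM_BLOCK.findall(chain_text)):
        if cert_fingerprint(pem) == wanted:
            return idx
    return None


def fake_pem(payload: bytes) -> str:
    """Constructed stand-in: PEM armour around arbitrary bytes, enough to exercise
    the hashing and matching paths without a real key pair."""
    return f"{PEM_HEADER}\n{base64.encodebytes(payload).decode()}{PEM_FOOTER}"


# Constructed sample handshake output: leaf only, and leaf plus the CA.
LEAF = fake_pem(b"constructed leaf certificate for elasticsearch:9200")
CA = fake_pem(b"constructed CA certificate (ca-siem)")
CHAIN_LEAF_ONLY = "Certificate chain\n 0 s:CN=elasticsearch\n" + LEAF + "\n---\n"
CHAIN_WITH_CA = CHAIN_LEAF_ONLY + " 1 s:CN=ca-siem\n" + CA + "\n"

if __name__ == "__main__":
    pinned = cert_fingerprint(CA)
    print("leaf-only chain ->", find_trusted_root(pinned, CHAIN_LEAF_ONLY))  # None
    print("chain with CA   ->", find_trusted_root(pinned, CHAIN_WITH_CA))    # 1
```

A None result with a correct fingerprint points at the server side: the chain Elasticsearch serves has to include the CA certificate for the fingerprint to have anything to match.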