Elastic-agent-complete->x509: certificate signed by unknown authority

When you enroll in fleet, almost none of the other fleet settings in the current list (other than fleet URL, enroll, and the enrollment token) matter anymore.

Similarly, none of the Elasticsearch settings matter either as you're getting your configuration from fleet.

So you have two options:

  1. Add the public certificate of your certificate authority into the Docker container and update the CA certificates (annoying), or
  2. Add the CA cert's fingerprint to the output in Fleet.

You've decided to do number 2 but it is not working. When the trusted fingerprint setting is not working, it is almost always caused by one of two things:

  1. You've incorrectly generated the sha256 of your certificate, or
  2. You've incorrectly set up the certificate on your Elasticsearch node and it does not include the full CA chain.

To check for number 2, simply open your Elasticsearch cluster (at port 9200, not Kibana!) in a browser and check the certificate. Is it all by itself, or does it show a certificate chain? Does it go all the way up to your root CA?

If the certificate chain is present you've probably incorrectly generated the sha256 of the certificate.

If the certificate chain is not present, you've incorrectly set up the certificate on your Elasticsearch node. If it's a plaintext SSL crt file, you need to go modify the public certificate on your Elasticsearch nodes and paste in the CA cert so that the public certificate file contains both the public cert and the CA cert.

If you're using a non-plaintext certificate format, you'll need to use openssl to embed the CA cert into the certificate.

You'll need to do this on each Elasticsearch node.
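
Both failure causes above can be checked offline against the certificate file itself. The following is an added example, not part of the original post: it computes the SHA-256 over each certificate's DER bytes, shows that hashing the PEM text instead gives a value that matches nothing, and reports whether the file holds more than the node certificate. The helper names are hypothetical, the sample "certificates" are constructed placeholder bytes, and the file is assumed to list the node certificate first and the CA certificate after it.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(der):
    """Wrap DER bytes in a PEM certificate block (used to build the samples)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def pem_certs_to_der(pem_text):
    """Return the DER bytes of each certificate in a PEM file, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def fingerprint(der):
    """SHA-256 over the DER bytes, the value openssl x509 -fingerprint -sha256 reports."""
    return hashlib.sha256(der).hexdigest().upper()

def normalize(fp):
    """Drop colons, spaces and case so pasted fingerprints compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def check(pem_text, configured_fp):
    """Compare a configured fingerprint with the certificates in a PEM file."""
    fps = [fingerprint(d) for d in pem_certs_to_der(pem_text)]
    wanted = normalize(configured_fp)
    return {
        "certs_in_file": len(fps),
        "has_chain": len(fps) > 1,  # node cert plus at least one CA certificate
        # Index of the matching certificate (0 = first in file), or None.
        "matched_position": fps.index(wanted) if wanted in fps else None,
    }

# Constructed placeholder bytes, not real certificates: hashing and PEM
# splitting do not parse ASN.1, so any byte string shows the behaviour.
LEAF_DER = b"constructed-node-certificate-bytes"
CA_DER = b"constructed-ca-certificate-bytes"
CHAIN_PEM = to_pem(LEAF_DER) + to_pem(CA_DER)   # node cert followed by CA cert
LEAF_ONLY_PEM = to_pem(LEAF_DER)                # CA cert missing from the file

if __name__ == "__main__":
    good = fingerprint(CA_DER)
    bad = hashlib.sha256(to_pem(CA_DER).encode()).hexdigest()  # hash of PEM text
    print("chain file, DER hash:", check(CHAIN_PEM, good))
    print("chain file, PEM-text hash:", check(CHAIN_PEM, bad))
    print("leaf-only file:", check(LEAF_ONLY_PEM, good))
```

To use it on a real file, read the certificate file from one of your nodes into a string and pass it to `check()` together with the fingerprint entered in the Fleet output.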