I am using an SSL certificate, but it is still giving a TLS error.
Our certificates are NOT self-signed certificates.
They are certificates issued by a custom Certificate Authority (CA).
version: '3.0'
services:
  elastic-agent:
    image: docker.elastic.co/elastic-agent/elastic-agent-complete:8.16.3
    container_name: elastic-agent
    environment:
      - FLEET_ENROLL=1
      - FLEET_URL=https://elastic-uat.helo.ai:8220
      - FLEET_ENROLLMENT_TOKEN=token
      - SSL_CERTIFICATE_AUTHORITIES=/usr/share/elastic-agent/certs/ca/helo.ai.bundle.crt
      - LOG_LEVEL=debug
      - ELASTICSEARCH_HOSTS=https://elastic.helo.ai:9200
      - FLEET_CA=/usr/share/elastic-agent/certs/ca/helo.ai.bundle.crt
      - ELASTICSEARCH_SSL_CERTIFICATE_AUTHORITIES=/usr/share/elastic-agent/certs/ca/helo.ai.bundle.crt
      - FLEET_SERVER_CERT=/usr/share/elastic-agent/certs/ca/helo.ai.crt
      - FLEET_SERVER_CERT_KEY=/usr/share/elastic-agent/certs/ca/helo.ai.key
      - FLEET_SERVER_ES_CA=/usr/share/elastic-agent/certs/ca/helo.ai.bundle.crt
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=password
      - FLEET_INSECURE=true
      - fleet-server-es=https://elastic.helo.ai:9200
      - fleet-server-es-ca=/usr/share/elastic-agent/certs/ca/helo.ai.bundle.crt
      - certificate-authorities=/usr/share/elastic-agent/certs/ca/helo.ai.bundle.crt
      - fleet-server-cert=/usr/share/elastic-agent/certs/ca/helo.ai.crt
      - fleet-server-cert-key=/usr/share/elastic-agent/certs/ca/helo.ai.key
      - ELASTICSEARCH_SSL_VERIFICATION_MODE=certificate
      - FLEET_SERVER_ENABLE=true
      - FLEET_SERVER_ELASTICSEARCH_HOST=https://elastic-uat.helo.ai:8220
      - FLEET_SERVER_SERVICE_TOKEN=token
    privileged: true # Add this line to enable privileged mode
    cap_add:
      - NET_RAW
      - SETUID
    extra_hosts:
      - "elastic-uat.helo.ai:10.40.13.133"
      - "elastic.helo.ai:10.40.13.132"
    volumes:
      - /var/ssl/helo.ai/helo.ai.bundle.crt:/usr/share/elastic-agent/certs/ca/helo.ai.bundle.crt
      - /var/ssl/helo.ai/helo.ai.key:/usr/share/elastic-agent/certs/ca/helo.ai.key
      - /var/ssl/helo.ai/helo.ai.crt:/usr/share/elastic-agent/certs/ca/helo.ai.crt
    restart: unless-stopped
Error:
elastic-agent | {"log.level":"error","@timestamp":"2025-02-27T15:09:58.543Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator.(*Coordinator).watchRuntimeComponents","file.name":"coordinator/coordinator.go","file.line":663},"message":"Unit state changed fleet-server-default (STARTING->FAILED): Error - failed version compatibility check with elasticsearch: tls: failed to verify certificate: x509: certificate signed by unknown authority","log":{"source":"elastic-agent"},"component":{"id":"fleet-server-default","state":"HEALTHY"},"unit":{"id":"fleet-server-default","type":"output","state":"FAILED","old_state":"STARTING"},"ecs.version":"1.6.0"}
Even with the command below, it gives me the same error:
sudo docker run \
  --env FLEET_ENROLL=1 \
  --env FLEET_URL=https://fleet.helo.ai:8220 \
  --env FLEET_ENROLLMENT_TOKEN=token \
  --env insecure=true \
  --cap-add=NET_RAW \
  --cap-add=SETUID \
  --add-host fleet.helo.ai:10.40.13.133 \
  --rm docker.elastic.co/elastic-agent/elastic-agent-complete:8.16.4
Error:
agent container initialisation - effective capabilities
agent container initialisation - ambient capabilities
agent container initialisation - chown paths
{"log.level":"info","@timestamp":"2025-02-28T08:36:10.388Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).enrollWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":520},"message":"Starting enrollment to URL: https://fleet.helo.ai:8220/","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-02-28T08:36:10.668Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).enrollWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":526},"message":"1st enrollment attempt failed, retrying enrolling to URL: https://fleet.helo.ai:8220/ with exponential backoff (init 1s, max 10s)","ecs.version":"1.6.0"}
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.16/fleet-troubleshooting.html
Error: enrollment failed: exit status 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.16/fleet-troubleshooting.html