Elastic Agent connection to ES fails due to missing hostname in auto-configured certificate

My setup includes an Elasticsearch server, a Kibana server and a Fleet server, version 8.2.
Installation was done via the Linux APT/DEB method with security auto-configured certificates.

The idea of the server setup is to install Elastic Agent remotely on hosts outside of the network, mostly connecting from the internet. Agents are successfully enrolled via the Internet-facing Fleet server.

The Elasticsearch server is also Internet-facing and reachable via DNS/IP (port forwarding via FW).

The Fleet server settings for the Elasticsearch output include the Internet-facing DNS address, so freshly enrolled Elastic Agents will communicate with the correct DNS address, but the connection fails on certificate validation. The problem is that the Beats agent is complaining about the DNS address not being mentioned as a hostname in the certificate.

So my idea was to re-issue the http.p12 certificate to include this DNS name, but the Elasticsearch security auto-configured setup did not provide an elastic-stack-ca.p12 file, so it is not possible to re-issue the http.p12 certificate using the documented procedure.

Maybe within this server setup, this procedure is deprecated.

Any suggestions on what will solve my issue?

