Elastic-agent failed to enroll due to TLS access denied alert

This is a really interesting issue.

Related code: elastic-agent/client.go at cda5b7e75d080c6be9e9220dfa607c145cf598b4 · elastic/elastic-agent · GitHub

I'm using a self-signed CA to deploy elastic-agent in an internal environment; enrolling the *nix agent works perfectly because I had previously trusted all the CAs on the local machine.

However, when it comes to Windows 10 / Windows Server 2022, things change.

Using an https --url and --enrollment-token with the install subcommand of elastic-agent on Windows Server 2022, I got this in DEBUG-level logging:

{"log.level":"info","@timestamp":"2023-05-30T23:08:34.717+0800","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":475},"message":"Starting enrollment to URL: https://MY-DOMAIN:8220/","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-05-30T23:08:34.948+0800","log.origin":{"file.name":"remote/client.go","file.line":172},"message":"Request method: POST, path: /api/fleet/agents/enroll, reqID: 01H1PK8A84J9XTADNJ7YG95R5C","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-05-30T23:08:34.949+0800","log.origin":{"file.name":"remote/client.go","file.line":186},"message":"Creating new request to request URL https://MY-DOMAIN:8220/api/fleet/agents/enroll?","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-05-30T23:08:34.960+0800","log.origin":{"file.name":"remote/client.go","file.line":220},"message":"requester 0/1 to host https://MY-DOMAIN:8220/ errored","error":{"message":"Post \"https://MY-DOMAIN:8220/api/fleet/agents/enroll?\": remote error: tls: access denied"},"ecs.version":"1.6.0"}
Error: fail to enroll: fail to execute request to fleet-server: remote error: tls: access denied

So elastic-agent failed to install.

Chrome can access port 8220 (/api/status returned HEALTHY) without any error.

Then I captured traffic using Wireshark, and this is where things start to get interesting:

Chrome requesting HTTPS /api/status , working fine:

Elastic-Agent enroll, failing immediately, even before the Server Hello:

Comparing the ClientHello with the TLS protocols the server supports, everything seems fine:

The left one is the client hello, the right one is the server hello, so this comparison should show no issue.

So something must be wrong, and there might be a bug here.

BTW, I've confirmed that there is NO PROXY set in the environment.

After analyzing your Go code, I found it is just a wrapper around http.Client, so I wrote a request client myself like this:

package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
)

func main() {
	url := "https://MY-DOMAIN:8220/api/fleet/agents/enroll"
	data := `{"a": 1}`

	// Plain net/http POST, using the same http.Client the agent wraps.
	req, err := http.NewRequest("POST", url, bytes.NewBufferString(data))
	if err != nil {
		fmt.Println("Error creating request:", err)
		return
	}

	client := &http.Client{}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("Error sending request:", err)
		return
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Println("Error reading response body:", err)
		return
	}

	fmt.Println("Response body:", string(body))
}

which works like a charm and gives HTTP 200 as expected. So there should be no issue on the server side. Also, I have not enabled mTLS authentication; only the token and password are used for auth.

Update 1: fleet-server debug logging: elastic_agent.fleet_server [elastic_agent.fleet_server][error] http: TLS handshake error from EOF

So something must be wrong in the TLS handshake on one side or the other.

I'll continue debugging until I'm tired.

Update 2: I tried reverse-proxying fleet-server with Caddy to narrow down the troubleshooting; curl returns 200 as expected, but the same TLS access denied alert occurred when using Elastic Agent, after the client hello reached the reverse proxy server. So I guess the problem is on the client side.

Then I set GODEBUG=http2debug=2 to check whether it would dump HTTP/2 frame data; of course, nothing was output.

End: ESET blocked my website access without any alert.
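The capture above shows the handshake dying right after the ClientHello, and the agent log shows the Go error string that corresponds to that. The following is an added example, not code from the original post or from elastic-agent, that reproduces both outcomes locally in Go: a throwaway self-signed certificate (an assumption standing in for the internal CA), a real crypto/tls server, and a bare TCP listener that behaves like a filtering middlebox by consuming the ClientHello and answering with a fatal access_denied alert whose record bytes are constructed by hand from RFC 8446. The helper names (selfSignedCert, startAlertingServer, classifyHandshake) are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// accessDeniedAlert is a hand-built TLS record (constructed, not captured): alert (0x15), version 0x0303, length 2, level fatal (2), description access_denied (49); RFC 8446 section 6.
var accessDeniedAlert = []byte{0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x31}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert returns a throwaway certificate for 127.0.0.1 and a pool that trusts only it,
// standing in for the internal CA from the post.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serve runs handle on every accepted connection until the listener is closed.
func serve(ln net.Listener, handle func(net.Conn)) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		go func(c net.Conn) { defer c.Close(); handle(c) }(c)
	}
}

// startTLSServer is a well-behaved server: it completes the handshake, then hangs up.
func startTLSServer(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	must(err)
	go serve(ln, func(c net.Conn) { _ = c.(*tls.Conn).Handshake() })
	return ln
}

// startAlertingServer plays the middlebox from the capture: it consumes the ClientHello record, never sends a ServerHello, and replies with the fatal access_denied alert.
func startAlertingServer() net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	go serve(ln, func(c net.Conn) {
		_ = c.SetDeadline(time.Now().Add(2 * time.Second))
		hdr := make([]byte, 5) // record header: type, version, length
		if _, err := io.ReadFull(c, hdr); err != nil || hdr[0] != 0x16 {
			return // not a handshake record
		}
		_, _ = io.CopyN(io.Discard, c, int64(hdr[3])<<8|int64(hdr[4])) // drain the body
		_, _ = c.Write(accessDeniedAlert)
	})
	return ln
}

// classifyHandshake dials addr with the given roots, as http.Client would, and names the outcome; crypto/tls reports a fatal alert from the peer as "remote error: tls: <alert>".
func classifyHandshake(addr string, roots *x509.CertPool) string {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{RootCAs: roots})
	if err == nil {
		conn.Close()
		return "ok"
	}
	if strings.HasPrefix(err.Error(), "remote error: ") {
		return "peer sent TLS alert: " + strings.TrimPrefix(err.Error(), "remote error: ")
	}
	return "handshake failed: " + err.Error() // x509 trust failures land here
}

func main() {
	cert, pool := selfSignedCert()
	good, bad := startTLSServer(cert), startAlertingServer()
	defer good.Close()
	defer bad.Close()
	fmt.Println("trusted CA, real server:   ", classifyHandshake(good.Addr().String(), pool))
	fmt.Println("empty roots, real server:  ", classifyHandshake(good.Addr().String(), x509.NewCertPool()))
	fmt.Println("trusted CA, alerting proxy:", classifyHandshake(bad.Addr().String(), pool))
}
```

Run it and the three lines read "ok" for the trusted CA against the real server, an x509 unknown-authority failure for empty roots, and "peer sent TLS alert: tls: access denied" for the alerting listener, the same text as in the agent log. The point for troubleshooting is that crypto/tls produces that text only when it received an alert record from whatever sat at the other end of the TCP connection, so seeing it in the capture before any ServerHello means something between the agent and fleet-server injected it (here, endpoint protection doing TLS filtering); a listener like startAlertingServer is also a cheap way to check how any client handles that case.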

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.