Elastic agent is unable to enroll to fleet

Elastic Stack Beats
, ,
1

Hi

I have used this documentation

to setup fleet
but when I try to do the 2nd step in that document to add elastic agent to the fleet am getting an error

2022-04-05T21:42:01.934Z        WARN    [tls]   tlscommon/tls_config.go:101     SSL/TLS verifications disabled.
2022-04-05T21:42:02.421Z        INFO    cmd/enroll_cmd.go:454   Starting enrollment to URL: http://fleet server ip:8220/
2022-04-05T21:42:23.606Z        WARN    cmd/enroll_cmd.go:465   Remote server is not ready to accept connections, will retry in a moment.
D:\Elastic\elastic-agent-7.17.2-windows-x86_64>2022-04-05T21:43:23.622Z INFO    cmd/enroll_cmd.go:472   Retrying enrollment to URL: http://fleet server ip:8220/
Error: fail to enroll: fail to execute request to fleet-server
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/7.17/fleet-troubleshooting.html
2

You need to replace the fleet server ip with the IP address of the Fleet Server.

3

ya in the actual script , it is the ip, just changed it here before posting it, I mentioned it as fleet server ip

4

What command-line command are you using to enroll?

should it be http or https ? If https are you checking with the --insecure flag ?

5

command used is

.\elastic-agent.exe install --url=http://fleet server ip:8220 --enrollment-token=**********== --insecure
6

You should only use --insecure with https, not needed for http.

Also have you checked the fleet server is responding in that url ?

curl -f  http://fleet server ip:8220 
curl -f  https://fleet server ip:8220
7

I tried without using --insecure for http it gives an error and prompts to use --insecure.
curl command is actually not working in the windows server I am using. but I tried accessing http://fleet server ip:8220 from the browser and it gives an error "cannot reach this page"

8

Sorry, what is the response when you run this from the command-line?

curl -f http://<fleet-server-url>:8220/api/status
10

curl: (7) Failed to connect to fleet-server-ip port 8220 after 1011 ms: Connection refused

11

For both addresses http / https ?

12

For both http and https it gives the same error

13

My Elk stack only had minimal security in the beginning then I was able to add a fleet server but now I setup SSL security for the elk stack and the fleet server which I added earlier was showing offline so I unenrolled it and when I try to do it again now I am unable to add the fleet server as well

Command I am running to add the fleet server is

.\elastic-agent.exe install --fleet-server-es=https://elasticsearch-ip:9200 --fleet-server-service-token=********** --fleet-server-policy=******* --fleet-server-insecure-http

It gives the output

Elastic Agent will be installed at C:\Program Files\Elastic\Agent and will run as a service. Do you want to continue? [Y/n]:y
{"log.level":"info","@timestamp":"2022-04-11T21:01:19.465Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":727},"message":"Waiting for Elastic Agent to start","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-04-11T21:01:25.470Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":777},"message":"Fleet Server - Starting","ecs.version":"1.6.0"}
Error: fleet-server failed: context canceled
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.1/fleet-troubleshooting.html
Error: enroll command failed with exit code: 1
14

You cant ahh the fleet server with insecure-http and then try to add clients via ssl.

Try one thing at a time? How do you want your setup to be ? http / https ?
For https, do you have certificates? Self-signed or not ?

15

want the setup to be https.
For https, I have self-signed certificates.

16

then you need to setup your Fleet server as https with those certificates and not how you are currently doing it

17

tried this command too

.\elastic-agent.exe install --url=https://fleet server ip:8220 --fleet-server-es=https://elasticsearch ip:9200 --fleet-server-service-token=******** --fleet-server-policy=********** --certificate-authorities=/usr/share/elasticsearch/ca --fleet-server-es-ca=/usr/share/elasticsearch/elastic-stack-ca.p12 --fleet-server-cert= /etc/elasticsearch/ca.crt --fleet-server-cert-key=/etc/elasticsearch/ca.key

gives an output

Error: --certificate-authorities must be provided as an absolute path
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.1/fleet-troubleshooting.html
18

This doesn't have an extention, it is just ca. Probably one of the reasons you are getting and issue.

19

used this article Encrypt traffic in clusters with a self-managed Fleet Server | Fleet and Elastic Agent Guide [8.1] | Elastic
so when I generated the ca for fleet using the command ./bin/elasticsearch-certutil ca --pem and extracted it got a folder called ca

root@ip-elasticsearch ip:/usr/share/elasticsearch# ll
total 896
drwxr-xr-x   9 root root   4096 Apr  8 18:35 ./
drwxr-xr-x 127 root root   4096 Apr  8 14:10 ../
-rw-rw-r--   1 root root 858797 Mar 29 21:25 NOTICE.txt
-rw-r--r--   1 root root   2710 Mar 29 21:24 README.asciidoc
drwxr-xr-x   2 root root   4096 Apr  8 18:23 bin/
drwxr-xr-x   2 root root   4096 Apr  8 19:08 ca/
-rw-------   1 root root   3596 Apr  7 21:17 elastic-certificates.p12
-rw-------   1 root root   2672 Apr  7 21:17 elastic-stack-ca.p12
-rw-------   1 root root   2515 Apr  8 18:29 elastic-stack-ca.zip
drwxr-xr-x   2 root root   4096 Apr  8 18:36 fleet-server/
-rw-------   1 root root   2620 Apr  8 18:35 fleet-server.zip
drwxr-xr-x   9 root root   4096 Apr  8 12:44 jdk/
drwxr-xr-x   3 root root   4096 Apr  8 12:44 lib/
drwxr-xr-x  67 root root   4096 Apr  8 12:44 modules/
drwxr-xr-x   2 root root   4096 Mar 28 15:17 plugins/

ca folder has ca.crt and ca.key
and according to the above article used the ca to generate certificates for fleet server

./bin/elasticsearch-certutil cert --name fleet-server --ca-cert /usr/share/elasticsearch/ca/ca.crt --ca-key /usr/share/elasticsearch/ca/ca.crt  --ip fleet server ip --pem

this gave fleet-server.crt, fleet-server.key

so now used the command

.\elastic-agent.exe install --url=https://fleet server ip:8220 --fleet-server-es=https://elasticsearch ip:9200 --fleet-server-service-token=******** --fleet-server-policy=********** --certificate-authorities=/usr/share/elasticsearch/ca --fleet-server-es-ca=/usr/share/elasticsearch/elastic-stack-ca.p12 --fleet-server-cert= /etc/elasticsearch/fleet-server.crt --fleet-server-cert-key=/etc/elasticsearch/fleet-server.key```

If this is not the correct process to generate certificates for fleet, could you please guide me with any appropriate link to follow .

Thanks
20

Here you are meant to point to a file and not the whole folder, im sure in that folder, you have a file called ca.crt or ca.pem.

21

tried this as well gives the same error

--certificate-authorities=/usr/share/elasticsearch/ca/ca.crt

output

Error: --certificate-authorities must be provided as an absolute path
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.1/fleet-troubleshooting.html

that is the absolute path to the cert , I don't understand what the error is referring to