[elastic_agent.metricbeat][info] CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'

Hello team!

I receive from my Ubuntu host these logs all the time.

[elastic_agent.metricbeat][info] CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'

[elastic_agent.metricbeat][info] 'ca_trusted_fingerprint' set, looking for matching fingerprints

What can be causing these logs?

Find below my elasticsearch.yml

```yaml
# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
```

Thanks in advance!

Kind regards,

I followed this thread and am still receiving the logs.

Why are you concerned about this message? It's perfectly normal.

Hello Tim,

Wanted to know if my SSL Configuration is correct.

Thanks,

Hello Tim,

Checking the situation again, I wanted to know if I can avoid these logs in my Observability Explorer.

I don't think there's any way to avoid them, nor do I understand why you are so keen to do so.

Tools produce informational messages, trying to hide them is futile.

Understandable, but it just seems like noise, since it is repeating that message without providing any informational value, as the CA cert and fingerprint ARE configured and found matching. So saying it's searching for it and finding it over and over can be a bit of a distraction. After a while you take for granted that it IS configured correctly. If something else were to come up, it'd be buried beneath reams of data that isn't providing additional value but is consuming attention and data storage.

I've seen on other occasions that certain settings can be configured for fleet in Kibana, making it so that the setting is natively understood without the need to ping the system for known information. Just for the sake of efficiency is there nothing comparable to that for this particular situation?

There must be a way to disable these 'info' messages from the Elastic agent. I'm seeing about 30 messages / minute from filebeat and metricbeat combined. That's a bit much.

Sample messages:

{"log.level":"info","@timestamp":"2025-01-30T00:46:47.002Z","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}

{"log.level":"info","@timestamp":"2025-01-30T00:46:47.002Z","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}

Or moving these to 'error' or 'debug' log levels seems appropriate.
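
For the volume concern raised in the posts above, here is one way to count these notices per binary and per minute while keeping every other line for review, including error-level lines from the same TLS code path. This is an added example, not code from any poster or from Elastic; it assumes raw NDJSON agent log lines with the field layout of the samples quoted above, and `make_line`, `is_fingerprint_notice`, `triage` and the sample data are constructed for illustration.

```python
import json
from collections import Counter

# Function name as it appears in "log.origin" of the lines quoted in the thread.
TRUST_ROOT_CA = "github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"

def make_line(ts, binary, level, message):
    """Build a constructed log line with the field layout of the quoted samples."""
    return json.dumps({"log.level": level, "@timestamp": ts, "message": message,
                       "component": {"binary": binary}, "log.logger": "tls",
                       "log.origin": {"function": TRUST_ROOT_CA}})

# Constructed sample input (not real agent output).
SAMPLE = [
    make_line("2025-01-30T00:46:47.002Z", "filebeat", "info",
              "'ca_trusted_fingerprint' set, looking for matching fingerprints"),
    make_line("2025-01-30T00:46:47.002Z", "filebeat", "info",
              "CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'"),
    make_line("2025-01-30T00:46:49.110Z", "metricbeat", "info",
              "'ca_trusted_fingerprint' set, looking for matching fingerprints"),
    make_line("2025-01-30T00:47:02.500Z", "filebeat", "error", "constructed placeholder error"),
    "not json at all",
]

def is_fingerprint_notice(event):
    """True only for info-level lines from tlscommon.trustRootCA on the tls logger."""
    origin = event.get("log.origin") if isinstance(event, dict) else None
    return (isinstance(origin, dict)
            and origin.get("function") == TRUST_ROOT_CA
            and event.get("log.level") == "info"
            and event.get("log.logger") == "tls")

def triage(lines):
    """Return (counts of notices per (binary, minute), all other lines untouched)."""
    noise, keep = Counter(), []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            event = None  # unparseable lines are kept, never dropped
        if is_fingerprint_notice(event):
            minute = str(event.get("@timestamp", ""))[:16]
            noise[(event.get("component", {}).get("binary", "unknown"), minute)] += 1
        else:
            keep.append(raw)
    return noise, keep

if __name__ == "__main__":
    counts, remaining = triage(SAMPLE)
    print(dict(counts), len(remaining))
```

Matching on the logger, level and origin function together, rather than on message text alone, means an error-level line from the same function still reaches the reviewer.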