Elastic agent needs elasticseach ca from elastic cloud

logger · November 29, 2023, 7:47pm

Hi there,

currently I am a bit confused with the installation of fleet and elastic-agent.

I am using the elastic cloud for elasticsearch, kibana and fleet.

On my testserver, debian 10, we are behind a proxy. I have exported the env vars and tested with curl to get some endpoints.

curl -XGET "https://<my-cloud-server>.es.eu-west-1.aws.found.io/_cluster/health" -u <myuser> 
curl -XGET "https://<my-cloud-server>.kb.eu-west-1.aws.found.io/api/spaces/space" -u <myuser> 
curl -XGET "https://<my-cloud-server>.kb.eu-west-1.aws.found.io/api/fleet/agent_policies" -u <myuser>

All of them worked so I think the connection is working as it should.
Now the when adding just an agent with fleet server on elastic cloud I use the installation for linux 64.

sudo ./elastic-agent install --url=https://<my-cloud-server>.fleet.eu-west-1.aws.found.io:443 --enrollment-token=<my_wonderful_token>

Kibana acknowledged that there is a new agent. But the Agent did not get the policy yet.

I added the Proxy settings to the systemd file.

Then I restarted the agent and got:

* requester 0/1 to host https://<hash>.fleet.eu-west-1.aws.found.io:443/ errored: Get "https://<hash>.fleet.eu-west-1.aws.found.io:443/api/status?": x509: certificate signed by unknown authority

I have 2 questions for this:

why it uses the "<hash>" in the url instead of my previous url with "<my-cloud-server>"
And why does the cert from the fleet server is signed by an unknown authority?

Maybe someone can explain this to me, I would appreciate it.

Kind regards
Malte

stephenb · November 29, 2023, 10:55pm

logger:

Then I restarted the agent and got:
* requester 0/1 to host https://<hash>.fleet.eu-west-1.aws.found.io:443/ errored: Get "https://<hash>.fleet.eu-west-1.aws.found.io:443/api/status?": x509: certificate signed by unknown authority
I have 2 questions for this:

why it uses the "" in the url instead of my previous url with ""

And why does the cert from the fleet server is signed by an unknown authority?

That is just the deployment id that resolved to your deployment.
In actuality behind the scene your <my-cloud-server> gets resolved to that deployment id, the use friendly is just really an alias.
I am a little unclear on your architecture but did you read this

There are specific instructions for using a proxy... include CLI parameters etc

logger · December 1, 2023, 3:22pm

Hi Stephen,

thanks for your answer.

I think I found the problem. Since I exported the proxy urls and tested all connections via curl, I thought it would work.

It looks like when installing the elastic-agent as fleet you need to add --proxy-url because the command line wont use the exported settings.

After that the fleet server is installed correctly.

May I ask another question or should I open a new thread?

Question: Does the agent need a direct connection to the elastic-cloud when using a logstash as output?

Context: We dont want to open the proxy/firewall that every client has a connection to elastic-cloud. All should be send via a "relais-server" as a single point in the internal network. And then the logstashes will send the whole data to the elastic cloud.

stephenb · December 1, 2023, 4:55pm

There are 2 paths of communication.

The Data Path (Many Agents -> Output / Logstash -> Elasticsearch )

The Control Path (Many Agents -> Proxy -> Fleet) I think you are asking can this communication path can be via a proxy I think the answer is yes,

I have not personally set that up with the proxy.

Not sure if that is what you are asking...

I have set up the Many Agents -> Output / Logstash -> Elasticsearch Architecture that works just fine you just need to follow the instructions very very closely especially all the self signed certs and setting up logstash SSL pipelines etc

logger · December 1, 2023, 7:20pm

Hi Stephen,

thanks for the quick answer.

Our setup is

local network ( multiple elastic-agents) -> relais-server (fleet and logstash) -> proxy -> elastic cloud

The best for us would be that only our relais-server would get access to ealstic-cloud.

That when rollout some new elastic-agents we would like to have only access to the fleet-server (LAN) and logstash (LAN)

But many thanks. I will try set up all of it.

stephenb · December 1, 2023, 7:28pm

Ahhh so your fleet is local... then Yes... I think the Agents will talk to the local Fleet...

Fleet will need to talk to Elasticsearch though

Back to the Diagram... on this page keep that in mind

In your case the Data and Monitoring can go through Logstash... I am pretty sure

logger · December 1, 2023, 7:38pm

Awesome,

I test it tomorrow and get back to you.

Thanks for your advices.

system · December 29, 2023, 7:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get Fleet Agent to use CA Cert w/ Elasticsearch? Elasticsearch fleet	4	858	April 1, 2021
Elastic Agent/Fleet Server cannot connect to elasticsearch Beats elastic-agent	7	2561	January 24, 2022
Elastic Agents CA questions… Kibana fleet	2	392	March 25, 2022
Need help with Elastic agent installation Elastic Agent fleet	4	842	August 14, 2023
Fleet Server - Error - failed version compatibility check with elasticsearch: x509: certificate signed by unknown authority Elastic Agent	1	351	August 28, 2024

Elastic agent needs elasticseach ca from elastic cloud

Related topics