Elastic agent offline after upgrade from Fleet

Hi,
Because of the vulnerabilities disclosed this week affecting the Elastic Suite, I've upgraded all my Elastic Agents from 8.8.0 to 8.10.3 through Fleet.

Now all the agents are Offline (and displaying the version as 8.8.0) despite the fact that metrics and logs are still forwarded and properly received...

* requester 0/1 to host https://192.168.202.23:8220/ errored: Post "https://192.168.202.23:8220/api/fleet/agents/c8f50944-ebb2-447a-a030-e3624cac5be7/acks?": x509: cannot validate certificate for 192.168.202.23 because it doesn't contain any IP SANs

Any idea please?
Regards.

So it seems that my certificate doesn't contain any IP SANs...
Do you have any walkthrough for updating my certificate on both Elastic Agent and Fleet Server?
As I'm unable to find the configuration file for Fleet Server...

This leads me to a more general question: how should I proceed for certificate renewal?

Thanks!

Hi @DaddyYusk

If it's possible for you to re-enroll your Fleet Server, you can re-enroll it with your new certificate following the doc here: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.10] | Elastic

Out of curiosity, I am trying to figure out how the certificate became invalid. How did you upgrade your Fleet Server?

Thanks a lot @nchaulet for the provided link; this one has been in my bookmarks for quite some time and is definitely useful.
But it only showcases an SSL/TLS deployment from scratch, not an update of the certificate (and I didn't find this case in the Elastic documentation...).

One question please: if I re-enroll my Fleet Server, will I lose all the already enrolled Elastic Agents and need to re-enroll them on the new Fleet Server?

Regards.

Also, I did the upgrade of Elasticsearch, Logstash and Kibana from the package manager apt.
For the Fleet Server and all Elastic Agents, I did that using Kibana's Fleet UI.

And I should probably register a domain name for the Fleet Server in order to avoid this kind of issue too.

If you re-enroll a Fleet Server accessible at the same address using the same CA, it should be fine for the already enrolled agents.


@nchaulet just curious, what would be the answer for this?

How can users change the certificate used by a Fleet Server, in renewal scenarios for example? I could not find anything in the documentation; I opened a topic here about this and also a support ticket, but could not get any answer yet.


It's a good question; we do not have proper documentation for that yet. Replacing the existing certificate files and restarting the agents seems to work (if the certificate uses the same CA).


That's great to hear.
Do you know if it is possible to explicitly specify a path to the certificate file for Elastic Agent? Which configuration file do I need to edit for that, please?
Also what is the default path for the certificate file?
Thanks a lot @nchaulet.

You should be able to specify the path when you install your Fleet Server with --fleet-server-cert=/path/to/fleet-server.crt and --fleet-server-cert-key=/path/to/fleet-server.key

Thanks @nchaulet for the reply!
But I meant how to update the certificate file path after a Fleet Server install (in case we want to update it), by editing elastic-agent.yml for example.

One more question please, as I don't find the answer in the doc:

  • How to add a SAN (altsubject) in the certificate using ./bin/elasticsearch-certutil ?

Hi @DaddyYusk

I think you can use the -ip or -dns flag when using elasticsearch-certutil cert


Hi @nchaulet.

Just a quick update about my state and I can confirm that :

  • Following your "Configure SSL/TLS for self-managed Fleet Servers" link from scratch and then re-enrolling the Fleet Server didn't lose my already enrolled Elastic Agents.
  • Overwriting the newly generated certificate (ca.crt) in each Elastic-Agent then restarting it (service) was indeed the way to update the certificate.
  • The 2 above statements solved my issue.

But :

  • Now in Kibana > Fleet, the Elastic-Agents are stuck in "Upgrading" state. How to resolve that please?
  • Overwriting the certificate (ca.crt) was the way to update the certificate for each Elastic-Agent. But what if I need to also change the path of the certificate? How to proceed please?

Once again thanks a lot for all your advices.
Regards.
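The root cause in this thread was a Fleet Server certificate without an IP SAN for the address the agents dial. Below is an added example, not code from the thread or from Elastic, that does with plain openssl what the `--dns`/`--ip` flags of `elasticsearch-certutil cert` mentioned above do for the Elastic tooling: it creates a CA, issues a Fleet Server certificate carrying both a DNS and an IP SAN, and provides a check you can run against any `fleet-server.crt` before re-enrolling to confirm the IP SAN and the CA chain are what the agents expect. The host name `fleet-server.example.internal`, the key sizes, validity periods and output directory are assumptions for illustration; the IP is the one from the error message in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): issue a Fleet Server certificate with
# DNS + IP SANs via openssl, and check a certificate before re-enrolling.
set -eu

FLEET_IP="192.168.202.23"                 # address in the agents' fleet_url (from the thread)
FLEET_DNS="fleet-server.example.internal" # assumed DNS name for the Fleet Server
OUT="${OUT:-$(mktemp -d)}"                # where keys and certs are written

# Create a self-signed CA. Its ca.crt is what every enrolled agent trusts.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Fleet demo CA" \
    -keyout "$OUT/ca.key" -out "$OUT/ca.crt" >/dev/null 2>&1
}

# Issue a server certificate signed by the CA.
#   $1 = file base name, $2 = subjectAltName value, or "" for no SAN at all
#   (an empty SAN reproduces the "doesn't contain any IP SANs" failure).
make_server_cert() {
  name="$1"; san="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$FLEET_DNS" \
    -keyout "$OUT/$name.key" -out "$OUT/$name.csr" >/dev/null 2>&1
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" > "$OUT/$name.ext"
    openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$OUT/$name.ext" \
      -out "$OUT/$name.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
      -CAcreateserial -days 365 -sha256 -out "$OUT/$name.crt" >/dev/null 2>&1
  fi
}

# Returns 0 if the certificate's subjectAltName lists exactly this IP.
# Go's x509 verifier (used by Elastic Agent) ignores the CN when agents
# connect by IP, so this entry must be present.
has_ip_san() {
  cert="$1"; ip="$2"
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "IP Address:$ip"
}

# Returns 0 if the certificate chains to ca.crt: the precondition under which
# swapping the files and restarting agents works without re-enrolling them.
chains_to_ca() {
  openssl verify -CAfile "$OUT/ca.crt" "$1" >/dev/null 2>&1
}

demo() {
  make_ca
  make_server_cert good "DNS:$FLEET_DNS,IP:$FLEET_IP"
  make_server_cert bad ""
  if has_ip_san "$OUT/good.crt" "$FLEET_IP"; then
    echo "good.crt: IP SAN $FLEET_IP present; ok for https://$FLEET_IP:8220"
  fi
  if ! has_ip_san "$OUT/bad.crt" "$FLEET_IP"; then
    echo "bad.crt: no IP SAN; agents dialing https://$FLEET_IP:8220 will fail"
  fi
  echo "files in $OUT"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh fleet-cert-check.sh demo`. The resulting `good.crt`/`good.key` are what the `--fleet-server-cert`/`--fleet-server-cert-key` flags from earlier in the thread take, and `ca.crt` is the file overwritten on each agent before its restart; running `has_ip_san` and `chains_to_ca` on a renewed certificate first avoids repeating the outage described at the top of the thread.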
