Hi,
Because of the latest vulnerabilities from this week affecting Elastic Suite, I've upgraded all my Elastic Agents from 8.8.0 to 8.10.3 from Fleet.
Now all the agents are Offline (and displaying the version as 8.8.0) despite the fact that metrics and logs are still forwarded and properly received...
* requester 0/1 to host https://192.168.202.23:8220/ errored: Post "https://192.168.202.23:8220/api/fleet/agents/c8f50944-ebb2-447a-a030-e3624cac5be7/acks?": x509: cannot validate certificate for 192.168.202.23 because it doesn't contain any IP SANs
So it seems that my certificate doesn't contain any IP SANs...
Do you have any walkthrough for updating my certificate on both Elastic Agent and Fleet Server?
As I'm unable to find the configuration file for Fleet Server...
This leads me to a more general question: how to proceed for certificate renewal?
Thanks a lot @nchaulet for the provided link; this one has been in my bookmarks for quite some time and is definitely useful.
But it showcases only an SSL/TLS deployment from scratch, not an update of the certificate (and I didn't find this case in the Elastic documentation...)
One question please: if I re-enroll my Fleet Server, will I lose all the already enrolled Elastic Agents and need to re-enroll them again on the new Fleet Server?
Also I did the upgrade of Elasticsearch, Logstash and Kibana from the package manager apt.
For the Fleet Server and all Elastic Agents, I did that using Kibana's Fleet UI.
@nchaulet just curious, what would be the answer for this?
How can users change the certificate used by a Fleet Server in renewal scenarios, for example? I could not find anything in the documentation. I opened a topic here about this and also a ticket with support but could not get any answer yet.
It's a good question. We do not have proper documentation for that yet; replacing the existing certificate files and restarting agents seems to work (if the certificate uses the same CA).
That's great to hear.
Do you know if it is possible to explicitly specify a path to the certificate file for Elastic Agent? Which configuration file do I need to edit for that please?
Also what is the default path for the certificate file?
Thanks a lot @nchaulet.
You should be able to specify the path when you install your Fleet Server with --fleet-server-cert=/path/to/fleet-server.crt and --fleet-server-cert-key=/path/to/fleet-server.key
Thanks @nchaulet for the reply!
But I meant how to update the certificate file path after a Fleet Server install (in case we want to update it). Like editing elastic-agent.yml for example.
Just a quick update about my state, and I can confirm that:
Following your "Configure SSL/TLS for self-managed Fleet Servers" link from scratch and then re-enrolling the Fleet-Server didn't lose my already enrolled Elastic-Agents.
Overwriting each Elastic-Agent's certificate (ca.crt) with the newly generated one, then restarting it (service), was indeed the way to update the certificate.
The 2 above statements solved my issue.
But:
Now in Kibana > Fleet, the Elastic-Agents are stuck in "Upgrading" state. How to resolve that please?
Overwriting the certificate (ca.crt) was the way to update the certificate for each Elastic-Agent. But what if I need to also change the path of the certificate? How to proceed please?
Once again thanks a lot for all your advice.
Regards.