Elastic Security Manage - Endpoint not working

Hi,

When I deleted agents for Endpoint, I wanted to re-add the agent to Endpoint, but it does not work, even if I reinstall the Fleet Server or any hosts under Security --> Manage --> Endpoint.

references:

It keeps showing this to install Fleet Server.

Please help, thanks!

Installed Elastic Defend; it keeps saying "communicating with endpoint service", seems not to work.

Adding more logs:

17:54:50.673
elastic_agent.endpoint_security
[elastic_agent.endpoint_security][error] Http.cpp:327 CURL error 60: SSL peer certificate or SSH remote key was not OK [SSL: no alternative certificate subject name matches target host name '172.16.xx.xx']
17:54:50.674
elastic_agent.endpoint_security
[elastic_agent.endpoint_security][notice] BulkQueueConsumer.cpp:93 Elasticsearch connection is down

Hello,

Are you using Elastic cloud or having a self hosted solution?

I assume it's Elastic Cloud. However, I'm confused about the CURL error. I don't think it's normal to see an IP address as the certificate subject name in Elastic Cloud. Maybe DNS is not working correctly?

Could you confirm if I understand correctly the situation:

  1. you have a host with Elastic Agent and Elastic Defend, both up and running
  2. Elastic Agent and Elastic Defend can't communicate with Elastic Cloud
    • you can't see the endpoint in Fleet (or do you see it with UNHEALTHY status?)

Hi Lesio,

No. I am using self hosted with docker container.

In Fleet, I changed the IP address from the Docker IP to my VM's, like (172.18.0.2 Docker) -> (172.16.xx.xx).

Because the agent always recognized the Docker IP address, but it worked for Endpoint. When I changed the Docker IP address, the agent could send out data to Fleet, but it did not work for Endpoint. I guess the HTTP cert is not the same as the Docker IP address?

  1. Yes. Both are up and the agent works; Defend keeps "communicating" and is stuck at SSL.
  2. The agent works, Defend does not work because of SSL. I can't see the endpoint in Security Manage; in Fleet all is fine. Yes, it's unhealthy; I guess the agent can't send Defend's data to Elasticsearch.

@lesio Hello.

Could you help this?

Thanks!

I have no experience with self hosting. I guess you should re-do the certificate setup after changing the IP address.

Elastic Agent installs/uninstalls Elastic Endpoint, providing the appropriate config file for Endpoint, so ultimately the config has to be fixed on the Fleet/Agent side, but we can use Endpoint to narrow down what's wrong:

Could you issue the command:
sudo /opt/Elastic/Endpoint/elastic-endpoint test output

It will print the status of all connections required by Endpoint, giving a meaningful hint of what to fix. First of all, check carefully whether the printed connections make sense after the changes in your environment, i.e. do the IP addresses or URLs point where they should.

Hi @lesio

Here is some of the endpoint's response.

I understand the ES server cannot be trusted by Endpoint. What do I do?

Should I generate a cert for ES or a cert for Fleet Server?

Is it possible to skip the SSL for now?

Hi @lesio

Finally I generated the P12 key, but I never used it.

elastic-certificates.p12  elastic-stack-ca.p12  http.p12  http_ca.crt  transport.p12

As for the result of your command:

sudo /opt/Elastic/Endpoint/elastic-endpoint test output

I've carefully checked the Elastic Defend advanced settings.
I looked at the Linux setting, because we are using Linux for this endpoint. I checked the settings for how to un-check SSL; however, there is a setting for this.


Default is true; I set it to false.

Run the command again:

Elasticsearch server: https://172.16.88.70:9200
        Status: Success

It worked; the hint is "SSL: no alternative certificate subject name matches target host name".
So I guess the IP address changed and didn't match the Docker ES certificate.

If I want to fix it, I have to re-generate the certificate for ES, import it in elasticsearch.yml, and change the output CA fingerprint.

Here is the final result:

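The CURL error 60 message quoted in the thread ("no alternative certificate subject name matches target host name") is the client's hostname check against the certificate's subjectAltName (SAN) failing: an IP literal in the output URL only ever matches an iPAddress SAN entry, so a certificate issued for the Docker IP cannot cover the VM IP, and turning verification off hides the mismatch rather than fixing it. The script below is an added example, not code from the thread or from Elastic; it encodes a SAN extension by hand in DER (a constructed sample, not a real Elasticsearch certificate) and applies the same matching rules curl and Endpoint use, so the two IPs from the thread can be compared offline. The SAN contents and the `diagnose` helper are assumptions made for the example.

```python
"""Check whether an X.509 subjectAltName covers the host a client connects to.

Added example, not from the thread or from Elastic. The SAN below is a
constructed sample (hand-encoded DER, RFC 5280 4.2.1.6), not a real Elastic
certificate. The matching rules mirror what curl/Endpoint apply:
  - an IP literal matches only iPAddress entries,
  - a DNS name matches dNSName entries exactly or via a leftmost '*' label.
"""
import ipaddress

TAG_DNS_NAME = 0x82    # GeneralName [2] dNSName (IA5String)
TAG_IP_ADDRESS = 0x87  # GeneralName [7] iPAddress (OCTET STRING)
TAG_SEQUENCE = 0x30


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der):
    """Parse a DER GeneralNames SEQUENCE into a list of ('dns'|'ip', value)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("subjectAltName must be a SEQUENCE of GeneralName")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            names.append(("dns", value.decode("ascii").lower()))
        elif tag == TAG_IP_ADDRESS:
            # ip_address() accepts the packed 4/16-byte form directly
            names.append(("ip", str(ipaddress.ip_address(value))))
        # other GeneralName choices (rfc822Name, URI, ...) play no part in host matching
    return names


def _dns_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def host_matches_san(names, target):
    """True if target (IP literal or DNS name) is covered by the parsed SAN."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:   # IP literal: dNSName entries never count, only iPAddress
        return any(kind == "ip" and value == str(ip) for kind, value in names)
    host = target.lower().rstrip(".")
    return any(kind == "dns" and _dns_matches(value, host) for kind, value in names)


def build_san(dns_names=(), ips=()):
    """Encode a GeneralNames SEQUENCE in DER (helper so the example is self-contained)."""
    body = b""
    for name in dns_names:
        enc = name.encode("ascii")
        body += bytes([TAG_DNS_NAME, len(enc)]) + enc
    for ip in ips:
        packed = ipaddress.ip_address(ip).packed
        body += bytes([TAG_IP_ADDRESS, len(packed)]) + packed
    assert len(body) < 128, "short-form length only; enough for this sample"
    return bytes([TAG_SEQUENCE, len(body)]) + body


def diagnose(san_der, target):
    """Return an OK line or the same wording curl prints for a SAN mismatch."""
    names = parse_san(san_der)
    if host_matches_san(names, target):
        return f"OK: '{target}' is covered by SAN {names}"
    return (f"no alternative certificate subject name matches target host name "
            f"'{target}'; certificate SAN is {names}")


# Constructed sample: a cert issued while Elasticsearch lived on the Docker IP.
SAMPLE_SAN = build_san(dns_names=["localhost", "*.elastic.internal"],
                       ips=["172.18.0.2"])

if __name__ == "__main__":
    for target in ("172.18.0.2", "172.16.88.70", "es.elastic.internal"):
        print(diagnose(SAMPLE_SAN, target))
```

Run it and the Docker IP passes while the VM IP reproduces the thread's error; the fix the last post arrives at, reissuing the Elasticsearch HTTP certificate with the new address in its SAN and updating the CA fingerprint in the Fleet output, is what makes the second check pass without disabling verification.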
