When I deleted the agents for endpoint, I wanted to re-add the agent to endpoint, but it does not work, even if I reinstall Fleet Server or any hosts under Security --> Manage --> Endpoint.
17:54:50.673
elastic_agent.endpoint_security
[elastic_agent.endpoint_security][error] Http.cpp:327 CURL error 60: SSL peer certificate or SSH remote key was not OK [SSL: no alternative certificate subject name matches target host name '172.16.xx.xx']
17:54:50.674
elastic_agent.endpoint_security
[elastic_agent.endpoint_security][notice] BulkQueueConsumer.cpp:93 Elasticsearch connection is down
Are you using Elastic cloud or having a self hosted solution?
I assume it's Elastic cloud. However, I'm confused about the CURL error. I don't think it's normal to see an IP address as the certificate subject name in Elastic cloud. Maybe DNS is not working correctly?
Could you confirm if I understand the situation correctly:
- you have a host with Elastic Agent and Elastic Defend, both up and running
- Elastic Agent and Elastic Defend can't communicate with Elastic Cloud
- you can't see the endpoint in Fleet (or do you see it with UNHEALTHY status?)
In Fleet, I changed the IP address to my VM from the Docker IP, like (172.18.0.2 Docker) -> (172.16.xx.xx).
Because the agent always recognized the Docker IP address, but it works for Endpoint. When I changed the Docker IP address, the agent can send out data to Fleet, but it does not work for Endpoint. I guess the HTTP cert is not the same as the Docker IP address?
Yes. Both are up and the agent works; Defend keeps communicating and is stuck at SSL.
Agent works, Defend does not work because of SSL. I can't see the endpoint in Security manage; in Fleet all is fine. Yes, it's unhealthy. I guess the agent can't send the data to the Elasticsearch of Defend.
I have no experience with self hosting. I guess you should re-do the certificate setup after changing the IP address.
Elastic Agent installs/uninstalls Elastic Endpoint, providing the appropriate config file for Endpoint, so ultimately the config has to be fixed at the Fleet/Agent side, but we can use Endpoint to narrow down what's wrong:
Could you issue the command: `sudo /opt/Elastic/Endpoint/elastic-endpoint test output`
It will print the status of all connections required by Endpoint, giving a meaningful hint about what to fix. First of all, check carefully if the printed connections make sense after the changes in your environment, i.e. do the IP addresses or URLs point where they should.
sudo /opt/Elastic/Endpoint/elastic-endpoint test output
I've carefully checked the Elastic Defend advanced settings.
I observed the Linux settings, because we are using Linux for this endpoint. I checked the settings for how to un-check the SSL? However, there is a setting for this.
It worked; the hint is SSL: no alternative certificate subject name matches target host name.
So I guess the IP address changed and didn't match the Docker ES certificate.
If I want to fix it, I have to re-generate the certificate for ES, import the elasticsearch.yml, and change the output CA fingerprint.
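
The subject-alternative-name check behind the `CURL error 60` in this thread, as an added example that is not part of any post or of Elastic's code. It shows why an IP in the output URL must appear as an IP entry in the certificate. The SAN list and the address `192.0.2.10` (standing in for the redacted VM address) are constructed for illustration.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_covers(cert, target):
    """True if `target` (the host part of the output URL) is covered by the SANs.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    An IP target is compared only against 'IP Address' entries and a name
    only against 'DNS' entries, which is how TLS clients verify the peer.
    """
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(target)
    if ip is not None:
        return any(kind == "IP Address" and _as_ip(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target)
               for kind, value in sans)

def check_outputs(cert, targets):
    """Map each candidate output host to whether the certificate covers it."""
    return {t: san_covers(cert, t) for t in targets}

# Constructed sample: a certificate issued while Elasticsearch was reached
# through its Docker address, so only that address and name are listed.
SAMPLE_CERT = {"subjectAltName": (("DNS", "es01"), ("DNS", "localhost"),
                                  ("IP Address", "172.18.0.2"),
                                  ("IP Address", "127.0.0.1"))}

if __name__ == "__main__":
    for host, ok in check_outputs(SAMPLE_CERT,
                                  ["172.18.0.2", "192.0.2.10", "es01"]).items():
        print(f"{host:12} {'covered' if ok else 'NOT covered by any SAN'}")
```

Running the same check against the SAN list of a re-generated certificate confirms the new address is covered before the output host is changed in Fleet.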