Hello!
We are having trouble enrolling Fleet Server on our host.
We are working with:
- Windows Server 2019 Standard
- Elasticsearch / Kibana / Elastic-Agent version 8.4.2 (same issue with 8.4.1)
- We are trying to enroll Fleet Server on the same server as the one hosting Elasticsearch and Kibana (10.20.1.39)
When we try to enroll our Fleet Server with "Quick Start":
    .\elastic-agent.exe install `
        --fleet-server-es=https://10.20.1.39:9200 `
        --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NjQyODU5MjgwMDE6U3ZONHJMVDBRcm0yNWZya0NmZkxXQQ `
        --fleet-server-es-ca-trusted-fingerprint=dfce3348dbc202e218152b8d8bae874fdd5c8c85041ebaf2c9d9da135375bb91 `
        --insecure
We get the following output:
Elastic Agent will be installed at C:\Program Files\Elastic\Agent and will run as a service. Do you want to continue? [Y/n]:Y
Error: failed to communicate with elastic-agent daemon; is elastic-agent running?
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.4/fleet-troubleshooting.html
Error: enroll command failed with exit code: 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.4/fleet-troubleshooting.html
Here are our config files:
ELASTICSEARCH:
    cluster.name: siem
    node.name: node-1
    path.data: D:\Exploit\data
    path.logs: D:\Exploit\logs\elasticsearch
    network.host: 0.0.0.0
    http.port: 9200
    discovery.type: single-node
    xpack.security.enabled: true
    xpack.security.enrollment.enabled: true
    xpack.security.http.ssl:
      enabled: true
      keystore.path: certs/http.p12
    xpack.security.transport.ssl:
      enabled: true
      verification_mode: certificate
      keystore.path: certs/transport.p12
      truststore.path: certs/transport.p12
KIBANA:
    logging.appenders.default:
      type: file
      fileName: D:\Exploit\logs\kibana\kibana.log
      layout:
        type: json
    # This section was automatically generated during setup.
    elasticsearch.hosts: ['https://10.20.1.39:9200']
    elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2NjQyODM5MjAzNjU6NVR5VlBoWWdTaENBd2tWWS1wZGFldw
    elasticsearch.ssl.certificateAuthorities: ['D:\ELK\kibana\data\ca_1664283921924.crt']
    xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://10.20.1.39:9200'], ca_trusted_fingerprint: dfce3348dbc202e218152b8d8bae874fdd5c8c85041ebaf2c9d9da135375bb91}]
We crawled the troubleshooting guide with no luck. We also tried enrolling with both --fleet-server-insecure-http and --insecure. We got the same error.
The same warning keeps appearing in our Elasticsearch logs:
    [2022-09-27T16:04:31,544][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.20.1.39:9200, remoteAddress=/10.20.1.39:54600}
It seems that there is some kind of certificate issue between Elasticsearch and Fleet. We launched Elasticsearch with the security features auto-enabled.
We thought that was it when we saw this topic, but it didn't work.
We are running out of troubleshooting steps to attempt; any advice or help would be appreciated.
Thanks!!!
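One check worth running before going further with a pinned-fingerprint setup like the one above: confirm that the SHA-256 fingerprint configured in `ca_trusted_fingerprint` / `--fleet-server-es-ca-trusted-fingerprint` really is the fingerprint of the CA certificate Kibana trusts (the `ca_*.crt` file in `elasticsearch.ssl.certificateAuthorities`). If the two disagree, the agent's TLS validation of Elasticsearch fails regardless of anything else. The script below is an added example, not code from the original post or from Elastic; it computes the fingerprint the same way `openssl x509 -fingerprint -sha256` does (SHA-256 over the DER bytes of the PEM block) and compares it to the configured value. The embedded PEM is constructed test data, not a real certificate; run the script with the path to the real CA file as its argument.

```python
"""Verify that a CA certificate's SHA-256 fingerprint matches the value pinned
in the Fleet output / elastic-agent enrollment configuration.

Added example, not from the original post. SAMPLE_PEM is constructed data so
the script runs offline; pass the real ca_*.crt path on the command line.
"""
import base64
import hashlib
import hmac
import re
import sys

# A PEM file may hold several blocks; we take the first CERTIFICATE block.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER bytes."""
    match = PEM_CERT_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # strip line breaks and whitespace
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Lower-case hex SHA-256 of the DER encoding, as Elastic expects it."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept openssl-style 'AB:CD:..' or bare hex in any case."""
    return fp.replace(":", "").strip().lower()


def fingerprints_match(computed: str, configured: str) -> bool:
    """Constant-time comparison after normalising both representations."""
    return hmac.compare_digest(
        normalize_fingerprint(computed), normalize_fingerprint(configured)
    )


def verify_ca_fingerprint(pem_text: str, configured: str) -> bool:
    """True if the CA certificate in pem_text has the configured fingerprint."""
    return fingerprints_match(sha256_fingerprint(pem_to_der(pem_text)), configured)


# --- constructed sample data (NOT a real certificate) ------------------------
SAMPLE_DER = b"constructed-not-a-real-certificate-" * 3
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Fingerprint pinned in the kibana.yml / enrollment command quoted in the post.
CONFIGURED_FINGERPRINT = (
    "dfce3348dbc202e218152b8d8bae874fdd5c8c85041ebaf2c9d9da135375bb91"
)


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1], "r", encoding="utf-8") as fh:
            pem = fh.read()
    else:
        pem = SAMPLE_PEM  # falls back to the constructed sample
    computed = sha256_fingerprint(pem_to_der(pem))
    ok = fingerprints_match(computed, CONFIGURED_FINGERPRINT)
    print(f"computed   : {computed}")
    print(f"configured : {CONFIGURED_FINGERPRINT}")
    print("MATCH" if ok else "MISMATCH: fix ca_trusted_fingerprint or the CA file")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_fingerprint.py D:\ELK\kibana\data\ca_1664283921924.crt`; a MISMATCH means the agent is being told to trust a CA other than the one that signed the Elasticsearch HTTP certificate, and the value in `kibana.yml` and on the enrollment command line should be regenerated from that CA file.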