Enrolling Fleet server

Hello!

We are having trouble enrolling Fleet Server on our host.

We are working with:

  • Windows Server 2019 Standard
  • Elasticsearch / Kibana / Elastic-Agent version 8.4.2 (same issue with 8.4.1)
  • We are trying to enroll Fleet Server on the same server as the one hosting Elasticsearch and Kibana (10.20.1.39)

When we try to enroll our Fleet Server with "Quick Start":


.\elastic-agent.exe install `
>>   --fleet-server-es=https://10.20.1.39:9200 `
>>   --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NjQyODU5MjgwMDE6U3ZONHJMVDBRcm0yNWZya0NmZkxXQQ `
>>   --fleet-server-es-ca-trusted-fingerprint=dfce3348dbc202e218152b8d8bae874fdd5c8c85041ebaf2c9d9da135375bb91 `
>>   --insecure

We are getting this output:

Elastic Agent will be installed at C:\Program Files\Elastic\Agent and will run as a service. Do you want to continue? [Y/n]:Y
Error: failed to communicate with elastic-agent daemon; is elastic-agent running?
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.4/fleet-troubleshooting.html
Error: enroll command failed with exit code: 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.4/fleet-troubleshooting.html

Here are our config files:

cluster.name: siem
node.name: node-1
path.data: D:\Exploit\data
path.logs: D:\Exploit\logs\elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node

xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

KIBANA:

logging.appenders.default:
  type: file
  fileName: D:\Exploit\logs\kibana\kibana.log
  layout:
    type: json

# This section was automatically generated during setup.
elasticsearch.hosts: ['https://10.20.1.39:9200']
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2NjQyODM5MjAzNjU6NVR5VlBoWWdTaENBd2tWWS1wZGFldw
elasticsearch.ssl.certificateAuthorities: ['D:\ELK\kibana\data\ca_1664283921924.crt']
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://10.20.1.39:9200'], ca_trusted_fingerprint: dfce3348dbc202e218152b8d8bae874fdd5c8c85041ebaf2c9d9da135375bb91}]

We crawled the troubleshooting guide with no luck. We also tried enrolling with both --fleet-server-insecure-http and --insecure. We got the same error.

The same warning keeps displaying in our elastic logs:

[2022-09-27T16:04:31,544][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.20.1.39:9200, remoteAddress=/10.20.1.39:54600}

It seems that there is some kind of certificate issue between Elasticsearch and Fleet. We launched Elasticsearch with security features auto enabled.

We thought that was it while seeing this subject but it didn't work.

We are running out of troubleshooting steps to attempt; any advice or help would be appreciated.

Thanks !!!
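The WARN line quoted in the post above is logged when a client sends unencrypted HTTP to the TLS-enabled HTTP port, and its remoteAddress field identifies that client. The following triage script is an added example, not part of the original post or of Elastic's tooling; the function names are hypothetical, and every sample log line except the first is constructed.

```python
import re
from collections import Counter

# Line 1 is the warning quoted in the post; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
[2022-09-27T16:04:31,544][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.20.1.39:9200, remoteAddress=/10.20.1.39:54600}
[2022-09-27T16:04:36,102][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.20.1.39:9200, remoteAddress=/10.20.1.57:49812}
[2022-09-27T16:04:40,000][INFO ][o.e.n.Node] [node-1] started
"""

# Addresses are printed as "/ip:port" (optionally "host/ip:port"); IPv6 is bracketed.
WARNING_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\].*"
    r"received plaintext http traffic on an https channel.*"
    r"localAddress=[^/,]*/(?P<lip>\[[^\]]+\]|[^:,}]+):(?P<lport>\d+).*"
    r"remoteAddress=[^/,]*/(?P<rip>\[[^\]]+\]|[^:,}]+):(?P<rport>\d+)"
)

def plaintext_clients(log_text):
    """Return one record per plaintext-on-HTTPS warning found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m is None:
            continue
        hits.append({
            "timestamp": m["ts"],
            "listener": f'{m["lip"]}:{m["lport"]}',
            "remote_ip": m["rip"],
            "remote_port": int(m["rport"]),
            # True when the plaintext client runs on the Elasticsearch host itself
            "same_host": m["rip"] == m["lip"],
        })
    return hits

def summarize(hits):
    """Count warnings per (remote IP, same_host) so the noisiest client stands out."""
    return Counter((h["remote_ip"], h["same_host"]) for h in hits)

if __name__ == "__main__":
    for (ip, local), n in summarize(plaintext_clients(SAMPLE_LOG)).most_common():
        where = "same host as Elasticsearch" if local else "remote host"
        print(f"{n} plaintext request(s) from {ip} ({where})")
```

In the line from the post, the remote address equals the listener address, so the plaintext request came from a process on the Elasticsearch host itself.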

Hi Benjamin,
do you happen to use a localized (for instance French) version of Windows?
Not sure if this applies to your case, but it seems like fancy bugs happen when installing the agent service on non-English Windows. See Elastic Agent commands not working in Windows 10 in German · Issue #857 · elastic/elastic-agent · GitHub


Hi Vincent.
Our Windows is French indeed.
We will take a look at this.
Thanks.

Hi Vincent.
We started again from an English Windows and everything seems to work.
Thanks a lot, you saved us a lot of time.
