Error after migration Elastic "Fleet Server - Error - failed version compatibility check with elasticsearch: x509: certificate signed by unknown authority"

Previously, I encountered an issue related to x509: certificate signed by unknown authority, as discussed in this Elastic forum thread. Currently, I am performing a migration involving a change in the server IP addresses. Due to certain internal matters at our office, several servers, including our Elastic server, needed to be reassigned new IP addresses.

I collaborated with our DevOps team to first update the IP addresses, since we are using AWS. Then, I regenerated the necessary certificates such as the CA and Fleet Server certificates—using elasticsearch-certutil, ensuring that they reflect the new IP addresses. I also replaced all related configurations in elasticsearch.yml and kibana.yml to match the new certificates.

After that, I unrolled the previously installed Fleet Server agent and cleaned up the agent directory located at /opt/Elastic/Agent. Before proceeding with the new installation, I updated the Elasticsearch output settings on the Kibana dashboard from the old IP to the new IP and replaced the previously copied SSL certificate YAML files with the new ones

from :

ssl:
  certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    MIIDWjCCAkKgAwIBAgIVAO3ItXzqMVrrgXiO8SPQc7GpJDpqMA0GCSqGSIb3DQEB
    CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
    ZXJhdGVkIENBMB4XDTI1MDUwOTA3MjAzNloXDTI4MDUwODA3MjAzNlowNDEyMDAG
    A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew
    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzDupwL3uhJx/pEYA0MGKS
    IUlnX8GzJFyM8uSpGYk3VtLlroi/cU8Fe+xY0CXxX++rGkP6l163eZV/VlqIOQlr
    BmJP6OHRJKXZ/vI99mcxuPyISj5gwy168zODWebmgdtkPoSYWiOc4DxUYU8WXVI5
    NAQNDgmq+u53xJ7IsNsZ3J2JRAQZwZJTegvTkoQbNL2ZN5Fvxg1ZF26N78sI8I3I
    mkSubPdRBjD6n4rAQGj+H2XhmUmsG79jLL6/lvI172VNOuhBteCZTSDq+ddr5ucb
    zrwz19qd2B2qqQSxBlq+F3QG8gSIrUYNXJhAOHas1MNTAjgvNwdetd+/cCjqJh9R
    AgMBAAGjYzBhMB0GA1UdDgQWBBTh2QiU6wxQZ76Z71XradEIQkdE5DAfBgNVHSME
    GDAWgBTh2QiU6wxQZ76Z71XradEIQkdE5DAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
    DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAos5Z7nvZ6hu13v3Dsmjz9D5g
    4VE9ycgX3fjwY5N7FiDjb9Hnu9YEBQT7rJk/cqCWvJXeFD5ekO/aC+4gmVz/D64p
    MK4GzNWnAIbr4r1zaa6ec/2V6SlNrseOzo2uZAgU4IwDYCgEj/F5kM9gJ70mZiq9
    YNFmSRegm2LjApFVZjAjNTB7nN+t0Ci5vBQsk8FSweGXWdkLsFaFsFzCHsU/qu0a
    9JUluZ0FFt8DXtq+8D0LVOZZ398Vb/Purz7PteBF2lRPFOH7WCd0nZGPj/O+4HqM
    Ut9PCHGt0Rbpq43Je06NBBDu8dECeXVKsf/Zg6dqss3OWveneoERqlZ2ebv9DQ==
    -----END CERTIFICATE-----

To new :

ssl:
  certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    MIIDWDCCAkCgAwIBAgITWfy9rZOT06rh9CDRZRewycVOijANBgkqhkiG9w0BAQsF
    ADA0MTIwMAYDVQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVy
    YXRlZCBDQTAeFw0yNTA3MTgxMDA5NDVaFw0yODA3MTcxMDA5NDVaMDQxMjAwBgNV
    BAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2VuZXJhdGVkIENBMIIB
    IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3krnSQXU7V05PNfMBALeZeJ8
    p5dKD/CuD2wckkA5Eo/t7vNdcGJiI7YYh6+C7/jDDujpFjJgfa4Py7X8W2EQHxww
    quxLRyXJEyxISeGtYGzhWs8rq6WvZtcZqU+a65+B3EnCicAlaE9ljY7BUMkLHGH4
    EaR7AkQeCSOflEVHQlE5jK4vRsHshPCdQhED1g7aqKCHfLVrdgp3STuqtphuzmHS
    gTxaYjUFZDtAG8HfbFjnoQE/gmgo2iMEElEUiC4ET31Qc0nD8IUlZgB2Avi4NWy7
    lan2N6grhF1U/MK1IsWMiblY9vCAQVUdFYL02lnWpLlp8kPP8oL0zZjKdVHoEwID
    AQABo2MwYTAdBgNVHQ4EFgQUphxSqbhRZdGMRrXlatvJzRc24UQwHwYDVR0jBBgw
    FoAUphxSqbhRZdGMRrXlatvJzRc24UQwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
    Af8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAJouItUshAn8cBlQ6X4rQWPX1EQi
    VGalouyuUgnC6ZG34RY0UdNMCEU8AHDzZAYnzYjBsF9j+ycNXJsoy0OYUm1Gv3Tq
    XrpOX4c3JX/KbITgr6ZFJkmnuOpBCGEcj2M9h1UTSXaoKTN51UafsnZW6zgeH+QS
    pOcP1ept5lHwKR8aA+Lok8HLoyIgg7W2tVUSSmINr0mI91vIqFnVFrcVJYUuIsPE
    KRL6/je2YCZoNDzKO4xPQbYRwKcelfKHaV2IslyiyuA4jpcdWv2yS/vbvNaFaJoa
    wF0hgP1+4gJFm9r69rsZHcs88zzNpeWFYjfbGi3FAkxI6U7p49dyD+ILYYI=
    -----END CERTIFICATE-----

After that, I reinstalled the Fleet Server agent on my server (which had previously been removed) using the following command:

sudo ./elastic-agent install --url=https://10.0.0.122:8220 \
  --fleet-server-es=https://10.0.0.122:9200 \
  --fleet-server-service-token=<MY-TOKEN> \
  --fleet-server-policy=fleet-server-policy \
  --certificate-authorities=/opt/Elastic/ca/ca.crt \
  --fleet-server-es-ca=/opt/Elastic/http_ca.crt \
  --fleet-server-cert=/opt/Elastic/fleet-server/fleet-server.crt \
  --fleet-server-cert-key=/opt/Elastic/fleet-server/fleet-server.key \
  --fleet-server-port=8220 \
  --install-servers

and then Error is rise :

but i'm trying to curl with my ca cert :

curl --cacert /opt/Elastic/ca/ca.crt -u elastic:<MY-PASSWORD> https://10.0.0.122:9200
{
  "name" : "elastic",
  "cluster_name" : "ElasticSIEM",
  "cluster_uuid" : "o8RMEwmoSVW6Z8uPmcLJeg",
  "version" : {
    "number" : "9.0.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "73f7594ea00db50aa7e941e151a5b3985f01e364",
    "build_date" : "2025-04-30T10:07:41.393025990Z",
    "build_snapshot" : false,
    "lucene_version" : "10.1.0",
    "minimum_wire_compatibility_version" : "8.18.0",
    "minimum_index_compatibility_version" : "8.0.0"
  },
  "tagline" : "You Know, for Search"
}

I’ve reviewed several tutorials on youtube and similar error cases on this forum, but I’m still stuck. Do you have any suggestions for resolving this error?

Hello @neofall

As per below post maybe once check the fingerprint?

Thanks!!

Hi @Tortoise ,

I’ve already tried implementing it with the fingerprint, but it same errors.