Previously, I encountered an issue related to x509: certificate signed by unknown authority, as discussed in this Elastic forum thread. Currently, I am performing a migration involving a change in the server IP addresses. Due to certain internal matters at our office, several servers, including our Elastic server, needed to be reassigned new IP addresses.
I collaborated with our DevOps team to first update the IP addresses, since we are using AWS. Then, I regenerated the necessary certificates, such as the CA and Fleet Server certificates, using elasticsearch-certutil, ensuring that they reflect the new IP addresses. I also replaced all related configurations in elasticsearch.yml and kibana.yml to match the new certificates.
After that, I unenrolled the previously installed Fleet Server agent and cleaned up the agent directory located at /opt/Elastic/Agent. Before proceeding with the new installation, I updated the Elasticsearch output settings on the Kibana dashboard from the old IP to the new IP and replaced the previously copied SSL certificate YAML files with the new ones, from:
ssl:
  certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
To new:
ssl:
  certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
After that, I reinstalled the Fleet Server agent on my server (which had previously been removed) using the following command:
sudo ./elastic-agent install --url=https://10.0.0.122:8220 \
--fleet-server-es=https://10.0.0.122:9200 \
--fleet-server-service-token=<MY-TOKEN> \
--fleet-server-policy=fleet-server-policy \
--certificate-authorities=/opt/Elastic/ca/ca.crt \
--fleet-server-es-ca=/opt/Elastic/http_ca.crt \
--fleet-server-cert=/opt/Elastic/fleet-server/fleet-server.crt \
--fleet-server-cert-key=/opt/Elastic/fleet-server/fleet-server.key \
--fleet-server-port=8220 \
--install-servers
And then an error is raised:
But I'm trying to curl with my CA cert:
curl --cacert /opt/Elastic/ca/ca.crt -u elastic:<MY-PASSWORD> https://10.0.0.122:9200
{
"name" : "elastic",
"cluster_name" : "ElasticSIEM",
"cluster_uuid" : "o8RMEwmoSVW6Z8uPmcLJeg",
"version" : {
"number" : "9.0.1",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "73f7594ea00db50aa7e941e151a5b3985f01e364",
"build_date" : "2025-04-30T10:07:41.393025990Z",
"build_snapshot" : false,
"lucene_version" : "10.1.0",
"minimum_wire_compatibility_version" : "8.18.0",
"minimum_index_compatibility_version" : "8.0.0"
},
"tagline" : "You Know, for Search"
}
I’ve reviewed several tutorials on YouTube and similar error cases on this forum, but I’m still stuck. Do you have any suggestions for resolving this error?
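An added diagnostic example, not part of the original post: the curl test above trusted /opt/Elastic/ca/ca.crt, while the install command passes /opt/Elastic/http_ca.crt as --fleet-server-es-ca, so this checks which CA file the certificate presented on a port actually chains to and whether its SAN lists the new IP. The function names are made up for this example, and it assumes the openssl CLI is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the post). Function names are hypothetical helpers.

# fetch_leaf HOST:PORT OUT.pem : save the certificate the endpoint presents.
fetch_leaf() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -out "$2" 2>/dev/null
}

# chains_to CA.pem LEAF.pem : succeed only if LEAF verifies against CA.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_ip_san LEAF.pem IP : succeed only if IP is listed in subjectAltName.
# -F/-w keep 10.0.0.12 from matching an entry for 10.0.0.122.
has_ip_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Fqw "IP Address:$2"
}

# diagnose HOST:PORT IP CA.pem [CA.pem ...] : report issuer, SAN and trust.
diagnose() {
  local ep=$1 ip=$2 leaf ca
  shift 2
  leaf=$(mktemp) || return 1
  if ! fetch_leaf "$ep" "$leaf"; then
    echo "$ep: no certificate received"
    rm -f "$leaf"
    return 1
  fi
  echo "== $ep"
  openssl x509 -in "$leaf" -noout -issuer -enddate -fingerprint -sha256
  if has_ip_san "$leaf" "$ip"; then echo "SAN lists $ip"; else echo "SAN does NOT list $ip"; fi
  for ca in "$@"; do
    if chains_to "$ca" "$leaf"; then echo "trusted by   $ca"; else echo "NOT trusted  $ca"; fi
  done
  rm -f "$leaf"
}

# Usage with the paths and address quoted in the post (run on the server):
#   diagnose 10.0.0.122:9200 10.0.0.122 /opt/Elastic/ca/ca.crt /opt/Elastic/http_ca.crt
#   diagnose 10.0.0.122:8220 10.0.0.122 /opt/Elastic/ca/ca.crt
```

A "NOT trusted" line for a CA file that the install command passes is the same condition the agent reports as x509: certificate signed by unknown authority.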