Error: fleet-server failed: context canceled

Hello Elastic community,
I have a problem trying to configure the Fleet Server. I have done the following:
Inside Kibana - fleet/settings
Fleet server hosts
I have put my local server 192.0.1.20 with port 8220
Outputs
https://192.0.1.20:9200 // Default SSL

Then I go to Agents and give it Add Fleet Server.
In this screen I am initially choosing the fleet server policy https://192.0.1.20:8220

And it appears to me that I add the following on the Linux debian server where I want to install the fleet server.

sudo ./elastic-agent install \
  --fleet-server-es=https://192.0.1.20:9200 \
  --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2ODE1MTU3MjU5Mzk6eEZtdUdjSl9UdXktQ18tdDNfNFl4UQ \
  --fleet-server-policy=fleet-server-policy

Some Details

  • I only have a linux (debian11) with Kibana, Elasticsearch and right here I want to add the Fleet server.
  • Port 8220 isn't active on the linux (debian11) server
  • The Elasticsearch has the SSL that comes by default in the latest version (I DO NOT use digital certificates)

If I install with /elastic-agent install
--fleet-server-es=https://192.0.1.20:9200 \

I get the following error
{"log.level":"info","@timestamp":"2023-04-14T18:26:57.558-0500","log.origin":{"file.name":"cmd/enroll_cmd.go" ,"file.line":407},"message":"Generating self-signed certificate for Fleet Server","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-04-14T18:27:02.218-0500","log.origin":{"file.name":"cmd/enroll_cmd.go" ,"file.line":770},"message":"Waiting for Elastic Agent to start Fleet Server","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-04-14T18:27:06.222-0500","log.origin":{"file.name":"cmd/enroll_cmd.go" ,"file.line":803},"message":"Fleet Server - Error - x509: certificate signed by unknown authority","ecs.version":"1.6.0"}
Error: fleet-server failed: context canceled
For help, please see our troubleshooting guide at Troubleshoot common problems | Fleet and Elastic Agent Guide [8.7] | Elastic
Error: enroll command failed for unknown reason: exit status 1

but if I install without Https
/elastic-agent install
--fleet-server-es=http://192.0.1.20:9200 \

I get the following:

Installed as a system package, installation will not be altered.
{"log.level":"info","@timestamp":"2023-04-14T18:29:52.671-0500","log.origin":{"file.name":"cmd/enroll_cmd.go" ,"file.line":407},"message":"Generating self-signed certificate for Fleet Server","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-04-14T18:29:56.236-0500","log.origin":{"file.name":"cmd/enroll_cmd.go" ,"file.line":770},"message":"Waiting for Elastic Agent to start Fleet Server","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-04-14T18:30:00.240-0500","log.origin":{"file.name":"cmd/enroll_cmd.go" ,"file.line":803},"message":"Fleet Server - Error - EOF","ecs.version":"1.6.0"}
^CError: fleet-server failed: context canceled
For help, please see our troubleshooting guide at Troubleshoot common problems | Fleet and Elastic Agent Guide [8.7] | Elastic

How can I make the fleet server work?

By default SSL, do you mean that for Elasticsearch you didn't provide any certificates?
If so, Elasticsearch would generate its own self-signed certificate and output its fingerprint on initialization.

It looks like you're missing the --fleet-server-es-ca-trusted-fingerprint flag that passes this fingerprint to fleet-server.
It should have been included in the command the UI gives when setting up a fleet-server.

What version are you running?

I have installed the latest version of Elasticsearch 8.7 and it has its own certificate, but Kibana doesn't have a certificate. In summary, I have HTTPS for Elasticsearch and HTTP for Kibana.

I created the fleet server but in elasticsearch it doesn't activate any port, tell me more about --fleet-server-es-ca-trusted-fingerprint

Of course!
The --fleet-server-es-ca-trusted-fingerprint flag is the SHA256 checksum of the CA that signed the Elasticsearch certificate.
It's an alternative to providing the --certificate-authorities flag.
It should have been provided as part of the fleet-server install command in Kibana.

If it was not provided you can either supply the CA with the --certificate-authorities flag, or compute the checksum of the CA with a tool like openssl:

openssl x509 -noout -fingerprint -sha256 -inform pem -in /path/to/ca.crt

for use with the --fleet-server-es-ca-trusted-fingerprint flag.

All flags are documented in the command reference: Elastic Agent command reference | Fleet and Elastic Agent Guide [8.7] | Elastic
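
An added example, not part of the thread or of Elastic's tooling: it wraps the openssl command from the answer above, strips the `Fingerprint=` prefix and the colons so the result is bare lowercase hex (the form assumed here for the flag value), and cross-checks it against a SHA-256 taken over the certificate's DER encoding. The function names are this example's own.

```shell
#!/bin/sh
# Added example: CA certificate -> bare hex SHA-256 fingerprint.

# Normalise openssl's "SHA256 Fingerprint=AB:CD:..." line to lowercase hex.
normalise_fp() {
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the first certificate in a PEM file, using the command from the thread.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -inform pem -in "$1" | normalise_fp
}

# Independent cross-check: SHA-256 over the DER encoding of the same certificate.
ca_fingerprint_der() {
    openssl x509 -inform pem -in "$1" -outform der | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Accept only exactly 64 lowercase hex characters.
is_valid_fp() {
    case "$1" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Print the fingerprint only when it is well-formed and both methods agree.
trusted_fingerprint() {
    fp=$(ca_fingerprint "$1") || return 1
    der=$(ca_fingerprint_der "$1") || return 1
    is_valid_fp "$fp" && [ "$fp" = "$der" ] || return 1
    printf '%s\n' "$fp"
}

# Usage (path is the placeholder from the answer above):
#   fp=$(trusted_fingerprint /path/to/ca.crt) &&
#       echo "--fleet-server-es-ca-trusted-fingerprint=$fp"
```

If the PEM file is a bundle, `openssl x509` reads only the first certificate in it, so pass the file that holds the CA that signed the Elasticsearch certificate.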
