Hey! Sure thing:
When deploying the ES cluster for the first time I had to extract the fingerprint of the http certificate by executing the following command in any of the members of the cluster:
openssl x509 -in /usr/share/config/http-certs/ca.crt -sha256 -fingerprint | grep SHA256 | sed 's/://g'
The result of this command is the trusted fingerprint that should be configured on the output section of the fleet settings.
After a year, Elasticsearch renewed the certificate, changing this fingerprint, so the agents with the old fingerprint would throw the x509 error.
The solution was basically updating the fingerprint in the fleet configuration, so it would be propagated automatically through the agents.
I hope this answers your questions in more detail.
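
The check described in the post above, as an added example that is not part of the original post: it computes the SHA-256 fingerprint of a CA certificate and compares it with the value stored in the Fleet output settings, so a renewal is caught before agents start failing with the x509 error. The function names and the two sample "certificates" are assumptions made for this example; the samples are constructed placeholder bytes, not real X.509.

```python
import base64
import hashlib
import re

# Constructed stand-ins for the "old" and "renewed" CA certificates: arbitrary
# bytes wrapped in PEM armor, not real X.509. The fingerprint is just SHA-256
# over the DER bytes, so this is enough to demonstrate the comparison.
def _fake_pem(der: bytes) -> str:
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

OLD_CA_PEM = _fake_pem(b"constructed old CA certificate bytes")
NEW_CA_PEM = _fake_pem(b"constructed renewed CA certificate bytes")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first certificate's DER bytes, as uppercase hex."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest().upper()

def normalize_fingerprint(value: str) -> str:
    """Accept 'SHA256 Fingerprint=AA:BB:..', 'aa:bb:..' or bare hex."""
    hex_part = value.strip().rsplit("=", 1)[-1].replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hex_part):
        raise ValueError("not a SHA-256 fingerprint: %r" % value)
    return hex_part

def fingerprint_is_current(configured: str, ca_pem: str) -> bool:
    """True if the fingerprint stored in Fleet still matches the CA on disk."""
    return normalize_fingerprint(configured) == cert_fingerprint(ca_pem)

if __name__ == "__main__":
    # Value saved at first deployment, in the colon-separated openssl style.
    fp = cert_fingerprint(OLD_CA_PEM)
    configured = "SHA256 Fingerprint=" + ":".join(
        fp[i:i + 2] for i in range(0, 64, 2))
    print("before renewal:", fingerprint_is_current(configured, OLD_CA_PEM))
    print("after renewal: ", fingerprint_is_current(configured, NEW_CA_PEM))
```

Against a real cluster, pass the text of the `ca.crt` file from the post to `fingerprint_is_current` together with the value currently set in Fleet, and run it on a schedule so a mismatch is flagged as soon as the certificate is renewed.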