EliWallic
(EliWallic)
February 14, 2022, 10:53pm
1
Hello community,
I am trying to set up my first Fleet Server and figured out that I can set the CA fingerprint as default.
So I tried under Fleet > Settings > Output to set it as wanted, but I am getting the error:
CA trusted fingerprint should be a base64 CA sha256 fingerprint
Docs: Install Elasticsearch with RPM | Elasticsearch Guide [8.0] | Elastic
Does anyone know which format is required?
Best Regards
nchaulet
(Nicolas Chaulet)
February 15, 2022, 1:46pm
2
Hi @EliWallic
Looks like we have a bug in the client validation of this form. I filed this issue on our side and this should be fixed in an upcoming version: [Fleet] Output CATrustedFingerPrint validation client side is broken · Issue #125661 · elastic/kibana · GitHub
In the meantime, to unblock you, you can edit this setting via the API:
curl --request PUT \
  --url https://{KIBANA_HOST}/api/fleet/outputs/fleet-default-output \
  --header 'kbn-xsrf: xxxx' \
  --data '{
    "name": "default",
    "type": "elasticsearch",
    "hosts": [
      "https://test.fr"
    ],
    "is_default": true,
    "is_default_monitoring": true,
    "config_yaml": "#test",
    "ca_trusted_fingerprint": "yourfingerprint"
  }'
EliWallic
(EliWallic)
February 15, 2022, 8:16pm
3
Hi @nchaulet
Thanks for that. I tried to use your code but got some errors. In my case I had to add --insecure and -u elastic:password.
After that I still get an error:
curl -u elastic:password \
  --insecure \
  --request POST \
  --url https://127.0.0.1:5601/api/fleet/outputs/fleet-default-output \
  --header 'kbn-xsrf: true' \
  --data '{
    "name": "default",
    "type": "elasticsearch",
    "hosts": [
      "https://localhost:9200"
    ],
    "is_default": true,
    "is_default_monitoring": true,
    "config_yaml": "#test",
    "ca_trusted_fingerprint": "87:29:43:88:E1.....B5:70:E1:55:91:63"
  }'
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Also, if I use the web server instead of the Kibana service itself, with --url https://localhost/api/fleet/outputs/fleet-default-output, I am getting the following:
{"statusCode":404,"error":"Not Found","message":"Not Found"}
Not sure what's wrong in any case.
Best Regards
nchaulet
(Nicolas Chaulet)
February 15, 2022, 8:32pm
4
EliWallic:
curl -u elastic:password \
  --insecure \
  --request POST \
  --url https://127.0.0.1:5601/api/fleet/outputs/fleet-default-output \
  --header 'kbn-xsrf: true' \
  --data '{
    "name": "default",
    "type": "elasticsearch",
    "hosts": [
      "https://localhost:9200"
    ],
    "is_default": true,
    "is_default_monitoring": true,
    "config_yaml": "#test",
    "ca_trusted_fingerprint": "87:29:43:88:E1.....B5:70:E1:55:91:63"
  }'
Hi @EliWallic
Are you using TLS on your Kibana instance? If not, you should probably replace the https by http.
For the ca_trusted_fingerprint format, you should use the sha256 fingerprint and not the formatted version, something like 87294388e1...b570e15591631
EliWallic
(EliWallic)
February 15, 2022, 8:40pm
5
Hi @nchaulet
Kibana itself is not configured with TLS, only via nginx.
I tried it with:
--url http://localhost:5601/api/fleet/outputs/fleet-default-output
but it's still the same error.
Best Regards
Balu
(Thomas Walter)
February 22, 2022, 12:09pm
6
Did you get this working in the meantime?
I am getting {"statusCode":400,"error":"Bad Request","message":"[......]: definition for this key is missing"} as a reply.
Balu
(Thomas Walter)
February 22, 2022, 12:40pm
7
Ok, I might have figured this out - as usual just after I have asked the question ;)...
First I had to get the configured outputs:
curl -u {user}:{pass} --request GET \
  --url https://{kibana-host}/api/fleet/outputs
This returned an {ID} I could use instead of fleet-default-output. I also needed an additional Content-Type header:
curl -u {user}:{pass} --request PUT \
  --url https://{kibana-host}/api/fleet/outputs/{ID} \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: xxxx' \
  --data '{
    "name": "default",
    "type": "elasticsearch",
    "hosts": [
      "https://{elasticsearch-host}:9200"
    ],
    "is_default": true,
    "is_default_monitoring": true,
    "config_yaml": "",
    "ca_trusted_fingerprint": "{fingerprint}"
  }'
For the fingerprint I used the one without ":", even though both versions seemed to work.
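Added example, not part of any post in this thread: a small shell helper that produces the bare hex SHA-256 form of a CA fingerprint (no colons), the form recommended above for ca_trusted_fingerprint. The function names and the sample value are constructed for illustration; ca_fingerprint assumes openssl is installed and takes the path to your own CA certificate.

```shell
#!/bin/sh
# Added example: turn an openssl-style SHA-256 fingerprint into bare hex.

# normalize_fingerprint "<text>"
# Accepts "sha256 Fingerprint=AA:BB:...", "AA:BB:..." or bare hex.
# Prints 64 lowercase hex characters, or returns 1 when the input is not a
# complete SHA-256 digest (for example a SHA-1 fingerprint or a truncated
# copy/paste).
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n\r' | tr 'A-F' 'a-f')
    case "$fp" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || return 1
    printf '%s\n' "$fp"
}

# ca_fingerprint <ca.pem>
# Reads a PEM CA certificate and prints its fingerprint in bare hex.
ca_fingerprint() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    normalize_fingerprint "$out"
}

# Constructed sample value (the SHA-256 of an empty input), not a real CA.
SAMPLE='sha256 Fingerprint=E3:B0:C4:42:98:FC:1C:14:9A:FB:F4:C8:99:6F:B9:24:27:AE:41:E4:64:9B:93:4C:A4:95:99:1B:78:52:B8:55'
normalize_fingerprint "$SAMPLE"
```

Rejecting anything that is not exactly 64 hex characters catches a SHA-1 fingerprint or a shortened value before it is sent to the outputs API.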
EliWallic
(EliWallic)
February 22, 2022, 10:05pm
8
Yes, I used the certificate itself in the YAML Advanced configuration:
ssl:
  certificate_authorities:
    - |
      -----BEGIN CERTIFICATE-----