Hello,
I am trying to enroll an elastic-agent to a self-managed Fleet Server using the --ca-sha256 parameter.
I have set up the Fleet Server security following this guide:
If I try to enroll the agent using the following command:
./elastic-agent install --url=<url> --enrollment-token=<token> --certificate-authorities=/path/to/ca.crt
Where ca.crt is the same as in the linked article, that is to say "The CA certificate to use to connect to Fleet Server. This is the CA used to generate a certificate and key for Fleet Server"
Then my elastic agent gets correctly enrolled.
However, if I try to enroll using the CA fingerprint:
./elastic-agent install --url=<url> --enrollment-token=<token> --ca-256=<fingerprint of ca.crt>
then I get an error message:
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
Why is there any difference between the 2 options?