Fleet enroll with --ca-sha256

I am trying to enroll an elastic-agent to a self-managed fleet server using the --ca-sha256 parameter.

I have set up the fleet server security following this guide:

If I try to enroll the agent using the following command:
./elastic-agent install --url=<url> --enrollment-token=<token> --certificate-authorities=/path/to/ca.crt

Where ca.crt is the same as in the linked article, that is to say "The CA certificate to use to connect to Fleet Server. This is the CA used to generate a certificate and key for Fleet Server"

Then my elastic agent gets correctly enrolled.

However, if I try to enroll using the CA fingerprint:
./elastic-agent install --url=<url> --enrollment-token=<token> --ca-sha256=<fingerprint of ca.crt>

then I get an error message:
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority

Why is there any difference between the 2 options?
