Hello,
I am trying to enroll an elastic-agent to a self managed fleet server using the --ca-sha256 parameter.
I have setup the fleet server security following this guide:
If I try to enroll the agent using the following command:
./elastic-agent install --url=<url> --enrollment-token=<token> --certificate-authorities=/path/to/ca.crt
Where ca.crt is the same as in the linked article, that is to say "The CA certificate to use to connect to Fleet Server. This is the CA used to generate a certificate and key for Fleet Server"
Then my elastic agent gets correctly enrolled.
However if I try to enroll using the ca fingerprint:
./elastic-agent install --url=<url> --enrollment-token=<token> --ca-256=<fingerprint of ca.crt>
then I get an error message:
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
Why is there any difference between the 2 options?