Fleet Server - Certificate Challenges!


When I try to register Fleet Server using a certificate, it is getting successfully registered. But the problem is, it is throwing "Generating self-signed certificate for Fleet Server" after executing the command as shown below. This might be the reason that, when I try to register a VM to this Fleet Server using the certificate, I am getting an exception "x509 certificate signed by unknown authority".

So I am trying to see if the root cause of the issue is that "my fleet server" is not configured properly using the CA certificate. Please help.

sudo ./elastic-agent install -f --url=https://XX1prdelkfleet01:8220 \
>  --fleet-server-es=https://mo1prdelkmstr01:9200 \
>  --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NDU0MzU3NTMwMjY6RmduZUU1RGNTeHlEb2lKVHdEVjRRZw \
>   --fleet-server-policy=9de5f020-8e76-11ec-9794-bf083a8b07e7 \
>   --certificate-authorities= /etc/ssl/certs/elkprd.crt \
>   --fleet-server-es-ca= /tmp/elkprd.crt \
>   --fleet-server-cert=  /tmp/elkprd.crt \
>   --fleet-server-cert-key= /tmp/elkprd.key
2022-02-21T06:34:43.470-0500	INFO	cmd/enroll_cmd.go:354	Generating self-signed certificate for Fleet Server
2022-02-21T06:34:45.887-0500	INFO	cmd/enroll_cmd.go:701	Fleet Server - Starting
2022-02-21T06:34:46.888-0500	INFO	cmd/enroll_cmd.go:682	Fleet Server - Running on policy with Fleet Server integration: 9de5f020-8e76-11ec-9794-bf083a8b07e7; missing config fleet.agent.id (expected during bootstrap process)
2022-02-21T06:34:47.692-0500	INFO	cmd/enroll_cmd.go:414	Starting enrollment to URL: https://mo1prdelkfleet01:8220/
2022-02-21T06:34:48.482-0500	INFO	cmd/enroll_cmd.go:252	Successfully triggered restart on running Elastic Agent.

It appears by your config that you are not providing the correct CA cert at line
--fleet-server-es-ca= /tmp/elkprd.crt \

Sample config from one of my environments, where our first elastic node also acts as our CA:

  --certificate-authorities=/etc/elasticsearch/certificates/elastic-stack-ca.crt \
  --fleet-server-es-ca=/etc/elasticsearch/certificates/elastic-stack-ca.crt \
  --fleet-server-cert=/etc/elasticsearch/certificates/fleet-server.crt \

Also note that placing the cert here, where required, will allow that instance to trust it:

/etc/ssl/certs# cp /tmp/elastic-stack-ca.crt ./
Don't forget to run the update command: update-ca-certificates
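
A pre-flight check for the command in the question, as an added example that is not part of the original posts or of elastic-agent: in a POSIX shell a space after `=` ends the word, so `--fleet-server-cert= /tmp/elkprd.crt` reaches the program as an empty-valued flag followed by a separate argument. The function name `check_flag_values` and the host and paths in the demo call are constructed for illustration; whether this splitting is what produced the self-signed certificate message in the log above is not confirmed in the thread.

```shell
#!/bin/sh
# Added example: lint an argument list exactly as the shell would pass it,
# reporting flags of the form "--name=" whose value is empty.
#   SPLIT <flag> <word>  -> empty flag followed by a bare word (likely its value)
#   EMPTY <flag>         -> empty flag with nothing usable after it
# Returns 0 when every "--name=value" flag has a value, 1 otherwise.
check_flag_values() {
    _cfv_status=0
    _cfv_pending=""
    for _cfv_arg in "$@"; do
        if [ -n "$_cfv_pending" ]; then
            case "$_cfv_arg" in
                -*) echo "EMPTY $_cfv_pending" ;;
                *)  echo "SPLIT $_cfv_pending $_cfv_arg" ;;
            esac
            _cfv_pending=""
        fi
        case "$_cfv_arg" in
            --*=*)
                # Value is everything after the first '='; a token that
                # merely ends in '=' (base64 padding) is not flagged.
                if [ -z "${_cfv_arg#*=}" ]; then
                    _cfv_pending="${_cfv_arg%%=*}"
                    _cfv_status=1
                fi
                ;;
        esac
    done
    if [ -n "$_cfv_pending" ]; then
        echo "EMPTY $_cfv_pending"
    fi
    return "$_cfv_status"
}

# Constructed demo: same flag names as the question, placeholder host and paths.
# The shell itself performs the word splitting being demonstrated.
check_flag_values install -f \
    --url=https://fleet.example.internal:8220 \
    --certificate-authorities= /etc/ssl/certs/ca.crt \
    --fleet-server-cert= /tmp/server.crt \
    --fleet-server-cert-key=/tmp/server.key || true
```
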
