Fleet-Server Certificate issue

Aniket_Pant · March 27, 2023, 3:22pm

Hi Community,

xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/elk.key
xpack.security.http.ssl.certificate: certs/elk.cer
xpack.security.http.ssl.certificate_authorities: certs/rootCA.cer

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

rootCA.cer certificate i created using openssl for testing purpose.

Generate certificates for fleet-server
bin/elasticsearch-certutil cert --name fleet-server --ca-cert rootCA.crt --ca-key rootCA.key --ip 139.59.2.1 --pem
Run elastic-agent command to install fleet
./elastic-agent install --url=https://139.59.2.1:8220
--fleet-server-es=https://139.59.2.1:9200
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2Nzk5MzAyNTI0NTA6Y25wbVk1TnVUc3FGTE5GNUhGYjFSZw
--fleet-server-policy=fleet-server-policy
--certificate-authorities=/usr/share/elasticsearch/rootCA.crt
--fleet-server-es-ca= /usr/share/elasticsearch/rootCA.crt
--fleet-server-cert=/usr/share/elasticsearch/fleet-server/fleet-server.crt
--fleet-server-cert-key=/usr/share/elasticsearch/fleet-server/fleet-server.key

I am getting this error

{"log.level":"info","@timestamp":"2023-03-27T20:48:28.669+0530","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":803},"message":"Fleet Server - Error - x509: cannot validate certificate for 139.59.2.1 because it doesn't contain any IP SANs","ecs.version":"1.6.0"}

Command for generating self signed ca

openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Aniket_Pant · March 29, 2023, 4:34am

Can anyone help me out please

Aniket_Pant · April 2, 2023, 6:18am

Can anyone help me

Cristina_Amico · April 3, 2023, 7:58am

Hello @Aniket_Pant,

Could you specify what version of the stack are you running?

Aniket_Pant · April 3, 2023, 7:59am

I am using 8.2 version.

Cristina_Amico · April 3, 2023, 8:11am

Did you follow the steps in Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.2] | Elastic
to generate the certs?

Aniket_Pant · April 3, 2023, 8:51am

Okay i will follow this steps and let you know.

system · May 1, 2023, 8:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fleet Server Private Certificates Error Elasticsearch fleet	7	62	August 12, 2024
Config SSL/TLS Kibana and Elasticsearch Elasticsearch elastic-stack-security , fleet	5	1352	December 18, 2020
X509: certificate signed by unknown authority + fleet "Set up encryption key" in kibana > fleet Elastic Agent elastic-stack-security , fleet	6	177	July 15, 2024
Fleet - selfhosted production mode 7.16.3 Beats fleet	4	817	February 23, 2022
[Solved] Elasticsearch integration metric settings (elastic-agetnt) Elastic Agent elastic-stack-monitoring , elastic-stack-security	4	42	August 16, 2024

Fleet-Server Certificate issue

Related topics