Hi Community,
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/elk.key
xpack.security.http.ssl.certificate: certs/elk.cer
xpack.security.http.ssl.certificate_authorities: certs/rootCA.cer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
I created the rootCA.cer certificate using openssl for testing purposes.
- Generate certificates for fleet-server
bin/elasticsearch-certutil cert --name fleet-server --ca-cert rootCA.crt --ca-key rootCA.key --ip 139.59.2.1 --pem
- Run elastic-agent command to install fleet
./elastic-agent install --url=https://139.59.2.1:8220 \
  --fleet-server-es=https://139.59.2.1:9200 \
  --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2Nzk5MzAyNTI0NTA6Y25wbVk1TnVUc3FGTE5GNUhGYjFSZw \
  --fleet-server-policy=fleet-server-policy \
  --certificate-authorities=/usr/share/elasticsearch/rootCA.crt \
  --fleet-server-es-ca=/usr/share/elasticsearch/rootCA.crt \
  --fleet-server-cert=/usr/share/elasticsearch/fleet-server/fleet-server.crt \
  --fleet-server-cert-key=/usr/share/elasticsearch/fleet-server/fleet-server.key
I am getting this error:
{"log.level":"info","@timestamp":"2023-03-27T20:48:28.669+0530","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":803},"message":"Fleet Server - Error - x509: cannot validate certificate for 139.59.2.1 because it doesn't contain any IP SANs","ecs.version":"1.6.0"}
Commands for generating the self-signed CA:
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt