--fleet-server-es-ca option does not work on Windows?

learningelastic · May 10, 2023, 7:38pm

I'm having an issue with elastic agents Windows machines, but they work perfectly on Linux machines.

My fleet server keeps showing the status Unhealthy for elastic agents I've installed on Windows machines. This is the error message I see in C:\Program Files\Elastic\Agent\data\elastic-agent-10dc6a\logs\elastic-agent-20230510-1.ndjson

Failed reading CA certificate: open /etc/certs/archive/elasticsearch-self-signed/ca.crt: The system cannot find the path specified.

Why is my elastic agent trying to use a linux path on a windows machine?

This is the command I ran to start my elastic agent on Windows

 cd C:\elastic-agent-8.7.1-windows-x86_64\
.\elastic-agent.exe install --url=https://fleet.example.net:8220 `
  --enrollment-token=aUt5eEJvZ0JXMzRXa1FUblpRM246WEwxUVBhbGlRZzZ0ODhsWkdHelhJZw== `
  -a C:\elastic-agent-8.7.1-windows-x86_64\ca.crt `
  --fleet-server-es-ca C:\elastic-agent-8.7.1-windows-x86_64\ca.crt

As you can see, I specified the --fleet-server-es-ca. I was hoping that --fleet-server-es-ca would tell elastic agent where to find the certificate authority. But it seems the elastic agent completely ignores the --fleet-server-es-ca flag.

The --fleet-server-es-ca works perfectly on Ubuntu 20.04. On ubuntu 20.04, the --fleet-server-es-ca will tell the elastic agent the location of the certificate authority necessary to connect with the elasticsearch instance.

What did I do wrong? How do I tell the elastic agent which certificate authority to use on Windows?

abhidwi27 · May 22, 2023, 4:21pm

I'm glad to assist you with this issue. I encountered a similar problem before and banged my head to get around this.

To resolve the issue, please follow these steps:

Open the Kibana dashboard and navigate to "Fleet -> Settings".
In the settings section, go to "Output" and click on "Edit Output".
In the advanced configuration, you need to paste the content, replacing <ca> with your self-signed authority.

To obtain the content for <your ca>, you can use the following command or open the file with any text editor:

cat ca.crt

Once you have obtained the content, paste it into the advanced configuration as shown below:

ssl:
  certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    <your ca>
    -----END CERTIFICATE-----

By following these steps, you should be able to resolve the issue and configure the necessary SSL settings for the output in Fleet.

learningelastic · May 30, 2023, 8:48pm

Nice that worked!

Now I undersstand. Basically the ssl.certificate_authorities in the fleet > settings > advance.yaml will override the --fleet-server-es-ca option!

system · June 27, 2023, 8:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Working with Elastic-Agent for both Windows and Linux, unsure on how to change the SSL Certificate Authority Elastic Agent elastic-stack-security	1	25	August 27, 2024
PlainElastic Agent Installation Elastic Agent	3	297	May 19, 2023
Fleet Settings - Elasticsearch output configuration (YAML) Beats fleet	3	712	February 17, 2022
A Question for Configure SSL/TLS for self-managed Fleet Servers Elasticsearch fleet , elastic-agent	1	388	May 24, 2022
Fleet server installation issue with TLS and certificates Elastic Agent fleet	0	56	October 29, 2024

--fleet-server-es-ca option does not work on Windows?

Related topics