--fleet-server-es-ca option does not work on Windows?

I'm having an issue with elastic agents Windows machines, but they work perfectly on Linux machines.

My fleet server keeps showing the status Unhealthy for elastic agents I've installed on Windows machines. This is the error message I see in C:\Program Files\Elastic\Agent\data\elastic-agent-10dc6a\logs\elastic-agent-20230510-1.ndjson

Failed reading CA certificate: open /etc/certs/archive/elasticsearch-self-signed/ca.crt: The system cannot find the path specified.

Why is my elastic agent trying to use a linux path on a windows machine?

This is the command I ran to start my elastic agent on Windows

 cd C:\elastic-agent-8.7.1-windows-x86_64\
.\elastic-agent.exe install --url=https://fleet.example.net:8220 `
  --enrollment-token=aUt5eEJvZ0JXMzRXa1FUblpRM246WEwxUVBhbGlRZzZ0ODhsWkdHelhJZw== `
  -a C:\elastic-agent-8.7.1-windows-x86_64\ca.crt `
  --fleet-server-es-ca C:\elastic-agent-8.7.1-windows-x86_64\ca.crt 

As you can see, I specified the --fleet-server-es-ca. I was hoping that --fleet-server-es-ca would tell elastic agent where to find the certificate authority. But it seems the elastic agent completely ignores the --fleet-server-es-ca flag.

The --fleet-server-es-ca works perfectly on Ubuntu 20.04. On ubuntu 20.04, the --fleet-server-es-ca will tell the elastic agent the location of the certificate authority necessary to connect with the elasticsearch instance.

What did I do wrong? How do I tell the elastic agent which certificate authority to use on Windows?

I'm glad to assist you with this issue. I encountered a similar problem before and banged my head to get around this.

To resolve the issue, please follow these steps:

  1. Open the Kibana dashboard and navigate to "Fleet -> Settings".
  2. In the settings section, go to "Output" and click on "Edit Output".
  3. In the advanced configuration, you need to paste the content, replacing <ca> with your self-signed authority.

To obtain the content for <your ca>, you can use the following command or open the file with any text editor:

cat ca.crt

Once you have obtained the content, paste it into the advanced configuration as shown below:

ssl:
  certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    <your ca>
    -----END CERTIFICATE-----

By following these steps, you should be able to resolve the issue and configure the necessary SSL settings for the output in Fleet.

Nice that worked!

Now I undersstand. Basically the ssl.certificate_authorities in the fleet > settings > advance.yaml will override the --fleet-server-es-ca option!