Fleet server Installation error

How do I troubleshoot this error?

localhost:~/elastic-agent-7.15.0-linux-x86_64 # sudo ./elastic-agent install --url=https://172.16.12.18:8220 \
>  -f \
>  --fleet-server-es=https://172.16.12.11:9200 \
>  --fleet-server-service-token=AAEAAWVsYXN0aWMvZlZXQtc2VydmVyL3Rva2VuLTE2MzQ4OTE0ODE0MTg6NXZBMHFoS21TNGFIbXBYRERITEhnQQ \
>   --fleet-server-policy=ae4ebec0-d43a-11eb-9a0c-25c8b2861191 \
>   --certificate-authorities=/root/ca.crt \
>   --fleet-server-es-ca=/root/cert.crt \
>   --fleet-server-cert=/root/fleet-server/fleet-server.crt \
>   --fleet-server-cert-key=/root/fleet-server/fleet-server.key
2021-10-22T09:32:18.524+0100    INFO    cmd/enroll_cmd.go:674   Waiting for Elastic Agent to start
2021-10-22T09:32:21.536+0100    INFO    cmd/enroll_cmd.go:724   Fleet Server - Starting
2021-10-22T09:32:22.539+0100    INFO    cmd/enroll_cmd.go:705   Fleet Server - Running on policy with Fleet Server integration: ae4ebec0-d43a-11eb-9a0c-25c8b2861191; missing config fleet.agent.id (expected during bootstrap process)
2021-10-22T09:32:22.606+0100    INFO    cmd/enroll_cmd.go:432   Starting enrollment to URL: https://172.16.12.18:8220/
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Elastic Certificate Tool Autogenerated CA")
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/7.15/fleet-troubleshooting.html
Error: enroll command failed with exit code: 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/7.15/fleet-troubleshooting.html

Troubleshoot your certificate authority, certificate and key.


What certificate should be mentioned for fleet-server-es-ca?

I worked past this by performing the 2-step install/enroll process here: Troubleshoot common problems | Fleet and Elastic Agent Guide [7.15] | Elastic

Once the install was complete, in the fleet.yml file (under the agent install dir), in the fleet.server.output.Elasticsearch.ssl.certificate_authorities section, I ensured that I had both CAs listed: the CA used to sign the Elasticsearch/Kibana certs, and the CA used to sign the Fleet certs.

I'm not clear on which command line option is used to set those parameters. My command had my elastic-stack CA, but the file had the fleet CA when I opened it. I've struggled trying to unwrap the maze of certificates.
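The "crypto/rsa: verification error" hint in the log above means a CA with the expected name was found, but its key did not sign the certificate the server presented. The following is an added example, not part of the original posts, that uses `openssl verify` to find which CA file actually validates a given certificate; the demo PKI, the function names and all file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: two different CAs that share one subject name, which is what
# you get when a CA is regenerated with the same tool defaults.

# Return 0 if CERT chains to the CA(s) in CA_FILE, non-zero otherwise.
cert_chains_to() {   # usage: cert_chains_to CA_FILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the first CA file among the candidates that validates CERT.
find_signing_ca() {  # usage: find_signing_ca CERT CA_FILE...
    cert=$1; shift
    for ca in "$@"; do
        if cert_chains_to "$ca" "$cert"; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    echo "no supplied CA validates $cert" >&2
    return 1
}

# Build constructed test material in DIR: ca-old and ca-new have the same CN
# but different RSA keys; server.crt is signed by ca-new only.
make_demo_pki() {    # usage: make_demo_pki DIR
    d=$1
    for name in ca-old ca-new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Autogenerated CA" \
            -keyout "$d/$name.key" -out "$d/$name.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=fleet-server.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/ca-new.crt" -CAkey "$d/ca-new.key" -CAcreateserial \
        -out "$d/server.crt" 2>/dev/null || return 1
}

# Real use: ./script.sh <certificate> <candidate-ca>...
if [ "$#" -ge 2 ]; then
    find_signing_ca "$@"
fi
```

Run it with the Fleet Server certificate as the first argument and every CA file you hold as the remaining arguments; the file it prints is the one the enrolling agent has to trust.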
