The certificates were generated using a CSR from Elasticsearch and signed with a Microsoft CA. The ca.crt is in the format of RootCA and IssuingCA in a single certificate (Root CA is offline).
The Elasticsearch nodes and Kibana node appear to work with no issues, https is enabled and certificates are correct in the browser and appear to be trusted through the chain. Cluster is Green and I can manage everything in the Kibana web interface.
Where I have the problem is trying to add a Fleet server into the cluster. I've followed the documentation and the command I'm using to install the Fleet server is:
My best guess is that it contains the leaf certificate & the intermediate, but not the root.
Fingerprint based trust only works if the server provides a copy of the CA. The client (fleet) uses the fingerprint to check that the provided CA has the expected fingerprint. It cannot do that if the CA isn't in the server's chain.
If you want the ES node to provide the CA in the chain, then you need to append the CA to certs/es1fqdn.cer
It originally contained just the certificate for the node 1 server. I have also tried appending the leaf certificate.
So leaf and root need to be appended? Which fingerprint should I use then? Fingerprint of the leaf or the root? It's only Fleet that seems to have an issue with the current setup.
I believe Fleet requires a fingerprint for the root certificate, and the root certificate needs to be in the server's chain.
CA fingerprinting is primarily designed to work with Elasticsearch's security auto-configuration which does not generate an intermediate, and does include the CA in the chain.
It can be used for other configurations, but its goal is to simplify out-of-the-box setups rather than being a universal solution.
Did you configure other products to use the fingerprint or directly reference the CA?
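Before re-running the Fleet install, it is worth checking whether the pinned fingerprint actually matches a certificate in the chain the node serves, which is the condition described above. The check below is an added example, not code from this thread or from Elastic; it uses constructed placeholder PEM payloads in place of real certificates, and the chain file name certs/es1fqdn.cer is taken from the discussion above.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER certificates. These are NOT real X.509 structures,
# only labelled byte strings, so the parsing and matching logic can run offline.
SAMPLE_LEAF_DER = b"constructed-leaf-certificate-for-es1fqdn"
SAMPLE_INTERMEDIATE_DER = b"constructed-issuing-ca-certificate"
SAMPLE_ROOT_DER = b"constructed-root-ca-certificate"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Chain as the thread describes it (leaf + intermediate, root missing),
# beside the same file with the root CA appended, i.e. certs/es1fqdn.cer before and after.
CHAIN_WITHOUT_ROOT = to_pem(SAMPLE_LEAF_DER) + to_pem(SAMPLE_INTERMEDIATE_DER)
CHAIN_WITH_ROOT = CHAIN_WITHOUT_ROOT + to_pem(SAMPLE_ROOT_DER)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(bundle: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle)]


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, lowercase hex without colons (the form Elasticsearch prints)."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept openssl's 'AA:BB:...' style or bare hex and return one canonical form."""
    return fp.replace(":", "").replace(" ", "").lower()


def chain_offers_fingerprint(bundle: str, fingerprint: str) -> bool:
    """True if some certificate the server would send has the pinned fingerprint.
    Fingerprint-based trust in the Fleet client can only succeed when this holds."""
    wanted = normalize_fingerprint(fingerprint)
    return any(sha256_fingerprint(der) == wanted for der in pem_certs(bundle))


if __name__ == "__main__":
    root_fp = sha256_fingerprint(SAMPLE_ROOT_DER)
    for name, bundle in (("without root", CHAIN_WITHOUT_ROOT), ("with root", CHAIN_WITH_ROOT)):
        print(f"chain {name}: {len(pem_certs(bundle))} certs, root fingerprint offered: "
              f"{chain_offers_fingerprint(bundle, root_fp)}")
```

Run it against the real chain file and the fingerprint you pass to the installer; a result of False for the real bundle means the fingerprint option cannot work until the CA is appended to the chain.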
@TimV
I've just tried appending the leaf and root into the Elastic certificates. When installing the Fleet server I get the error "Error - failed version compatibility check with elasticsearch: x509: certificate signed by an unknown authority"
I've got it working, so it looks like you need the leaf and root in the Elastic host certificates and then run the Fleet installer without the fingerprint but use --fleet-server-es-ca and point it at the ca.crt file on the Fleet server.
I wish the documentation would cover things outside the default setup, I'd have thought this was quite a common install method - there's certainly a lot of unresolved forum posts about TLS/SSL.
@TimV
I was wrong, it's still broken. Same error in the Elasticsearch hosts log. Only found it's still a problem when configuring Elastic Defend and the integration fails on the endpoint as it can't talk to the Elasticsearch servers.
I now have the chain in the certificate on all Elasticsearch hosts and used the fleet-server-es-ca option to point at the ca.crt which contains the leaf and root certificate.
There really needs to be some documentation for self-signed certificates, I can't find any documentation anywhere.