Fleet server setup documentation incorrect when using quickstart + (elastic with TLS)

tfriesen · November 5, 2021, 8:38pm

The documentation for setting up a fleet server, both the online guide and via the 'Add a fleet server', don't account for a situation where Elasticsearch is configured with TLS, but you want to use Quickstart for setting up a fleet server.

Selecting quickstart generates the following command:

./elastic-agent install  -f  --fleet-server-es=http://localhost:9200  --fleet-server-service-token=<redacted>  --fleet-server-policy=<redacted>

(Note ES URL is http, not https)

This causes the elastic agent setup to fail with the unhelpful:

2021-11-05T14:48:17.712-0500    INFO    cmd/enroll_cmd.go:372   Generating self-signed certificate for Fleet Server
2021-11-05T14:48:20.398-0500    INFO    cmd/enroll_cmd.go:724   Fleet Server - Starting
2021-11-05T14:48:21.401-0500    INFO    cmd/enroll_cmd.go:724   Fleet Server - Error - EOF
2021-11-05T14:48:27.412-0500    INFO    cmd/enroll_cmd.go:729   Fleet Server - Error - EOF
2021-11-05T14:48:31.419-0500    INFO    cmd/enroll_cmd.go:724   Fleet Server - Restarting
2021-11-05T14:48:32.420-0500    INFO    cmd/enroll_cmd.go:724   Fleet Server - Error - EOF
...
2021-11-05T14:50:17.638-0500    INFO    cmd/enroll_cmd.go:729   Fleet Server - Error - EOF
Error: fleet-server never started by elastic-agent daemon: context canceled
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/7.15/fleet-troubleshooting.html
Error: enroll command failed with exit code: 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/7.15/fleet-troubleshooting.html

If we specify https://localhost:9200 , the command fails due to self-signed certificates, which --insecure does not resolve. Specifying:

./elastic-agent install   -f  --fleet-server-es=https://localhost:9200  --fleet-server-service-token=...   --fleet-server-policy=... --fleet-server-es-ca <path to ES pub cert>

Works.

Perhaps it's a bit of a corner case: Self-signed ES TLS certs + quickstart Fleet, but at least a more helpful error message would be nice.

Don't seem to be the only person who's run into this: Attempting to start Fleet Server fails - #2 by blaker and Fleet server agent unable to start- Connection refused - #3 by Psyhil

system · December 3, 2021, 10:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Setup Fleet on Windows. I cannot get it to work at all Beats fleet	1	434	April 5, 2022
Attempting to start Fleet Server fails Beats fleet	6	2242	October 24, 2021
Fleet Server Fails At Start, No Reason Given Beats fleet	2	765	April 8, 2022
Fleet Server installation issue Beats fleet	2	886	December 9, 2021
Unable to create a fleet server with SSL certificates configured Elastic Agent	4	56	August 9, 2024

Fleet server setup documentation incorrect when using quickstart + (elastic with TLS)

Related topics