The documentation for setting up a fleet server, both the online guide and via the 'Add a fleet server', doesn't account for a situation where Elasticsearch is configured with TLS, but you want to use Quickstart for setting up a fleet server.
Selecting quickstart generates the following command:
./elastic-agent install -f --fleet-server-es=http://localhost:9200 --fleet-server-service-token=<redacted> --fleet-server-policy=<redacted>
(Note ES URL is http, not https)
This causes the elastic agent setup to fail with the unhelpful:
2021-11-05T14:48:17.712-0500 INFO cmd/enroll_cmd.go:372 Generating self-signed certificate for Fleet Server
2021-11-05T14:48:20.398-0500 INFO cmd/enroll_cmd.go:724 Fleet Server - Starting
2021-11-05T14:48:21.401-0500 INFO cmd/enroll_cmd.go:724 Fleet Server - Error - EOF
2021-11-05T14:48:27.412-0500 INFO cmd/enroll_cmd.go:729 Fleet Server - Error - EOF
2021-11-05T14:48:31.419-0500 INFO cmd/enroll_cmd.go:724 Fleet Server - Restarting
2021-11-05T14:48:32.420-0500 INFO cmd/enroll_cmd.go:724 Fleet Server - Error - EOF
...
2021-11-05T14:50:17.638-0500 INFO cmd/enroll_cmd.go:729 Fleet Server - Error - EOF
Error: fleet-server never started by elastic-agent daemon: context canceled
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/7.15/fleet-troubleshooting.html
Error: enroll command failed with exit code: 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/7.15/fleet-troubleshooting.html
If we specify https://localhost:9200, the command fails due to self-signed certificates, which --insecure does not resolve. Specifying:
./elastic-agent install -f --fleet-server-es=https://localhost:9200 --fleet-server-service-token=... --fleet-server-policy=... --fleet-server-es-ca <path to ES pub cert>
Works.
Perhaps it's a bit of a corner case: Self-signed ES TLS certs + quickstart Fleet, but at least a more helpful error message would be nice.
Don't seem to be the only person who's run into this: Attempting to start Fleet Server fails - #2 by blaker and Fleet server agent unable to start- Connection refused - #3 by Psyhil
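
As an added example that is not part of the original post or of Elastic's tooling, the script below turns the failure described above into the more helpful message the post asks for: it reads the install output and the ES URL that was used, and suggests the working command form. The function names, return codes and the "two or more EOF lines" threshold are assumptions made for illustration; the flags are the ones quoted in the post.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): triage a failed Fleet Server
# quickstart enrollment from the ES URL that was used and the install output.
# Return codes: 0 = no known pattern, 10 = http:// URL but ES likely serves TLS,
#               11 = https:// URL with no CA given for a self-signed ES cert.

suggest_command() {  # usage: suggest_command <es_url> <ca_path>
  local url="https://${1#*://}"   # force the https scheme, keep host:port
  printf './elastic-agent install -f --fleet-server-es=%s ' "$url"
  printf -- '--fleet-server-service-token=<token> --fleet-server-policy=<policy> '
  printf -- '--fleet-server-es-ca %s\n' "$2"
}

diagnose_enroll() {  # usage: diagnose_enroll <es_url> <log_file> [ca_path]
  local es_url="$1" log="$2" ca="${3:-}" eofs
  # Only act on the terminal failure reported in the post.
  grep -q 'fleet-server never started by elastic-agent daemon' "$log" || return 0
  eofs=$(grep -c 'Fleet Server - Error - EOF' "$log" || true)
  case $es_url in
    http://*)
      # Heuristic (assumption): repeated EOF over plain http means ES wants TLS.
      if [ "$eofs" -ge 2 ]; then
        echo "Repeated EOF over $es_url: Elasticsearch is probably TLS-enabled."
        echo "Retry with: $(suggest_command "$es_url" '<path to ES pub cert>')"
        return 10
      fi ;;
    https://*)
      if [ -z "$ca" ]; then
        echo "No CA supplied for $es_url; a self-signed ES cert will be rejected."
        echo "Retry with: $(suggest_command "$es_url" '<path to ES pub cert>')"
        return 11
      fi ;;
  esac
  return 0
}

# Constructed sample input: a shortened copy of the output quoted in the post.
sample_log=$(mktemp)
cat > "$sample_log" <<'LOG'
2021-11-05T14:48:20.398-0500 INFO cmd/enroll_cmd.go:724 Fleet Server - Starting
2021-11-05T14:48:21.401-0500 INFO cmd/enroll_cmd.go:724 Fleet Server - Error - EOF
2021-11-05T14:48:27.412-0500 INFO cmd/enroll_cmd.go:729 Fleet Server - Error - EOF
Error: fleet-server never started by elastic-agent daemon: context canceled
LOG
diagnose_enroll 'http://localhost:9200' "$sample_log" || echo "diagnosis code: $?"
```

Passing the ES CA file rather than disabling verification keeps certificate validation between Fleet Server and Elasticsearch in place, which is why the suggested command always carries --fleet-server-es-ca.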