An update on this. I was able to resolve the bad certificate issue by copying my ca.crt certificate into the Advanced YAML Configuration Box as suggested here: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.6] | Elastic
I tried to use
ssl.certificate_authorities: ["/path/to/your/elasticsearch-ca.crt"]
in my kibana.yml file as illustrated here:
xpack.fleet.outputs:
- id: fleet-default-output
name: default
type: elasticsearch
hosts: [https://es01-private-ip:9200]
is_default: true
is_default_monitoring: true
ssl.certificate_authorities: ["/home/ubuntu/certs/ca/ca.crt"]
but I see this error in Kibana
[2023-03-20T16:24:46.902+00:00][ERROR][plugins.encryptedSavedObjects] Failed to encrypt "ssl" attribute: Encryption is disabled because of missing encryption key.
And I am unable to view my the "fleet" interface in Kibana.
So I took out the xpack.fleet.outputs section from kibana.yml file and set those settings manually, including copying and pasting the certificate manually. Now, I am able to install the agent on my fleet server, and the agent is sending data to elasticsearch.
However, when I enroll a new elastic agent in other computes using the agent policy id: agent-policy-apm-server, the agent enrolls successfully, but I think it is sending HTTP traffic to the elasticsearch cluster. I don't know why.
Here is the error I get from elasticserach
[2023-03-20T14:13:01,676][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [es01] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.31.3.172:9200, remoteAddress=/192.241.223.42:37588}
[2023-03-20T14:13:02,942][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [es01] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.31.3.172:9200, remoteAddress=/192.241.209.135:39526}
I used this command to install the agent on my computer.
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.6.2-linux-x86_64.tar.gz &&
tar xzvf elastic-agent-8.6.2-linux-x86_64.tar.gz &&
cd elastic-agent-8.6.2-linux-x86_64 &&
sudo ./elastic-agent install --url=https://fleet-server-ip:8220 --enrollment-token=c1hnN19vWUJlWUZSNkxkS2V5a0M6ZXc3OWtxckNSS09YYjl0X1l5UXdOUQ== \
--certificate-authorities=/home/kowshik/certs/ca/ca.crt \
--fleet-server-es-ca=/home/kowshik/certs/ca/ca.crt \
--fleet-server-cert=/home/kowshik/certs/fleet-server/fleet-server.crt \
--fleet-server-cert-key=/home/kowshik/certs/fleet-server/fleet-server.key