Fleet Server x509 Error (GODEBUG=x509ignoreCN=0)


Running into a problem with setting up the Fleet server.

I have a standalone development server running Kibana, Elasticsearch, and Elastic-agent. Very excited to try out the new agent and security features in 7.14! :grin:

When trying to setup the fleet server I run into an error with the certificate being used. Below is command I'm running

sudo elastic-agent enroll --url=https://elastic:8220 \
 -f \
 --fleet-server-es=https://elastic:9200 \
 --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2Mjg5MTM1MDYwODY6VFM4N3RvZmlUb3FibkM4ektmQkx3dw \
  --fleet-server-policy=7c276ea0-fc59-11eb-811b-21110687356f \
  --certificate-authorities=/etc/elastic-agent/certs/ca/fleet-server-ca.crt \
  --fleet-server-es-ca=/etc/elastic-agent/certs/fleet-server.crt \
  --fleet-server-cert=/etc/elastic-agent/certs/fleet-server.crt \

Error message below

2021-08-14T05:40:33.300Z INFO cmd/enroll_cmd.go:526 Spawning Elastic Agent daemon as a subprocess to complete bootstrap process.

2021-08-14T05:40:33.435Z INFO application/application.go:66 Detecting execution mode

2021-08-14T05:40:33.435Z INFO application/application.go:87 Agent is in Fleet Server bootstrap mode

2021-08-14T05:40:33.588Z INFO [api] api/server.go:62 Starting stats endpoint

2021-08-14T05:40:33.588Z INFO application/fleet_server_bootstrap.go:124 Agent is starting

2021-08-14T05:40:33.588Z INFO [api] api/server.go:64 Metrics endpoint listening on: /var/lib/elastic-agent/data/tmp/elastic-agent.sock (configured: unix:///var/lib/elastic-agent/data/tmp/elastic-agent.sock)

2021-08-14T05:40:33.588Z INFO application/fleet_server_bootstrap.go:134 Agent is stopped

2021-08-14T05:40:33.590Z INFO stateresolver/stateresolver.go:48 New State ID is 6ljz3EMv

2021-08-14T05:40:33.590Z INFO stateresolver/stateresolver.go:49 Converging state requires execution of 1 step(s)

2021-08-14T05:40:33.619Z INFO operation/operator.go:259 operation 'operation-install' skipped for fleet-server.7.14.0

2021-08-14T05:40:33.731Z INFO log/reporter.go:40 2021-08-14T05:40:33Z - message: Application: fleet-server--7.14.0: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'

2021-08-14T05:40:33.732Z INFO stateresolver/stateresolver.go:66 Updating internal state

2021-08-14T05:40:34.303Z INFO cmd/enroll_cmd.go:701 Fleet Server - Starting

2021-08-14T05:40:34.750Z ERROR status/reporter.go:236 Elastic Agent status changed to: 'error'

2021-08-14T05:40:34.750Z ERROR log/reporter.go:36 2021-08-14T05:40:34Z - message: Application: fleet-server--7.14.0: State changed to FAILED: Error - x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 - type: 'ERROR' - sub_type: 'FAILED'

2021-08-14T05:40:35.304Z INFO cmd/enroll_cmd.go:701 Fleet Server - Error - x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Error: fleet-server never started by elastic-agent daemon: context cancel

Below is the how I'm generating the certs. I am providing SANs to the cert so this is kinda where I'm confused.

cat > fleet.cnf <<EOF
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
C = US
L = New York City
O = Dev
subjectAltName = @alt_names
IP.1 =
IP.2 =
DNS.1 = elastic
DNS.2 = kibana1

openssl genrsa -out fleet-server-ca.key 2048

openssl req -new -x509 -days 365 -key fleet-server-ca.key -subj "/C=US/ST=NY/L=New York City/O=dev/CN=Fleet-Server-CA" -out fleet-server-ca.crt

openssl req -newkey rsa:2048 -nodes -keyout fleet-server.key -config fleet.cnf -out fleet-server.csr

openssl x509 -req -days 365 -in fleet-server.csr -CA fleet-server-ca.crt -CAkey fleet-server-ca.key -CAcreateserial -out fleet-server.crt

To note I did add the fleet-ca cert to my elasticsearch cert authorites
xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca/elastic-stack-ca.crt","/etc/elasticsearch/certs/ca/fleet-server-ca.crt"]

I also I did follow the fleet secure connection documentation, but it lead to the same outcome. Encrypt traffic in a self-managed cluster | Fleet User Guide [7.14] | Elastic

Any help or suggestion is highly appreciated!

Thanks in advance,

That should be the CA used to communicate and verify the elasticsearch certificate not the Fleet Server certificate. Are you sure you that is the correct file for that?

Hey Blake,
I should have commented earlier but I did notice that and switched it but it didn't work.

However I did find the solution to being to regenerate all the certs as a .p12 first through the elasticsearch-certutil tool

Thanks for the reply!

@morgan.atwood So you have it working?

1 Like

Yes I do, thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.