Greetings,
Running into a problem with setting up the Fleet server.
I have a standalone development server running Kibana, Elasticsearch, and Elastic-agent. Very excited to try out the new agent and security features in 7.14!
When trying to set up the Fleet server I run into an error with the certificate being used. Below is the command I'm running:
sudo elastic-agent enroll --url=https://elastic:8220 \
-f \
--fleet-server-es=https://elastic:9200 \
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2Mjg5MTM1MDYwODY6VFM4N3RvZmlUb3FibkM4ektmQkx3dw \
--fleet-server-policy=7c276ea0-fc59-11eb-811b-21110687356f \
--certificate-authorities=/etc/elastic-agent/certs/ca/fleet-server-ca.crt \
--fleet-server-es-ca=/etc/elastic-agent/certs/fleet-server.crt \
--fleet-server-cert=/etc/elastic-agent/certs/fleet-server.crt \
--fleet-server-cert-key=/etc/elastic-agent/certs/fleet-server.key
Error message below:
2021-08-14T05:40:33.300Z INFO cmd/enroll_cmd.go:526 Spawning Elastic Agent daemon as a subprocess to complete bootstrap process.
2021-08-14T05:40:33.435Z INFO application/application.go:66 Detecting execution mode
2021-08-14T05:40:33.435Z INFO application/application.go:87 Agent is in Fleet Server bootstrap mode
2021-08-14T05:40:33.588Z INFO [api] api/server.go:62 Starting stats endpoint
2021-08-14T05:40:33.588Z INFO application/fleet_server_bootstrap.go:124 Agent is starting
2021-08-14T05:40:33.588Z INFO [api] api/server.go:64 Metrics endpoint listening on: /var/lib/elastic-agent/data/tmp/elastic-agent.sock (configured: unix:///var/lib/elastic-agent/data/tmp/elastic-agent.sock)
2021-08-14T05:40:33.588Z INFO application/fleet_server_bootstrap.go:134 Agent is stopped
2021-08-14T05:40:33.590Z INFO stateresolver/stateresolver.go:48 New State ID is 6ljz3EMv
2021-08-14T05:40:33.590Z INFO stateresolver/stateresolver.go:49 Converging state requires execution of 1 step(s)
2021-08-14T05:40:33.619Z INFO operation/operator.go:259 operation 'operation-install' skipped for fleet-server.7.14.0
2021-08-14T05:40:33.731Z INFO log/reporter.go:40 2021-08-14T05:40:33Z - message: Application: fleet-server--7.14.0: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'
2021-08-14T05:40:33.732Z INFO stateresolver/stateresolver.go:66 Updating internal state
2021-08-14T05:40:34.303Z INFO cmd/enroll_cmd.go:701 Fleet Server - Starting
2021-08-14T05:40:34.750Z ERROR status/reporter.go:236 Elastic Agent status changed to: 'error'
2021-08-14T05:40:34.750Z ERROR log/reporter.go:36 2021-08-14T05:40:34Z - message: Application: fleet-server--7.14.0: State changed to FAILED: Error - x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 - type: 'ERROR' - sub_type: 'FAILED'
2021-08-14T05:40:35.304Z INFO cmd/enroll_cmd.go:701 Fleet Server - Error - x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Error: fleet-server never started by elastic-agent daemon: context cancel
Below is how I'm generating the certs. I am providing SANs to the cert, so this is kinda where I'm confused.
cat > fleet.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
ST = NY
L = New York City
O = Dev
OU = SIEM
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = 172.31.4.162
DNS.1 = elastic
DNS.2 = kibana1
EOF
openssl genrsa -out fleet-server-ca.key 2048
openssl req -new -x509 -days 365 -key fleet-server-ca.key -subj "/C=US/ST=NY/L=New York City/O=dev/CN=Fleet-Server-CA" -out fleet-server-ca.crt
openssl req -newkey rsa:2048 -nodes -keyout fleet-server.key -config fleet.cnf -out fleet-server.csr
openssl x509 -req -days 365 -in fleet-server.csr -CA fleet-server-ca.crt -CAkey fleet-server-ca.key -CAcreateserial -out fleet-server.crt
To note, I did add the fleet-ca cert to my Elasticsearch cert authorities:
xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca/elastic-stack-ca.crt","/etc/elasticsearch/certs/ca/fleet-server-ca.crt"]
I also did follow the Fleet secure connection documentation, but it led to the same outcome: Encrypt traffic in a self-managed cluster | Fleet and Elastic Agent Guide [7.14] | Elastic
Any help or suggestion is highly appreciated!
Thanks in advance,
Morgan
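Added example, not part of Morgan's post or of Elastic's own tooling: the signing step above uses `openssl x509 -req`, which does not carry extensions over from the CSR unless told to, so the issued fleet-server.crt ends up with no subjectAltName even though the CSR had one. The Go error in the log ("certificate relies on legacy Common Name field") is what Go's verifier reports when the certificate it is handed has no SAN extension at all. The script below repeats the post's config and commands, adds `-extfile fleet.cnf -extensions req_ext` to the signing step, and provides two checks a practitioner would run before enrolling: print the SANs actually present in a certificate, and verify the certificate against the CA for a given host name the way a TLS client would. The output directory argument, the `[v3_ca]` section (so the CA cert is marked CA:TRUE regardless of the system openssl.cnf) and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not code from the original post): issue a Fleet Server cert
# whose SANs survive signing, then check it the way a TLS client will.
# Usage: sh fleet-certs.sh <output-dir>   (no argument: only defines functions)
set -e

# Write the OpenSSL config: the post's [req]/[req_ext]/[alt_names] sections plus
# an assumed [v3_ca] section for the self-signed CA. $1 = path of the config file.
write_fleet_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
ST = NY
L = New York City
O = Dev
OU = SIEM
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = 172.31.4.162
DNS.1 = elastic
DNS.2 = kibana1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Generate the CA, the CSR carrying the SANs, and the signed leaf in dir $1.
make_fleet_certs() {
  dir="$1"
  mkdir -p "$dir"
  write_fleet_cnf "$dir/fleet.cnf"
  (
    cd "$dir"
    openssl genrsa -out fleet-server-ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key fleet-server-ca.key -config fleet.cnf \
      -extensions v3_ca -subj "/C=US/ST=NY/L=New York City/O=dev/CN=Fleet-Server-CA" \
      -out fleet-server-ca.crt
    openssl req -newkey rsa:2048 -nodes -keyout fleet-server.key -config fleet.cnf \
      -out fleet-server.csr 2>/dev/null
    # The fix: `openssl x509 -req` drops the CSR's extensions, so without
    # -extfile/-extensions the leaf is issued with no subjectAltName at all.
    openssl x509 -req -days 365 -in fleet-server.csr -CA fleet-server-ca.crt \
      -CAkey fleet-server-ca.key -CAcreateserial -extfile fleet.cnf \
      -extensions req_ext -out fleet-server.crt 2>/dev/null
  )
}

# Print the SAN entries of certificate $1 on one line; prints nothing if the
# certificate has no SAN extension (the condition behind the Go error).
cert_sans() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Exit 0 only if certificate $2 chains to CA $1 and is valid for host name $3.
verify_for_name() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if [ $# -gt 0 ]; then
  make_fleet_certs "$1"
  echo "SANs in $1/fleet-server.crt: $(cert_sans "$1/fleet-server.crt")"
  verify_for_name "$1/fleet-server-ca.crt" "$1/fleet-server.crt" elastic \
    && echo "fleet-server.crt verifies for host name 'elastic'"
fi
```

Running `cert_sans` against a certificate that prints nothing is the quickest confirmation of the problem; it is worth running against every certificate the agent and Fleet Server will validate, including the Elasticsearch HTTP certificate behind `--fleet-server-es`, not only fleet-server.crt. On OpenSSL 3.x, `openssl x509 -req -copy_extensions copy` is an alternative to `-extfile`/`-extensions` that copies whatever extensions the CSR carries.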