Fleet unhealthy in GUI + could not setup certificate reloader can not convert 'object' into 'string'

Fleet Server unhealthy in GUI and from CLI.

Hello All,

I have been wrestling with adding the fleet server for some time now. I am running self managed ELK with 3 nodes as follows.

master/data - Also runs kibana
data01
date02

I used the command below to install fleet server. My kibana and elasticsearch install uses the self signed TLS certificates generated by elasticsearch-certutil. The fleet certificates were generated by the same tool and use the same CA. This piece actually works. The fleet install also works but does not complete fully.

See the status messages below.

status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'

This sort of message usually means that 'elasticsearch.ssl.certificate' is set up, somewhere, with multiple values and with square brackets [ and ]. This confuses the elastic-agent. The question is where is the certificate set? Which file / location? How can it be changed without breaking other processes that are already using the certificates?

[root@rhoslog01 elastic-agent-9db552]# elastic-agent status
┌─ fleet
│  └─ status: (HEALTHY) Connected
└─ elastic-agent
   ├─ status: (DEGRADED) 1 or more components/units in a failed state
   ├─ beat/metrics-monitoring
   │  ├─ status: (HEALTHY) Healthy: communicating with pid '16899'
   │  ├─ beat/metrics-monitoring
   │  │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
   │  └─ beat/metrics-monitoring-metrics-monitoring-beats
   │     └─ status: (STARTING) Starting
   ├─ filestream-monitoring
   │  ├─ status: (HEALTHY) Healthy: communicating with pid '16888'
   │  ├─ filestream-monitoring
   │  │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
   │  └─ filestream-monitoring-filestream-monitoring-agent
   │     └─ status: (STARTING) Starting
   └─ http/metrics-monitoring
      ├─ status: (HEALTHY) Healthy: communicating with pid '16876'
      ├─ http/metrics-monitoring
      │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
      └─ http/metrics-monitoring-metrics-monitoring-agent
         └─ status: (STARTING) Starting
[root@rhoslog01 elastic-agent-9db552]#

Below is my install command for fleet server

./elastic-agent install --url=https://XXXXlog01.DOMAIN1.HHH.CC:8220 --fleet-server-es=https://XXXXlog01.DOMAIN1.HHH.CC:9200 --fleet-server-service-token=CHANGEDCHANGEDaWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MTEwMzkzMjI2MDg6SnlfSVJoUm1TZ1dILWVoc1dhM0lEZw --fleet-server-policy=fleet-server-policy --fleet-server-es-ca=/etc/elasticsearch/certs/elastic-stack-ca.crt  --fleet-server-cert=/etc/elasticsearch/certs/fleet-server/fleet-server.crt --fleet-server-cert-key=/etc/elasticsearch/certs/fleet-server/fleet-server.key --certificate-authorities=/etc/elasticsearch/certs/elastic-stack-ca.crt --fleet-server-port=8220 --fleet-server-host=XXXXlog01.DOMAIN1.HHH.CC

I have changed the hostnames and the service-token but they are normal / correct when I run the command. To be clear I am just doing the install on my master node.

I can curl to the fleet server url, kibana url and the elasticsearch url from that server.

 curl -kv https://rhoslog01.agriculture.gov.ie:9200
* Rebuilt URL to: https://rhoslog01.agriculture.gov.ie:9200/
* Uses proxy env variable no_proxy == '.agriculture.gov.ie,10.0.0.1,10.0.0.2,10.0.0.3,.cluster.local,.svc,localhost,127.0.0.1,172.30.0.1'
*   Trying 10.2.134.121...
* TCP_NODELAY set
* Connected to rhoslog01.agriculture.gov.ie (10.2.134.121) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=master-01
*  start date: Oct 25 12:56:22 2022 GMT
*  expire date: Oct 24 12:56:22 2025 GMT
*  issuer: CN=Elastic Certificate Tool Autogenerated CA
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: rhoslog01.agriculture.gov.ie:9200
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="security" charset="UTF-8"
< WWW-Authenticate: Bearer realm="security"
< WWW-Authenticate: ApiKey
< content-type: application/json
< content-length: 459
<
* Connection #0 to host rhoslog01.agriculture.gov.ie left intact
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}[root@rhoslog01 elastic-agent-9db552]
curl -kv https://rhoslog01.agriculture.gov.ie:8220
* Rebuilt URL to: https://rhoslog01.agriculture.gov.ie:8220/
* Uses proxy env variable no_proxy == '.agriculture.gov.ie,10.0.0.1,10.0.0.2,10.0.0.3,.cluster.local,.svc,localhost,127.0.0.1,172.30.0.1'
*   Trying 10.2.134.121...
* TCP_NODELAY set
* Connected to rhoslog01.agriculture.gov.ie (10.2.134.121) port 8220 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=fleet-server
*  start date: Mar 12 14:54:58 2024 GMT
*  expire date: Mar 12 14:54:58 2027 GMT
*  issuer: CN=Elastic Certificate Tool Autogenerated CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55cf124726d0)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/2
> Host: rhoslog01.agriculture.gov.ie:8220
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 404
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< x-request-id: 7c83296b-3f8c-419f-9011-ea36e8046f58
< content-length: 19
< date: Fri, 22 Mar 2024 14:41:47 GMT
<
* TLSv1.3 (IN), TLS app data, [no content] (0):
404 page not found
* Connection #0 to host rhoslog01.agriculture.gov.ie left intact
[root@rhoslog01 elastic-agent-9db552]#
curl -kv http://rhoslog01.agriculture.gov.ie:5601
* Rebuilt URL to: http://rhoslog01.agriculture.gov.ie:5601/
* Uses proxy env variable no_proxy == '.agriculture.gov.ie,10.0.0.1,10.0.0.2,10.0.0.3,.cluster.local,.svc,localhost,127.0.0.1,172.30.0.1'
*   Trying 10.2.134.121...
* TCP_NODELAY set
* Connected to rhoslog01.agriculture.gov.ie (10.2.134.121) port 5601 (#0)
> GET / HTTP/1.1
> Host: rhoslog01.agriculture.gov.ie:5601
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 302 Found
< location: /login?next=%2F
< x-content-type-options: nosniff
< referrer-policy: no-referrer-when-downgrade
< permissions-policy: camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()
< cross-origin-opener-policy: same-origin
< content-security-policy: script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'
< kbn-name: kibana
< kbn-license-sig: f0013dee1fb80e542679f4d77da090bb67f855801d3f263ec6cf88a4c439ed7d
< cache-control: private, no-cache, no-store, must-revalidate
< content-length: 0
< Date: Fri, 22 Mar 2024 14:42:30 GMT
< Connection: keep-alive
< Keep-Alive: timeout=120
<
* Connection #0 to host rhoslog01.agriculture.gov.ie left intact

So my question is: what certificates do the fleet components / elastic-agent use that cannot connect due to the "unpacking 'ssl' config: can not convert 'object' into 'string'" problem above?

Is it in /etc/kibana/kibana.yml, /etc/elasticsearch/elasticsearch.yml or in the various yml files in /opt/Elastic/Agent/data/elastic-agent-9db552/components ?

Below are the results of the elastic-agent inspect command.

Any help much appreciated.

If I have not made anything clear please ask me to provide more details.

Best Regards,

Kevin.

elastic-agent inspect
agent:
  download:
    sourceURI: https://artifacts.elastic.co/downloads/
  features: null
  id: e9599bf7-a5ac-4b2a-94ad-4c9a3c481963
  monitoring:
    enabled: true
    http:
      buffer: null
      enabled: false
      host: localhost
      port: 6791
    logs: true
    metrics: true
    namespace: default
    use_output: default
  protection:
    enabled: false
    signing_key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhmDF64wHjP4cbXoCNwkl16IoGlJ5GFS9mDVvQJp/VMyiLqkkDznz7f4srOpPzpBKSBxgPbifuBXM5iPdto7ZwA==
    uninstall_token_hash: DZPSZoOK9j7xUqKsdRQ0XYLpFDtO02Y3d+Pa1cwcobE=
fleet:
  access_api_key: VTZYa1lZNEJrUVFpQ1Qtazd4RGs6OUR0T3FsN2dSUnFwVFQxS2lVaDFodw==
  agent:
    id: ""
  enabled: true
  host: localhost:8221
  hosts:
  - https://10.2.134.121:8220
  protocol: https
  proxy_disable: true
  server:
    host: rhoslog01.agriculture.gov.ie
    internal_port: 8221
    output:
      elasticsearch:
        hosts:
        - rhoslog01.agriculture.gov.ie:9200
        protocol: https
        proxy_disable: false
        proxy_headers: null
        service_token: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MTEwMzkzMjI2MDg6SnlfSVJoUm1TZ1dILWVoc1dhM0lEZw
        ssl:
          certificate_authorities:
          - /etc/elasticsearch/certs/elastic-stack-ca.crt
          renegotiation: never
          verification_mode: full
    policy:
      id: fleet-server-policy
    port: 8220
    ssl:
      certificate: /etc/elasticsearch/certs/fleet-server/fleet-server.crt
      key: /etc/elasticsearch/certs/fleet-server/fleet-server.key
      renegotiation: never
      verification_mode: full
  ssl:
    certificate_authorities:
    - /etc/elasticsearch/certs/elastic-stack-ca.crt
    renegotiation: never
    verification_mode: certificate
  timeout: 10m0s
host:
  id: c6388f19030e4777b74d2994b30f03da
id: fleet-server-policy
inputs:
- data_stream:
    namespace: default
  id: fleet-server-fleet_server-355fc92f-6a7b-444e-a10a-7d4027da7362
  meta:
    package:
      name: fleet_server
      version: 1.5.0
  name: fleet_server-1
  package_policy_id: 355fc92f-6a7b-444e-a10a-7d4027da7362
  revision: 1
  type: fleet-server
  unused_key: not_used
  use_output: default
output_permissions:
  default:
    _elastic_agent_checks:
      cluster:
      - monitor
    _elastic_agent_monitoring:
      indices:
      - names:
        - logs-elastic_agent.apm_server-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.apm_server-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.auditbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.auditbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.cloud_defend-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.cloudbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.cloudbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.elastic_agent-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.endpoint_security-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.endpoint_security-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.filebeat_input-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.filebeat_input-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.filebeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.filebeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.fleet_server-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.fleet_server-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.heartbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.heartbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.metricbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.metricbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.osquerybeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.osquerybeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.packetbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - metrics-elastic_agent.packetbeat-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.pf_elastic_collector-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.pf_elastic_symbolizer-default
        privileges:
        - auto_configure
        - create_doc
      - names:
        - logs-elastic_agent.pf_host_agent-default
        privileges:
        - auto_configure
        - create_doc
    355fc92f-6a7b-444e-a10a-7d4027da7362:
      indices: []
outputs:
  default:
    api_key: fqXkYY4BkQQiCT-k-xTq:6GNCvGAbTRqapPadVZpOvg
    hosts:
    - https://10.2.134.121:9200
    - https://10.2.134.122:9200
    - https://10.2.134.123:9200
    preset: balanced
    ssl:
      ca_trusted_fingerprint: CBEA99D8A59F39F21FBEAA1BD3B2334D620EB408
      certificate:
        authorities:
        - |
          -----BEGIN CERTIFICATE-----
          MIIDSjCCAjKgAwIBAgIVANEFkHTzX9WraDrfYzs/1/Thg9PYMA0GCSqGSIb3DQEB
          CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
          ZXJhdGVkIENBMB4XDTIyMTAyNTEyNTUyMFoXDTI1MTAyNDEyNTUyMFowNDEyMDAG
          A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew
          ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1ypwRYxBldW++hahcCwG
          4oYf/4POg752WmCysQ8RhjJhacp+0bQNTk7RT3Nr2gIu+kGNVU76oDthLtAFg3d/
          R4v1GOjfLlUfykJJ8exhGX4hRKAk5dpu/CCuqzGkvCCaezqJCxNnZ8rkWGVcZKC/
          a8gzGXZE9uEtDTAWiognXKigeRLoMFu75pHUOUyb2tFOA+GPbmv05EwKbfKMcPF0
          qKMSmdRwCCy03lBFbLt52IzXK78xNKyUFT2tWyci/jZbBoeJtd+ypTPh8o8Nz9mg
          1vnadhm5uQAl4Rp4iidSUKBdE0FKSd4VlCr2BcvyzvVH/xUF6f8pzN1j0NEiSBF9
          AgMBAAGjUzBRMB0GA1UdDgQWBBSNvM4HrTqqZn6cQsBmPbx28shbOzAfBgNVHSME
          GDAWgBSNvM4HrTqqZn6cQsBmPbx28shbOzAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
          SIb3DQEBCwUAA4IBAQAMD1aL638RkwHMErmfVwxYuakI7VawDZCInS7FEIT+RbhA
          XYmODAt1tvRqkVr5+LkBsHsufl/9ZOn8To3/tlW6QQlNixc/B6e5tirrFN5dbfT9
          za/tc/34nkzWcdPJ/tJKmelEATZlezzOyR87pXVMLUTZeNOULtLLOTOxhqJGeAof
          mQp0eey8BjcvV3j2N9NWA7tE0B4iVm/pR4EtnOpsUrW6VjkHJRVbKaqO+ul9lI11
          XYkRQJ4G+h0fqV7qdcqLRzuqmnwUun7K3KdLdY7BuLuJbB947rtpZ9ZrcDMI9wY2
          wEwJmstrO3CC9rK3pN1O64xFGxWzMFHC3xqsT1YW
          -----END CERTIFICATE-----
    type: elasticsearch
path:
  config: /opt/Elastic/Agent
  data: /opt/Elastic/Agent/data
  home: /opt/Elastic/Agent/data/elastic-agent-9db552
  logs: /opt/Elastic/Agent
revision: 134
runtime:
  arch: amd64
  os: linux
  osinfo:
    family: redhat
    major: 8
    minor: 8
    patch: 0
    type: linux
    version: 8.8 (Ootpa)
signed:
  data: 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
  signature: MEQCIFTmAm/yOmRPW8HV/2iMfkYihW5zL7kPWWp9IQZzxxICAiAa8Fl5BMa95H7JbiFh3r/XEG+xFBZrvcl23117AY2KzA==
[root@rhoslog01 components]#

more /etc/elasticsearch/elasticsearch.yml

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: es-logging
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: master-01
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /var/lib/elasticsearch
path.data: ["/var/lib/elasticsearch", "/var/lib/elasticsearch2"]
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# Path to NFS server for snapshots. The NFS Server is rhosnwstorage/ The shared directory is /u01/elasticsearch-backups
#
path.repo: /mnt/es-nfs-backup
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: [_local_, _site_]
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["10.2.134.121", "10.2.134.122", "10.2.134.123"]
#discovery.seed_hosts: ["10.2.134.121"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
# Take care with this setting once cluster is set-up. It can lead to split brain cluster.
# Key reason if it has a single entry and that node does not see other nodes the
# node may decide it needs to initialize a new blank cluster.
#
#cluster.initial_master_nodes: ["master-01"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# --------------------------------- Readiness ----------------------------------
#
# Enable an unauthenticated TCP readiness endpoint on localhost
#
#readiness.port: 9399
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 07-10-2022 14:34:22
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# This nodes ca is here -> /etc/elasticsearch/certs/elastic-stack-ca.p12
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  verification_mode: full
  keystore.path: certs/master-01.p12
  truststore.path: certs/master-01.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: full
  keystore.path: certs/master-01.p12
  truststore.path: certs/master-01.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
# cluster.initial_master_nodes: ["rhoslog01.agriculture.gov.ie"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

#------------------------------ START NODE ROLES -----------------------------------

# Node Roles

node.roles: [master, data, ingest, transform]
#node.roles: ["data"]
#node.data: true
#node.ingest: true
#node.ml: false

#------------------------------ END NODE ROLES -----------------------------------
[root@rhoslog01 components]#

more /etc/kibana/kibana.yml

# For more configuration options see the configuration guide for Kibana in
# https://www.elastic.co/guide/index.html

# =================== System: Kibana Server ===================
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
#server.port: 8080

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "10.2.134.121"

# Enterprise Search instance

enterpriseSearch.host: 'http://localhost:3002'

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# Defaults to `false`.
#server.rewriteBasePath: false

# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""
# the production wildcard DNS is *.apps.services.agriculture.gov.ie
# https://*.apps.services.agriculture.gov.ie/
#server.publicBaseUrl: "http://kibana-external.apps.services.agriculture.gov.ie/"
#server.publicBaseUrl: "http://rhoslog01.apps.services.agriculture.gov.ie/"
server.publicBaseUrl: "http://rhoslog01.agriculture.gov.ie/"

# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576

# The Kibana server's name. This is used for display purposes.
server.name: "kibana"

# =================== System: Kibana Server (Optional) ===================
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: false
#server.ssl.enabled: true
#server.ssl.certificate: /etc/kibana/kibana.crt
#server.ssl.key: /etc/kibana/kibana.key

# =================== System: Elasticsearch ===================
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://localhost:9200"]

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana_system"
elasticsearch.password: "r0gl-LEVbtMNZS+624Bx"

# Kibana can also authenticate to Elasticsearch via "service account tokens".
# Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.
# Use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# The maximum number of sockets that can be used for communications with elasticsearch.
# Defaults to `Infinity`.
#elasticsearch.maxSockets: 1024

# Specifies whether Kibana should use compression for communications with elasticsearch
# Defaults to `false`.
#elasticsearch.compression: false

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# =================== System: Elasticsearch (Optional) ===================
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# kibana is behind a proxy so need to tell it so it can download from elasticsearch
# From here https://discuss.elastic.co/t/error-plugins-fleet-failed-to-fetch-latest-version/335115 and
# here https://www.elastic.co/guide/en/kibana/current/fleet-settings-kb.html

xpack.fleet.registryProxyUrl: http://vsdbahlprxy1:8080

# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
elasticsearch.ssl.verificationMode: none
# default is full but cannot use for now as using self signed certificate
#elasticsearch.ssl.verificationMode: full

# =================== System: Logging ===================
# Set the value of this setting to off to suppress all logging output, or to debug to log everything. Defaults to 'info'
#logging.root.level: debug

# Enables you to specify a file where Kibana stores log output.
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
#  layout:
#    type: json

# Logs queries sent to Elasticsearch.
#logging.loggers:
#  - name: elasticsearch.query
#    level: debug

# Logs http responses.
#logging.loggers:
#  - name: http.server.response
#    level: debug

# Logs system usage information.
#logging.loggers:
#  - name: metrics.ops
#    level: debug

# =================== System: Other ===================
# The path where Kibana stores persistent data not saved in Elasticsearch. Defaults to data
#path.data: data

# Specifies the path where Kibana creates the process ID file.
pid.file: /run/kibana/kibana.pid

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000ms.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English (default) "en", Chinese "zh-CN", Japanese "ja-JP", French "fr-FR".
#i18n.locale: "en"

# =================== Frequently used (Optional)===================

# =================== Saved Objects: Migrations ===================
# Saved object migrations run at startup. If you run into migration-related issues, you might need to adjust these settings.

# The number of documents migrated at a time.
# If Kibana can't start up or upgrade due to an Elasticsearch `circuit_breaking_exception`,
# use a smaller batchSize value to reduce the memory pressure. Defaults to 1000 objects per batch.
#migrations.batchSize: 1000

# The maximum payload size for indexing batches of upgraded saved objects.
# To avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch.
# This value should be lower than or equal to your Elasticsearch cluster's `http.max_content_length`
# configuration option. Default: 100mb
#migrations.maxBatchSizeBytes: 100mb

# The number of times to retry temporary migration failures. Increase the setting
# if migrations fail frequently with a message such as `Unable to complete the [...] step after
# 15 attempts, terminating`. Defaults to 15
#migrations.retryAttempts: 15

# =================== Search Autocomplete ===================
# Time in milliseconds to wait for autocomplete suggestions from Elasticsearch.
# This value must be a whole number greater than zero. Defaults to 1000ms
#unifiedSearch.autocomplete.valueSuggestions.timeout: 1000

# Maximum number of documents loaded by each shard to generate autocomplete suggestions.
# This value must be a whole number greater than zero. Defaults to 100_000
#unifiedSearch.autocomplete.valueSuggestions.terminateAfter: 100000

Hi Kevin, welcome to the community!

What is the output of View policy action on the UI when you click on Fleet Server Policy?

Hi Julia,

First thanks very much for your response. Currently the policy is as shown below.

I removed the "system" part in the hope that it would make things work.

Any hints/clues much appreciated. Please let me know if you need any more information.

Best Regards,

Kevin.

Fleet Server Policy - Agent policies - Fleet - Elastic

    Fleet
    Agent policies
    Fleet Server Policy

View all agent policies
Fleet Server Policy
Fleet Server policy generated by Kibana

Revision
    5

Integrations
    1

Agents
    1 agent

Last updated on
    Mar 22, 2024

Integrations
Settings
Namespace	Actions
fleet_server-1
	
Fleet Server
v1.5.0
	
default
	

'Fleet Server Policy' agent policy

id: fleet-server-policy
revision: 5
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'https://rhoslog01.agriculture.gov.ie:9200'
    preset: balanced
fleet:
  hosts:
    - 'https://rhoslog01.agriculture.gov.ie:8220'
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloud_defend-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat_input-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat_input-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_elastic_collector-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_elastic_symbolizer-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_host_agent-default
          privileges:
            - auto_configure
            - create_doc
    _elastic_agent_checks:
      cluster:
        - monitor
    5a9c672b-97a9-41b8-ac8a-d6cf65f27829:
      indices: []
agent:
  download:
    sourceURI: 'https://artifacts.elastic.co/downloads/'
  monitoring:
    enabled: true
    use_output: default
    namespace: default
    logs: true
    metrics: true
  features: {}
  protection:
    enabled: false
    uninstall_token_hash: DZPSZoOK9j7xUqKsdRQ0XYLpFDtO02Y3d+Pa1cwcobE=
    signing_key: >-
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhmDF64wHjP4cbXoCNwkl16IoGlJ5GFS9mDVvQJp/VMyiLqkkDznz7f4srOpPzpBKSBxgPbifuBXM5iPdto7ZwA==
inputs:
  - id: fleet-server-fleet_server-5a9c672b-97a9-41b8-ac8a-d6cf65f27829
    name: fleet_server-1
    revision: 1
    type: fleet-server
    use_output: default
    meta:
      package:
        name: fleet_server
        version: 1.5.0
    data_stream:
      namespace: default
    package_policy_id: 5a9c672b-97a9-41b8-ac8a-d6cf65f27829
    unused_key: not_used
signed:
  data: >-
    eyJpZCI6ImZsZWV0LXNlcnZlci1wb2xpY3kiLCJhZ2VudCI6eyJmZWF0dXJlcyI6e30sInByb3RlY3Rpb24iOnsiZW5hYmxlZCI6ZmFsc2UsInVuaW5zdGFsbF90b2tlbl9oYXNoIjoiRFpQU1pvT0s5ajd4VXFLc2RSUTBYWUxwRkR0TzAyWTNkK1BhMWN3Y29iRT0iLCJzaWduaW5nX2tleSI6Ik1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRWhtREY2NHdIalA0Y2JYb0NOd2tsMTZJb0dsSjVHRlM5bURWdlFKcC9WTXlpTHFra0R6bno3ZjRzck9wUHpwQktTQnhnUGJpZnVCWE01aVBkdG83WndBPT0ifX0sImlucHV0cyI6W3siaWQiOiJmbGVldC1zZXJ2ZXItZmxlZXRfc2VydmVyLTVhOWM2NzJiLTk3YTktNDFiOC1hYzhhLWQ2Y2Y2NWYyNzgyOSIsIm5hbWUiOiJmbGVldF9zZXJ2ZXItMSIsInJldmlzaW9uIjoxLCJ0eXBlIjoiZmxlZXQtc2VydmVyIn1dfQ==
  signature: >-
    MEQCIAqarIoET6aZDATLbRVyuBOZv+ioSYR6aw8TOosmr3r2AiANXlSjqLGrBHOdfF3GIG2Ym4hNr+nfN02btfo+En5cUQ==
secret_references: []


Hi Julia,

Just in case it makes any difference I have completely re-installed the fleet server. I also deleted the policy and recreated it. See the yaml below.

Unfortunately the fleet server now says this when I check its status.

 elastic-agent status
┌─ fleet
│  └─ status: (FAILED) fail to checkin to fleet-server: all hosts failed: 1 error occurred:
│         * requester 0/1 to host https://localhost:8221/ errored: Post "https://localhost:8221/api/fleet/agents/59b04f6b-4744-4a28-b1b5-8fd4e083a19b/checkin?": dial tcp 127.0.0.1:8221: connect: connection refused
│
│
└─ elastic-agent
   ├─ status: (DEGRADED) 1 or more components/units in a failed state
   ├─ beat/metrics-monitoring
   │  ├─ status: (HEALTHY) Healthy: communicating with pid '55491'
   │  ├─ beat/metrics-monitoring
   │  │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
   │  └─ beat/metrics-monitoring-metrics-monitoring-beats
   │     └─ status: (STARTING) Starting
   ├─ filestream-monitoring
   │  ├─ status: (HEALTHY) Healthy: communicating with pid '55477'
   │  ├─ filestream-monitoring
   │  │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
   │  └─ filestream-monitoring-filestream-monitoring-agent
   │     └─ status: (STARTING) Starting
   ├─ fleet-server-default
   │  ├─ status: (HEALTHY) Healthy: communicating with pid '55440'
   │  ├─ fleet-server-default
   │  │  └─ status: (FAILED) can not convert 'object' into 'string' accessing 'output.elasticsearch.ssl.certificate'
   │  └─ fleet-server-default-fleet-server-fleet_server-355fc92f-6a7b-444e-a10a-7d4027da7362
   │     └─ status: (FAILED) can not convert 'object' into 'string' accessing 'output.elasticsearch.ssl.certificate'
   └─ http/metrics-monitoring
      ├─ status: (HEALTHY) Healthy: communicating with pid '55503'
      ├─ http/metrics-monitoring
      │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
      └─ http/metrics-monitoring-metrics-monitoring-agent
         └─ status: (STARTING) Starting

This was my install command

./elastic-agent install --url=https://rhoslog01.agriculture.gov.ie:8220 --fleet-server-es=https://rhoslog01.agriculture.gov.ie:9200 --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MTEzNzcwNzg4MjQ6M1NMcV96VGZSdC1vU00xUkRvd1lLZw --fleet-server-policy=fleet-server-policy --fleet-server-es-ca=/etc/elasticsearch/certs/elastic-stack-ca.crt  --fleet-server-cert=/etc/elasticsearch/certs/fleet-server/fleet-server.crt --fleet-server-cert-key=/etc/elasticsearch/certs/fleet-server/fleet-server.key --certificate-authorities=/etc/elasticsearch/certs/elastic-stack-ca.crt --fleet-server-port=8220 --fleet-server-host=rhoslog01.agriculture.gov.ie

The new fleet-server-policy

id: fleet-server-policy
revision: 1
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'https://rhoslog01.agriculture.gov.ie:9200'
    preset: balanced
fleet:
  hosts:
    - 'https://rhoslog01.agriculture.gov.ie:8220'
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloud_defend-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat_input-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat_input-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_elastic_collector-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_elastic_symbolizer-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_host_agent-default
          privileges:
            - auto_configure
            - create_doc
    _elastic_agent_checks:
      cluster:
        - monitor
    d18ff72d-49dc-485c-899a-ead4bd942dad:
      indices: []
    3966f512-d768-40b7-b6ad-e42f0a656c59:
      indices:
        - names:
            - logs-system.auth-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-system.syslog-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-system.application-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-system.security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-system.system-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.cpu-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.diskio-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.filesystem-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.fsstat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.load-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.memory-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.network-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.process-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.process.summary-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.socket_summary-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-system.uptime-default
          privileges:
            - auto_configure
            - create_doc
agent:
  download:
    sourceURI: 'https://artifacts.elastic.co/downloads/'
  monitoring:
    enabled: true
    use_output: default
    namespace: default
    logs: true
    metrics: true
  features: {}
  protection:
    enabled: false
    uninstall_token_hash: DZPSZoOK9j7xUqKsdRQ0XYLpFDtO02Y3d+Pa1cwcobE=
    signing_key: >-
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhmDF64wHjP4cbXoCNwkl16IoGlJ5GFS9mDVvQJp/VMyiLqkkDznz7f4srOpPzpBKSBxgPbifuBXM5iPdto7ZwA==
inputs:
  - id: fleet-server-fleet_server-d18ff72d-49dc-485c-899a-ead4bd942dad
    name: fleet_server-1
    revision: 1
    type: fleet-server
    use_output: default
    meta:
      package:
        name: fleet_server
        version: 1.5.0
    data_stream:
      namespace: default
    package_policy_id: d18ff72d-49dc-485c-899a-ead4bd942dad
    unused_key: not_used
  - id: logfile-system-3966f512-d768-40b7-b6ad-e42f0a656c59
    name: system-1
    revision: 1
    type: logfile
    use_output: default
    meta:
      package:
        name: system
        version: 1.54.0
    data_stream:
      namespace: default
    package_policy_id: 3966f512-d768-40b7-b6ad-e42f0a656c59
    streams:
      - id: logfile-system.auth-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.auth
          type: logs
        ignore_older: 72h
        paths:
          - /var/log/auth.log*
          - /var/log/secure*
        exclude_files:
          - \.gz$
        multiline:
          pattern: ^\s
          match: after
        tags:
          - system-auth
        processors:
          - add_locale: null
          - rename:
              fields:
                - from: message
                  to: event.original
              ignore_missing: true
              fail_on_error: false
          - syslog:
              field: event.original
              ignore_missing: true
              ignore_failure: true
      - id: logfile-system.syslog-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.syslog
          type: logs
        paths:
          - /var/log/messages*
          - /var/log/syslog*
          - /var/log/system*
        exclude_files:
          - \.gz$
        multiline:
          pattern: ^\s
          match: after
        processors:
          - add_locale: null
        tags: null
        ignore_older: 72h
  - id: winlog-system-3966f512-d768-40b7-b6ad-e42f0a656c59
    name: system-1
    revision: 1
    type: winlog
    use_output: default
    meta:
      package:
        name: system
        version: 1.54.0
    data_stream:
      namespace: default
    package_policy_id: 3966f512-d768-40b7-b6ad-e42f0a656c59
    streams:
      - id: winlog-system.application-3966f512-d768-40b7-b6ad-e42f0a656c59
        name: Application
        data_stream:
          dataset: system.application
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
      - id: winlog-system.security-3966f512-d768-40b7-b6ad-e42f0a656c59
        name: Security
        data_stream:
          dataset: system.security
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
      - id: winlog-system.system-3966f512-d768-40b7-b6ad-e42f0a656c59
        name: System
        data_stream:
          dataset: system.system
          type: logs
        condition: '${host.platform} == ''windows'''
        ignore_older: 72h
  - id: system/metrics-system-3966f512-d768-40b7-b6ad-e42f0a656c59
    name: system-1
    revision: 1
    type: system/metrics
    use_output: default
    meta:
      package:
        name: system
        version: 1.54.0
    data_stream:
      namespace: default
    package_policy_id: 3966f512-d768-40b7-b6ad-e42f0a656c59
    streams:
      - id: system/metrics-system.cpu-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.cpu
          type: metrics
        metricsets:
          - cpu
        cpu.metrics:
          - percentages
          - normalized_percentages
        period: 10s
      - id: system/metrics-system.diskio-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.diskio
          type: metrics
        metricsets:
          - diskio
        diskio.include_devices: null
        period: 10s
      - id: system/metrics-system.filesystem-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.filesystem
          type: metrics
        metricsets:
          - filesystem
        period: 1m
        processors:
          - drop_event.when.regexp:
              system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
      - id: system/metrics-system.fsstat-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.fsstat
          type: metrics
        metricsets:
          - fsstat
        period: 1m
        processors:
          - drop_event.when.regexp:
              system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
      - id: system/metrics-system.load-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.load
          type: metrics
        metricsets:
          - load
        condition: '${host.platform} != ''windows'''
        period: 10s
      - id: system/metrics-system.memory-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.memory
          type: metrics
        metricsets:
          - memory
        period: 10s
      - id: system/metrics-system.network-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.network
          type: metrics
        metricsets:
          - network
        period: 10s
        network.interfaces: null
      - id: system/metrics-system.process-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.process
          type: metrics
        metricsets:
          - process
        period: 10s
        process.include_top_n.by_cpu: 5
        process.include_top_n.by_memory: 5
        process.cmdline.cache.enabled: true
        process.cgroups.enabled: false
        process.include_cpu_ticks: false
        processes:
          - .*
      - id: >-
          system/metrics-system.process.summary-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.process.summary
          type: metrics
        metricsets:
          - process_summary
        period: 10s
      - id: >-
          system/metrics-system.socket_summary-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.socket_summary
          type: metrics
        metricsets:
          - socket_summary
        period: 10s
      - id: system/metrics-system.uptime-3966f512-d768-40b7-b6ad-e42f0a656c59
        data_stream:
          dataset: system.uptime
          type: metrics
        metricsets:
          - uptime
        period: 10s
signed:
  data: >-
    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
  signature: >-
    MEUCIQCrXVYfYplTJ5DF2OVvLpiytPsRQ6UaQ9Dyt62sZy6t9AIgK7vii5mpB5jGpMTle+WrtIp5atk+JEw2HHvg6K/TrQA=
secret_references: []

Any help/guidance much appreciated,

Kevin.

Thanks, it seems that the ssl cert options are not in the agent policy. If you do an elastic-agent diagnostics collect, do you find the elasticsearch.ssl.certificate option configured anywhere?

I found a similar issue with standalone agent discussed here, not sure if it helps: [Self-Managed]: No data for Standalone agent available when configured with logstash output · Issue #3959 · elastic/elastic-agent · GitHub
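One way to run the check suggested above over an unpacked diagnostics directory, as an added example that is not part of the original thread: it reports each YAML file and line where a `certificate` key holds nested keys rather than a single path string, together with the dotted path of that key. The function names `find_object_certs` and `make_sample` are hypothetical, the sample files are constructed, and the indentation-based walk assumes the space-indented block YAML that the diagnostics files use.

```shell
#!/bin/sh
# Added example: locate "certificate" keys that hold a nested value instead of
# a plain string in the YAML files of an unpacked elastic-agent diagnostics dir.

find_object_certs() {
    dir=$1
    find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do
        awk '
            # Number of leading spaces on a line.
            function indent(s,   t) { t = s; sub(/^ +/, "", t); return length(s) - length(t) }

            /^[ ]*(#.*)?$/ { next }          # skip blank and comment lines

            {
                ind = indent($0)

                # An empty "certificate:" key is resolved by the next content
                # line: deeper indentation means it holds a nested value.
                if (pending) {
                    if (ind > key_indent) {
                        child = $0; sub(/^ +/, "", child)
                        printf "%s:%d: %s has a nested value (first child: %s)\n", FILENAME, key_line, key_path, child
                    }
                    pending = 0
                }

                # Track the current key path with a stack ordered by indent.
                line = $0; sub(/^ +/, "", line)
                if (line ~ /^- /) { ind += 2; sub(/^- /, "", line) }
                if (line ~ /^[A-Za-z0-9_.-]+:( |$)/) {
                    key = line; sub(/:.*/, "", key)
                    while (depth > 0 && ind_at[depth] >= ind) depth--
                    depth++; ind_at[depth] = ind; name_at[depth] = key
                    if (line ~ /^certificate:[ ]*$/) {
                        key_path = name_at[1]
                        for (i = 2; i <= depth; i++) key_path = key_path "." name_at[i]
                        pending = 1; key_indent = ind; key_line = NR
                    }
                }
            }
        ' "$f"
    done
}

# Constructed sample input (not taken from the thread): one file where
# ssl.certificate is a mapping, one where it is a plain string.
make_sample() {
    mkdir -p "$1"
    cat > "$1/computed-config.yaml" <<'EOF'
outputs:
  default:
    type: elasticsearch
    ssl:
      certificate:
        certificate: /constructed/certs/fleet-server.crt
        key: /constructed/certs/fleet-server.key
      certificate_authorities:
        - /constructed/certs/ca.crt
EOF
    cat > "$1/local-config.yaml" <<'EOF'
fleet:
  ssl:
    certificate: <REDACTED>
    certificate_authorities:
      - /constructed/certs/ca.crt
    verification_mode: certificate
EOF
}

# Usage: sh this-script.sh /path/to/unpacked/diagnostics
if [ "$#" -gt 0 ]; then
    find_object_certs "$1"
fi
```

Lines such as `certificate: <REDACTED>` or `verification_mode: certificate` are not reported, because the value sits on the same line as the key.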

Hi Julia,

In the diagnostics directory I did the following find.

[root@rhoslog01 diagnostics]# find ./ -type f ( -iname *.yml ) | xargs grep certificate

find ./ -type f \( -iname \*.* \) | xargs grep certificate
./local-config.yaml:                    certificate_authorities:
./local-config.yaml:            certificate: <REDACTED>
./local-config.yaml:        certificate_authorities:
./local-config.yaml:        verification_mode: certificate
./pre-config.yaml:            certificate:
./computed-config.yaml:            certificate:
./components-expected.yaml:                                                    certificate:
./components-expected.yaml:                                    certificate:
./components-expected.yaml:                                    certificate_authorities:
./components-expected.yaml:                                    certificate:
./components-expected.yaml:                                    certificate:
./components-expected.yaml:                                    certificate:
./components-actual.yaml:                                                    certificate:
./components-actual.yaml:                                    certificate:
./components-actual.yaml:                                    certificate_authorities:
./components-actual.yaml:                                    certificate:
./components-actual.yaml:                                    certificate:
./components-actual.yaml:                                    certificate:
./state.yaml:                message: can not convert 'object' into 'string' accessing 'output.elasticsearch.ssl.certificate'
./state.yaml:                message: can not convert 'object' into 'string' accessing 'output.elasticsearch.ssl.certificate'
./state.yaml:                message: 'could not start output: failed to reload output: could not setup output certificates reloader: unpacking ''ssl'' config: can not convert ''object'' into ''string'' accessing ''elasticsearch.ssl.certificate'''
./state.yaml:                message: 'could not start output: failed to reload output: could not setup output certificates reloader: unpacking ''ssl'' config: can not convert ''object'' into ''string'' accessing ''elasticsearch.ssl.certificate'''
./state.yaml:                message: 'could not start output: failed to reload output: could not setup output certificates reloader: unpacking ''ssl'' config: can not convert ''object'' into ''string'' accessing ''elasticsearch.ssl.certificate'''
./components/filestream-monitoring/beat-rendered-config.yml:            certificate:
./components/beat-metrics-monitoring/beat-rendered-config.yml:            certificate:
./components/http-metrics-monitoring/beat-rendered-config.yml:            certificate:
./components/fleet-server-default/fleet-server.yml:            certificate_authorities:
./components/fleet-server-default/fleet-server.yml:            certificate:
./components/fleet-server-default/fleet-server.yml:                certificate: /etc/elasticsearch/certs/fleet-server/fleet-server.crt
./components/fleet-server-default/fleet-server.yml:                servercertificate: ""
./logs/elastic-agent-9db552/elastic-agent-20240325-2.ndjson:{"log.level":"error","@timestamp":"2024-03-25T15:35:24.984Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":601},"message":"Unit state changed fleet-server-default (CONFIGURING->FAILED): can not convert 'object' into 'string' accessing 'output.elasticsearch.ssl.certificate'","log":{"source":"elastic-agent"},"component":{"id":"fleet-server-default","state":"HEALTHY"},"unit":{"id":"fleet-server-default","type":"output","state":"FAILED","old_state":"CONFIGURING"},"ecs.version":"1.6.0"}
./logs/elastic-agent-9db552/elastic-agent-20240325-2.ndjson:{"log.level":"error","@timestamp":"2024-03-25T15:35:24.984Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":601},"message":"Unit state changed fleet-server-default-fleet-server-fleet_server-355fc92f-6a7b-444e-a10a-7d4027da7362 (STARTING->FAILED): can not convert 'object' into 'string' accessing 'output.elasticsearch.ssl.certificate'","log":{"source":"elastic-agent"},"component":{"id":"fleet-server-default","state":"HEALTHY"},"unit":{"id":"fleet-server-default-fleet-server-fleet_server-355fc92f-6a7b-444e-a10a-7d4027da7362","type":"input","state":"FAILED","old_state":"STARTING"},"ecs.version":"1.6.0"}
./logs/elastic-agent-9db552/elastic-agent-20240325-2.ndjson:{"log.level":"error","@timestamp":"2024-03-25T15:35:27.881Z","message":"could not start output","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"centralmgmt.V2-manager","log.origin":{"file.line":629,"file.name":"management/managerV2.go","function":"github.com/elastic/beats/v7/x-pack/libbeat/management.(*BeatV2Manager).reload"},"service.name":"filebeat","error":{"message":"failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'"},"ecs.version":"1.6.0","ecs.version":"1.6.0"}
./logs/elastic-agent-9db552/elastic-agent-20240325-2.ndjson:{"log.level":"error","@timestamp":"2024-03-25T15:35:27.881Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":601},"message":"Unit state changed filestream-monitoring (STARTING->FAILED): could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'","log":{"source":"elastic-agent"},"component":{"id":"filestream-monitoring","state":"HEALTHY"},"unit":{"id":"filestream-monitoring","type":"output","state":"FAILED","old_state":"STARTING"},"ecs.version":"1.6.0"}
./logs/elastic-agent-9db552/elastic-agent-20240325-2.ndjson:{"log.level":"error","@timestamp":"2024-03-25T15:35:28.282Z","message":"could not start output","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.logger":"centralmgmt.V2-manager","log.origin":{"file.line":629,"file.name":"management/managerV2.go","function":"github.com/elastic/beats/v7/x-pack/libbeat/management.(*BeatV2Manager).reload"},"service.name":"metricbeat","error":{"message":"failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'"},"ecs.version":"1.6.0","ecs.version":"1.6.0"}
./logs/elastic-agent-9db552/elastic-agent-20240325-2.ndjson:{"log.level":"error","@timestamp":"2024-03-25T15:35:28.282Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":601},"message":"Unit state changed beat/metrics-monitoring (STARTING->FAILED): could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'","log":{"source":"elastic-agent"},"component":{"id":"beat/metrics-monitoring","state":"HEALTHY"},"unit":{"id":"beat/metrics-monitoring","type":"output","state":"FAILED","old_state":"STARTING"},"ecs.version":"1.6.0"}
./logs/elastic-agent-9db552/elastic-agent-20240325-2.ndjson:{"log.level":"error","@timestamp":"2024-03-25T15:35:28.450Z","message":"could not start output","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"centralmgmt.V2-manager","log.origin":{"file.line":629,"file.name":"management/managerV2.go","function":"github.com/elastic/beats/v7/x-pack/libbeat/management.(*BeatV2Manager).reload"},"service.name":"metricbeat","error":{"message":"failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'"},"ecs.version":"1.6.0","ecs.version":"1.6.0"}
./logs/elastic-agent-9db552/elastic-agent-20240325-2.ndjson:{"log.level":"error","@timestamp":"2024-03-25T15:35:28.451Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":601},"message":"Unit state changed http/metrics-monitoring (STARTING->FAILED): could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'","log":{"source":"elastic-agent"},"component":{"id":"http/metrics-monitoring","state":"HEALTHY"},"unit":{"id":"http/metrics-monitoring","type":"output","state":"FAILED","old_state":"STARTING"},"ecs.version":"1.6.0"}
[root@rhoslog01 diagnostics]#

Which files should I share with you? Is there a way I can upload the entire diagnostics file to this discussion?

Best Regards,

Kevin.

I'm not sure there is a way to upload the zip file. If you could share the contents of the yaml files where certificate: appears, that would be helpful. Please redact any sensitive info.

Thanks Julia,

Here is the main yml I think.

./components/fleet-server-default/fleet-server.yml

[root@rhoslog01 diagnostics]# more ./components/fleet-server-default/fleet-server.yml
fleet:
    agent:
        id: c95e7349-c6fc-40f8-b600-bcdad91c5100
        version: 8.12.1
        logging:
            level: info
    host:
        id: ""
        name: ""
output:
    elasticsearch:
        protocol: https
        hosts:
            - rhoslog01.agriculture.gov.ie:9200
        path: ""
        headers: {}
        servicetoken: '[redacted]'
        servicetokenpath: ""
        proxyurl: ""
        proxydisable: false
        proxyheaders: {}
        tls:
            verification_mode: full
            certificate_authorities:
                - /etc/elasticsearch/certs/elastic-stack-ca.crt
            renegotiation: never
        maxretries: 3
        maxconnperhost: 128
        timeout: 1m30s
        maxcontentlength: 104857600
    extra: {}
inputs:
    - type: ""
      policy:
        id: ""
      server:
        host: rhoslog01.agriculture.gov.ie
        port: 8220
        internalport: 8221
        tls:
            enabled: null
            verificationmode: full
            versions: []
            ciphersuites: []
            cas: []
            certificate:
                certificate: /etc/elasticsearch/certs/fleet-server/fleet-server.crt
                key: '[redacted]'
            curvetypes: []
            clientauth: 0
        timeouts:
            read: 1m0s
            write: 10m0s
            idle: 30s
            readheader: 5s
            checkintimestamp: 30s
            checkinlongpoll: 5m0s
            checkinjitter: 30s
            checkinmaxpoll: 1h0m0s
        profiler:
            enabled: false
            bind: localhost:6060
        compressionlevel: 1
        compressionthresh: 1024
        limits:
            maxagents: 0
            policythrottle: 2ms
            maxheaderbytesize: 8192
            maxconnections: 0
            actionlimit:
                interval: 500µs
                burst: 100
                max: 0
                maxbody: 0
            checkinlimit:
                interval: 500µs
                burst: 4000
                max: 40000
                maxbody: 1048576
            artifactlimit:
                interval: 500µs
                burst: 4000
                max: 8000
                maxbody: 0
            enrolllimit:
                interval: 10ms
                burst: 100
                max: 200
                maxbody: 524288
            acklimit:
                interval: 500µs
                burst: 4000
                max: 8000
                maxbody: 2097152
            statuslimit:
                interval: 5ms
                burst: 200
                max: 400
                maxbody: 0
            uploadstartlimit:
                interval: 2s
                burst: 40
                max: 80
                maxbody: 5242880
            uploadendlimit:
                interval: 2s
                burst: 40
                max: 80
                maxbody: 1024
            uploadchunklimit:
                interval: 3ms
                burst: 40
                max: 80
                maxbody: 4194304
            deliverfilelimit:
                interval: 100ms
                burst: 40
                max: 80
                maxbody: 0
            getpgpkey:
                interval: 5ms
                burst: 25
                max: 50
                maxbody: 0
        runtime:
            gcpercent: 0
            memorylimit: 0
        bulk:
            flushinterval: 250ms
            flushthresholdcount: 2048
            flushthresholdsize: 1048576
            flushmaxpending: 8
        gc:
            scheduleinterval: 1h0m0s
            cleanupafterexpiredinterval: 30d
        instrumentation:
            enabled: false
            tls:
                skipverify: false
                servercertificate: ""
                serverca: ""
            environment: ""
            apikey: ""
            apikeypath: ""
            secrettoken: ""
            secrettokenpath: ""
            hosts: []
            globallabels: ""
            transactionsamplerate: ""
        staticpolicytokens:
            enabled: false
            policytokens: []
        pgp:
            upstreamurl: https://artifacts.elastic.co/GPG-KEY-elastic-agent
            dir: /opt/Elastic/Agent/data/elastic-agent-9db552/components/elastic-agent-upgrade-keys
      cache:
        numcounters: 0
        maxcost: 0
        actionttl: 0s
        enrollkeyttl: 0s
        artifactttl: 0s
        apikeyttl: 0s
        apikeyjitter: 0s
      monitor:
        fetchsize: 0
        polltimeout: 0s
logging:
    level: info
    tostderr: true
    tofiles: true
    pretty: false
    files: null
http:
    enabled: true
    host: unix:///opt/Elastic/Agent/data/tmp/UwGGXFL1il700DVAc6q-T-1Z9J1UjGMU.sock
    port: 5066
    user: ""
    securitydescriptor: ""
[root@rhoslog01 diagnostics]#

Here is /components/beat-metrics-monitoring/beat-rendered-config

features:
    features:
        fqdn:
            enabled: false
inputs: []
outputs:
    elasticsearch:
        api_key: <REDACTED>
        hosts:
            - https://10.2.134.121:9200
            - https://10.2.134.122:9200
            - https://10.2.134.123:9200
        preset: balanced
        ssl:
            ca_trusted_fingerprint: CBEA99D8A59F39F21FBEAA1BD3B2334D620EB408
            certificate:
                authorities:
                    - |
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
        type: elasticsearch

/components/filestream-monitoring/beat-rendered-config.yml and ./components/beat-metrics-monitoring/beat-rendered-config.yml have the same contents. See the diff command below.

diff ./components/filestream-monitoring/beat-rendered-config.yml ./components/beat-metrics-monitoring/beat-rendered-config.yml

Best Regards,

Kevin.

What stands out to me is that in /components/beat-metrics-monitoring/beat-rendered-config it looks wrong to have authorities below certificate; it should be ssl.certificate_authorities, like here: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [master] | Elastic
I don't see where that incorrect config is configured, whether it's a bug in agent or something wrong with the configuration.
Could you try to configure the certificate authorities in the Advanced YAML configuration as described in the guide?

outputs:
    elasticsearch:
        ssl:
            certificate:
                authorities:
                    - |
                      -----BEGIN CERTIFICATE-----

My teammate just noticed that this misconfiguration is there in the first message, so it looks incorrect in the agent policy.
Can you check in the Fleet UI / Output configuration? It is most likely wrongly configured as certificate.authorities instead of certificate_authorities.

Hi Julia,

I think we are getting close!

So from the GUI I see this. I go to this screen for that information -> http://rhoslog01.agriculture.gov.ie:5601/app/fleet/settings/outputs/fleet-default-output

I think when the yml file entries get read, the dot gets added instead of _

Below is the yml

features:
    features:
        fqdn:
            enabled: false
inputs: []
outputs:
    elasticsearch:
        api_key: <REDACTED>
        hosts:
            - https://10.X.YYY.ZZ1:9200
            - https://10.X.YYY.ZZ2:9200
            - https://10.X.YYY.ZZ3:9200
        preset: balanced
        ssl:
            ca_trusted_fingerprint: CBEA99D8A59F39F21FBEAA1BD3B2334D620EB408
            certificate:
                authorities:
                    - |
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
        type: elasticsearch

So the entries

inputs: []
outputs:
    elasticsearch:
        api_key: <REDACTED>
        hosts:
            - https://10.X.YYY.ZZ1:9200
            - https://10.X.YYY.ZZ2:9200
            - https://10.X.YYY.ZZ3:9200
        preset: balanced
        ssl:
            ca_trusted_fingerprint: CBEA99D8A59F39F21FBEAA1BD3B2334D620EB408
            certificate:
                authorities:
                    - |
                      -----BEGIN CERTIFICATE-----
                      MIIDSjCCAjKgAwIBAgIVANEFkHTzX9WraDrfYzs/1/Thg9PYMA0GCSqGSIb3DQEB
[... Stuff Cut ... ]

will get parsed as outputs.elasticsearch.ssl.certificate.authorities?

Is there a way we can get around this?

Best Regards,

Kevin.

Yes, this is the UI config, so you don't have anything in Advanced YAML configuration?

Yes, the issue is with certificate.authorities, we have to find where it is configured and fix it to be certificate_authorities. If it's not configured on the UI, I'm not sure where it's coming from.

Hi Julia,

To confirm I have nothing in Advanced YAML configuration.

Is it worth making the entries in there? If I do that will it overwrite the problem entries?

Best Regards,

Kevin.

I don't think it will override the problem entries.

Do you have any fleet related config in kibana.yml file?

Also, do you have anything other than the certificate itself in this file --fleet-server-cert=/etc/elasticsearch/certs/fleet-server/fleet-server.crt?

Hi Julia,

I tried pasting in the actual values for ssl.certificate_authorities. See attached screenshot. This did not work.

But it would appear that fleet server has the correct entry for certificate_authorities. See below.

[root@rhoslog01 diagnostics]# find ./ -type f \( -iname \*.yml \) | xargs grep certificate_authorities
./components/fleet-server-default/fleet-server.yml:            certificate_authorities:

The file ./components/fleet-server-default/fleet-server.yml is below. This comes from the diagnostics bundle.

[root@rhoslog01 diagnostics]# more ./components/fleet-server-default/fleet-server.yml
fleet:
    agent:
        id: 71267dc8-cfdd-4491-9986-add01931dcc3
        version: 8.12.1
        logging:
            level: info
    host:
        id: ""
        name: ""
output:
    elasticsearch:
        protocol: https
        hosts:
            - rhoslog01.agriculture.gov.ie:9200
        path: ""
        headers: {}
        servicetoken: '[redacted]'
        servicetokenpath: ""
        proxyurl: ""
        proxydisable: false
        proxyheaders: {}
        tls:
            verification_mode: full
            certificate_authorities:
                - /etc/elasticsearch/certs/elastic-stack-ca.crt
            renegotiation: never
        maxretries: 3
        maxconnperhost: 128
        timeout: 1m30s
        maxcontentlength: 104857600
    extra: {}
inputs:
    - type: ""
      policy:
        id: ""
      server:
        host: rhoslog01.agriculture.gov.ie
        port: 8220
        internalport: 8221
        tls:
            enabled: null
            verificationmode: full
            versions: []
            ciphersuites: []
            cas: []
            certificate:
                certificate: /etc/elasticsearch/certs/fleet-server/fleet-server.crt
                key: '[redacted]'
            curvetypes: []
            clientauth: 0
        timeouts:
            read: 1m0s
            write: 10m0s
            idle: 30s
            readheader: 5s
            checkintimestamp: 30s
            checkinlongpoll: 5m0s
            checkinjitter: 30s
            checkinmaxpoll: 1h0m0s
        profiler:
            enabled: false
            bind: localhost:6060
        compressionlevel: 1
        compressionthresh: 1024
        limits:
            maxagents: 0
            policythrottle: 2ms
            maxheaderbytesize: 8192
            maxconnections: 0
            actionlimit:
                interval: 500µs
                burst: 100
                max: 0
                maxbody: 0
            checkinlimit:
                interval: 500µs
                burst: 4000
                max: 40000
                maxbody: 1048576
            artifactlimit:
                interval: 500µs
                burst: 4000
                max: 8000
                maxbody: 0
            enrolllimit:
                interval: 10ms
                burst: 100
                max: 200
                maxbody: 524288
            acklimit:
                interval: 500µs
                burst: 4000
                max: 8000
                maxbody: 2097152
            statuslimit:
                interval: 5ms
                burst: 200
                max: 400
                maxbody: 0
            uploadstartlimit:
                interval: 2s
                burst: 40
                max: 80
                maxbody: 5242880
            uploadendlimit:
                interval: 2s
                burst: 40
                max: 80
                maxbody: 1024
            uploadchunklimit:
                interval: 3ms
                burst: 40
                max: 80
                maxbody: 4194304
            deliverfilelimit:
                interval: 100ms
                burst: 40
                max: 80
                maxbody: 0
            getpgpkey:
                interval: 5ms
                burst: 25
                max: 50
                maxbody: 0
        runtime:
            gcpercent: 0
            memorylimit: 0
        bulk:
            flushinterval: 250ms
            flushthresholdcount: 2048
            flushthresholdsize: 1048576
            flushmaxpending: 8
        gc:
            scheduleinterval: 1h0m0s
            cleanupafterexpiredinterval: 30d
        instrumentation:
            enabled: false
            tls:
                skipverify: false
                servercertificate: ""
                serverca: ""
            environment: ""
            apikey: ""
            apikeypath: ""
            secrettoken: ""
            secrettokenpath: ""
            hosts: []
            globallabels: ""
            transactionsamplerate: ""
        staticpolicytokens:
            enabled: false
            policytokens: []
        pgp:
            upstreamurl: https://artifacts.elastic.co/GPG-KEY-elastic-agent
            dir: /opt/Elastic/Agent/data/elastic-agent-9db552/components/elastic-agent-upgrade-keys
      cache:
        numcounters: 0
        maxcost: 0
        actionttl: 0s
        enrollkeyttl: 0s
        artifactttl: 0s
        apikeyttl: 0s
        apikeyjitter: 0s
      monitor:
        fetchsize: 0
        polltimeout: 0s
logging:
    level: info
    tostderr: true
    tofiles: true
    pretty: false
    files: null
http:
    enabled: true
    host: unix:///opt/Elastic/Agent/data/tmp/UwGGXFL1il700DVAc6q-T-1Z9J1UjGMU.sock
    port: 5066
    user: ""
    securitydescriptor: ""
[root@rhoslog01 diagnostics]#
[root@rhoslog01 diagnostics]# find ./ -type f \( -iname \*.yml \) | xargs grep certificate
./components/filestream-monitoring/beat-rendered-config.yml:            certificate:
./components/beat-metrics-monitoring/beat-rendered-config.yml:            certificate:
./components/http-metrics-monitoring/beat-rendered-config.yml:            certificate:
./components/fleet-server-default/fleet-server.yml:            certificate_authorities:
./components/fleet-server-default/fleet-server.yml:            certificate:
./components/fleet-server-default/fleet-server.yml:                certificate: /etc/elasticsearch/certs/fleet-server/fleet-server.crt
./components/fleet-server-default/fleet-server.yml:                servercertificate: ""
[root@rhoslog01 diagnostics]#

We still have the same problem with the certificates. See /opt/Elastic/Agent/elastic-agent status below.

[root@rhoslog01 diagnostics]# /opt/Elastic/Agent/elastic-agent status
┌─ fleet
│  └─ status: (HEALTHY) Connected
└─ elastic-agent
   ├─ status: (DEGRADED) 1 or more components/units in a failed state
   ├─ beat/metrics-monitoring
   │  ├─ status: (HEALTHY) Healthy: communicating with pid '8399'
   │  ├─ beat/metrics-monitoring
   │  │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
   │  └─ beat/metrics-monitoring-metrics-monitoring-beats
   │     └─ status: (STARTING) Starting
   ├─ filestream-monitoring
   │  ├─ status: (HEALTHY) Healthy: communicating with pid '8388'
   │  ├─ filestream-monitoring
   │  │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
   │  └─ filestream-monitoring-filestream-monitoring-agent
   │     └─ status: (STARTING) Starting
   └─ http/metrics-monitoring
      ├─ status: (HEALTHY) Healthy: communicating with pid '8409'
      ├─ http/metrics-monitoring
      │  └─ status: (FAILED) could not start output: failed to reload output: could not setup output certificates reloader: unpacking 'ssl' config: can not convert 'object' into 'string' accessing 'elasticsearch.ssl.certificate'
      └─ http/metrics-monitoring-metrics-monitoring-agent
         └─ status: (STARTING) Starting

The other certificates still don't have the ssl.certificate_authorities entry.

See ./components/filestream-monitoring/beat-rendered-config.yml below

more ./components/filestream-monitoring/beat-rendered-config.yml
features:
    features:
        fqdn:
            enabled: false
inputs: []
outputs:
    elasticsearch:
        api_key: <REDACTED>
        hosts:
            - https://10.2.134.121:9200
            - https://10.2.134.122:9200
            - https://10.2.134.123:9200
        preset: balanced
        ssl:
            ca_trusted_fingerprint: CBEA99D8A59F39F21FBEAA1BD3B2334D620EB408
            certificate:
                authorities:
                    - |
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
        type: elasticsearch

And see ./components/http-metrics-monitoring/beat-rendered-config.yml below

more ./components/http-metrics-monitoring/beat-rendered-config.yml
features:
    features:
        fqdn:
            enabled: false
inputs: []
outputs:
    elasticsearch:
        api_key: <REDACTED>
        hosts:
            - https://10.2.134.121:9200
            - https://10.2.134.122:9200
            - https://10.2.134.123:9200
        preset: balanced
        ssl:
            ca_trusted_fingerprint: CBEA99D8A59F39F21FBEAA1BD3B2334D620EB408
            certificate:
                authorities:
                    - |
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
        type: elasticsearch

Can these other configuration ymls be fixed? My guess is this is a bug BUT is there a manual workaround for now?

Best Regards,

Kevin.
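
The grep over the diagnostics bundle above shows which files mention `certificate` but not how the key is nested. As an added example (not part of the original posts and not Elastic's code), this standard-library Python sketch rebuilds dotted key paths from a rendered config and flags any `ssl.certificate` that is a mapping rather than a string, the condition the error message names. The mini-parser, function names and sample configs are assumptions constructed for illustration, and it handles only the block-style YAML seen in this thread.

```python
import re
import sys

# "key:" or "key: value" in block style; dotted keys are accepted as written.
KEY_LINE = re.compile(r"^(?P<key>[A-Za-z_][\w.-]*):(?:\s+(?P<value>.*))?$")
BLOCK_SCALAR = re.compile(r"^[|>][+-]?\d*$")   # "|", ">", "|-", ...


def flatten(yaml_text):
    """Return {dotted.path: kind}; kind is 'string', 'mapping', 'list' or 'empty'.

    Covers indented mappings, "- " list items and block scalars only.
    Flow collections such as {} or [] are treated as plain scalars.
    """
    kinds = {}
    stack = []            # (indent, key) for each mapping currently open
    block_indent = None   # indent of the line that opened a block scalar

    def open_path():
        return ".".join(key for _, key in stack)

    for raw in yaml_text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if block_indent is not None:
            if indent > block_indent:
                continue              # PEM text and other block-scalar content
            block_indent = None
        line_indent = indent
        if body.startswith("- "):
            while stack and stack[-1][0] > indent:
                stack.pop()
            if stack and kinds.get(open_path()) == "empty":
                kinds[open_path()] = "list"
            item = body[2:]
            indent += 2 + len(item) - len(item.lstrip())
            body = item.lstrip()
        if BLOCK_SCALAR.match(body):
            block_indent = line_indent
            continue
        match = KEY_LINE.match(body)
        if not match:
            continue                  # scalar list item such as a host URL
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if stack and kinds.get(open_path()) == "empty":
            kinds[open_path()] = "mapping"
        stack.append((indent, match.group("key")))
        value = match.group("value") or ""
        if BLOCK_SCALAR.match(value):
            block_indent = line_indent
        kinds[open_path()] = "string" if value else "empty"
    return kinds


def find_nested_ssl_certificate(yaml_text):
    """List (path, child_keys) for every ssl.certificate that is a mapping."""
    kinds = flatten(yaml_text)
    findings = []
    for path, kind in kinds.items():
        if path.split(".")[-2:] == ["ssl", "certificate"] and kind == "mapping":
            prefix = path + "."
            children = sorted(p[len(prefix):] for p in kinds
                              if p.startswith(prefix) and "." not in p[len(prefix):])
            findings.append((path, children))
    return findings


# Constructed samples: same shape as the rendered configs in the thread,
# with placeholder hosts and no real certificate material.
PEM = ("- |\n                      -----BEGIN CERTIFICATE-----\n"
       "                      <constructed placeholder>\n"
       "                      -----END CERTIFICATE-----\n")
HEAD = ("outputs:\n    elasticsearch:\n        hosts:\n"
        "            - https://es01.example.internal:9200\n        ssl:\n")
BAD = (HEAD + "            certificate:\n                authorities:\n"
       "                    " + PEM + "        type: elasticsearch\n")
GOOD = (HEAD + "            certificate_authorities:\n"
        "                " + PEM.replace(" " * 22, " " * 18)
        + "        type: elasticsearch\n")

if __name__ == "__main__":
    # Usage: python3 check_ssl_keys.py components/*/beat-rendered-config.yml
    texts = {name: open(name, encoding="utf-8").read() for name in sys.argv[1:]}
    for name, text in (texts or {"BAD": BAD, "GOOD": GOOD}).items():
        for path, children in find_nested_ssl_certificate(text):
            print(f"{name}: {path} is a mapping with keys {children}, expected a string")
```

The check is limited to `ssl.certificate`, so the `tls.certificate` mapping in fleet-server.yml is not reported.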