Fleet with own artifact registry fails because of external GPG validation

In an environment as described here (Air Gapped Env artifacts), I host my own artifact registry. It is also cleanly queried during the upgrade, see the log.
However, a GPG validation is attempted externally. But why? Where can I see more about this? What am I missing, except the settings in Fleet Management?

Log from the Elastic Agent that acts as Fleet Server.

Console Output

elastic-agent upgrade 8.10.4 --source-uri https://artifcats.mycompany.com:443
Error: Failed trigger upgrade of daemon: failed verification of agent binary: 2 errors occurred:
        * Get "https://artifacts.elastic.co/GPG-KEY-elastic-agent": dial tcp [IPV6]:443: connect: connection timed out
        * Get "https://artifacts.elastic.co/GPG-KEY-elastic-agent": dial tcp [IPV6]:443: connect: connection timed out
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.9/fleet-troubleshooting.html

Fleet-Server log:

11:14:35.385
elastic_agent
[elastic_agent][info] Upgrading agent
11:14:40.525
elastic_agent
[elastic_agent][info] download from https://artifacts.mycompany.com:443/beats/elastic-agent/elastic-agent-8.10.4-linux-x86_64.tar.gz completed in 5 seconds @ 112.2MBps
11:14:40.526
elastic_agent
[elastic_agent][info] download from https://artifacts.mycompany.com:443/beats/elastic-agent/elastic-agent-8.10.4-linux-x86_64.tar.gz.sha512 completed in Less than a second @ +InfYBps
11:14:41.619
elastic_agent
[elastic_agent][info] Default PGP being appended
11:19:06.685
elastic_agent
[elastic_agent][info] Default PGP being appended

I don't get why this happens; there is no explanation about handling signing.

Is this maybe an issue?

Even after doing the workaround as described here (Workaround),
I get an x509 error because the certificate is not issued to artifacts.elastic.co. Nowhere can I find a setting to disable the verification. I can't update the agents, neither from the command line nor from the Fleet WebUI.

12:12:42.212
elastic_agent
[elastic_agent][info] Default PGP being appended
12:12:43.316
elastic_agent
[elastic_agent][info] Default PGP being appended
12:12:43.358
elastic_agent
[elastic_agent][error] upgrade to version 8.10.4 failed: failed verification of agent binary: 2 errors occurred:
	* Get "https://artifacts.elastic.co/GPG-KEY-elastic-agent": x509: certificate is valid for artifacts.mycompany.com, not artifacts.elastic.co
	* Get "https://artifacts.elastic.co/GPG-KEY-elastic-agent": x509: certificate is valid for artifacts.mycompany.com, not artifacts.elastic.co

How is this supposed to work with a separate artifacts registry?

Seems related to this issue.

The simplest seems to be to uninstall the agent and reinstall it to version 8.10.3 or higher from scratch.
I haven't found another solution on my side with the same problem.

Thank you for your answer. I was almost afraid that this was the case. But I still almost can't believe it. It's going to be really hard, there are already some Elastic Agents rolled out.

Wouldn't the Option 2 described as a Workaround in the issue linked work in your case?
