They do match what? Which secret are they copied from?
Wait. Just found out the tls.crt is empty. It works now. I will check if env is still needed. It doesn't make sense at all because all of these env are configurable at the elastic-node-apm settings. Will update.
One more thing. Can you please confirm if BOTH ELASTIC_APM_SECRET_TOKEN and ELASTIC_APM_SERVER_CA_CERT_FILE are needed? My impression, based on our past communication, is that only either one of them is needed?
They are both required. ELASTIC_APM_SERVER_URL is the address of the APM Server, ELASTIC_APM_SECRET_TOKEN is an auth token.
I meant ELASTIC_APM_SERVER_CA_CERT_FILE. Are both this and the ELASTIC_APM_SECRET_TOKEN needed at the same time?
Right. Yes those are both required too.
ELASTIC_APM_SERVER_CA_CERT_FILE is for verifying the server's TLS certificate. That's so the client can confirm that it is communicating with the correct server. ELASTIC_APM_SECRET_TOKEN is so the server knows the client is authorized to send data.
I'm not a Node.js expert, but I think that the system CA certificates are not used by default. The agent docs seem to suggest that bundled Mozilla CA certs are used by default.