How to use SSL certs with Fleet server - errors on startup

I get the following error trying to start Fleet server after installing it on my Logstash node:
Fleet Server - Error - x509: certificate signed by unknown authority","ecs.version":"1.6.0"

I'm attempting to use the self-signed certs, but what is the standard process for using SSL self-signed certs, AND what are the similar instructions if we want to use public/commercial SSL certs? I've tried to follow the basic guidelines, but a lot of those seem to be lacking as far as specific steps to generate, configure/use & renew SSL certs. One Elastic.co staffer even recently posted that he agrees that, especially, the info on how best to use the self-signed certs needs more documentation.

I was able to figure out how to produce and reference the "[server].key" file & ["server-plus-chain"].crt file in kibana.yml & point those items to my SSL-provider-generated key & cert+chain.

So, how do I do similar for Fleet server? I'm trying to use the included or self-generated certs, but I have a sort of "split setup"; here's the basic setup:

  1. 1 x Kibana/UI node, with a public ".com" SSL cert - example: "https://elk.myco.com:5601" -- also accessible internal-only, but nice to have that "browser-lock-Your-connection-is-secure" notice, and SSL securing the browser to Kibana connection; works fine.

  2. 1 x Logstash node, which I think I've got communicating internally okay over TLS and/or using "basic authentication," since I was able to pipe some "test" log indices & entries into the Elasticsearch nodes.

  3. 1 x Fleet server - attempting to install it on the Logstash node; all of our stuff is internal-only, so no need really for external/public access or SSL certs (except Kibana).
    If I recall, during install from the Kibana UI, the Fleet integration section asks for an Elasticsearch node (I have 3, but had to choose 1; not sure that you can choose more than one). And there are some docs mentioning to "copy the self-signed certs from the Elastic cluster to the other nodes, such as Fleet & Logstash"; but then there's the matter of making those self-signed certs "trusted" - something about placing the certs in the right location and "re-loading" the CA module in the OS, so that it loads the self-signed certs into its cache, i.e. "elastic-ca.pem" (or whatever the CA is for your cluster).

  4. 3 x Elasticsearch nodes - all seem to be running fine & using internal TLS.

So, in general, Logstash node can talk to and send data to the Elastic nodes, but Fleet has yet to start cleanly. Since I have a separate Logstash/Fleet node (these both live on same server), do I also need to generate an internal cert 'from' the Logstash node & reference that? What am I missing? Thanks in advance for any help; and please let me know what else you may need from me, in order to pinpoint the issue.
