Here is my certs directory... I reused a few certs
Also key...
```text
root@stephenb-es-8-test:/etc/elasticsearch# ls -lRrt certs/
certs/:
total 20
drwxr-xr-x 2 root root 4096 Jul 16 04:11 ca
-rw------- 1 root root 2517 Jul 16 04:11 elastic-stack-ca.zip
-rw-rw-rw- 1 root root 3596 Jul 16 04:15 elastic-certificates.p12
drwxr-xr-x 2 root root 4096 Jul 16 04:23 http_cert
-rw------- 1 root root 2621 Jul 16 04:23 certificate-bundle.zip

certs/ca:
total 8
-rw-rw-rw- 1 root root 1675 Jul 16 04:11 ca.key
-rw-rw-rw- 1 root root 1200 Jul 16 04:11 ca.crt

certs/http_cert:
total 8
-rw-rw-rw- 1 root root 1679 Jul 16 04:23 http_cert.key
-rw-rw-rw- 1 root root 1200 Jul 16 04:23 http_cert.crt
```
IMPORTANT: (as @leandrojmp and I found out in another topic)
I also find the fingerprint does not always work the way we think, so in the Fleet Elasticsearch output I put the whole CA as shown in the docs. I highly recommend this for self-signed...
And here is the command I used to enroll the fleet on the same server and you can see I did not use --insecure and it installed fine..
Yes this should be easier.
```text
sbrown@stephenb-es-8-test:~/elastic-agent-8.14.3-linux-x86_64$ sudo ./elastic-agent install \
> --url=https://10.168.0.12:8220 \
> --fleet-server-es=https://10.168.0.12:9200 \
> --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MjExMDg5MTkzNTU6UWxHeFRfREJTZWV2QlJJbmRWZzcyUQ \
> --fleet-server-policy=4c1c90af-9cdf-47f7-8f29-1428c0ca1853 \
> --fleet-server-es-ca=/etc/elasticsearch/certs/ca/ca.crt \
> --certificate-authorities=/etc/elasticsearch/certs/ca/ca.crt \
> --fleet-server-cert=/etc/elasticsearch/certs/http_cert/http_cert.crt \
> --fleet-server-cert-key=/etc/elasticsearch/certs/http_cert/http_cert.key \
> --fleet-server-port=8220 \
> --fleet-server-es-cert=/etc/elasticsearch/certs/http_cert/http_cert.crt \
> --fleet-server-es-cert-key=/etc/elasticsearch/certs/http_cert/http_cert.key
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[=== ] Service Started [7s] Elastic Agent successfully installed, starting enrollment.
[ ] Waiting For Enroll... [10s] {"log.level":"info","@timestamp":"2024-07-16T05:49:40.228Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":480},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
[====] Waiting For Enroll... [12s] {"log.level":"info","@timestamp":"2024-07-16T05:49:42.233Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":865},"message":"Fleet Server - Starting","ecs.version":"1.6.0"}
[====] Waiting For Enroll... [16s] {"log.level":"info","@timestamp":"2024-07-16T05:49:46.236Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":846},"message":"Fleet Server - Running on policy with Fleet Server integration: 4c1c90af-9cdf-47f7-8f29-1428c0ca1853; missing config fleet.agent.id (expected during bootstrap process)","ecs.version":"1.6.0"}
[ ] Waiting For Enroll... [16s] {"log.level":"info","@timestamp":"2024-07-16T05:49:46.692Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":517},"message":"Starting enrollment to URL: https://10.168.0.12:8220/","ecs.version":"1.6.0"}
[ ===] Waiting For Enroll... [17s] {"log.level":"info","@timestamp":"2024-07-16T05:49:47.799Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":480},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-07-16T05:49:47.801Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":298},"message":"Successfully triggered restart on running Elastic Agent.","ecs.version":"1.6.0"}
Successfully enrolled the Elastic Agent.
[====] Done [18s]
Elastic Agent has been successfully installed.
sbrown@stephenb-es-8-test:~/elastic-agent-8.14.3-linux-x86_64$
```
Then to enroll an agent from another host I had to copy the ca.crt and reference it... (it seems like I should not have to, since I put the CA in the Elasticsearch Fleet output, but it seems I needed both...)
Yup, it is a lot... that is all with self-signed certs...
```text
sbrown@stephenb-inference-test:~/elastic-agent-8.14.3-linux-x86_64$ sudo ./elastic-agent install --url=https://10.168.0.12:8220 --enrollment-token=Q0lNbHVwQUJ2cUlnMmRpNTJCc2Q6emNLaVEybTVRRXV4LVJNQ3MtQlZjQQ== --certificate-authorities=/tmp/ca.crt
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[ ==] Service Started [7s] Elastic Agent successfully installed, starting enrollment.
[====] Waiting For Enroll... [7s] {"log.level":"info","@timestamp":"2024-07-16T06:36:34.506Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":517},"message":"Starting enrollment to URL: https://10.168.0.12:8220/","ecs.version":"1.6.0"}
[= ] Waiting For Enroll... [8s] {"log.level":"info","@timestamp":"2024-07-16T06:36:35.567Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":480},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-07-16T06:36:35.569Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":298},"message":"Successfully triggered restart on running Elastic Agent.","ecs.version":"1.6.0"}
Successfully enrolled the Elastic Agent.
[= ] Done [8s]
Elastic Agent has been successfully installed.
```
And then the logs and metrics show up...
Yes painful but there you go...
BUT if you use publicly signed certs from a recognized certificate authority... or use a CSR and the CAs are installed in your OS, most of this goes away...
And finally, the --insecure flag just means certificate validation is not performed... all comms are still via TLS... so you can make your choice.