--insecure flag in fleet/elastic agent deployment to solve X509: certificate signed by unknown authority

Hello Stephen!

it worked!
you're such a legend!

here is what I did:
firstly I noticed that you are using 'elastic-agent-8.14.3'
and I was using 'elastic-agent-8.14.1'
so I did the upgrade and then installed it via this command:

sudo ./elastic-agent install --url=https://192.168.1.23:8220 \
  --fleet-server-es=https://192.168.1.15:9200 \
  --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MjExMTc2OTY5OTk6eGx0U3hBNUNRMVNERU9XNFlsTWRVQQ \
  --fleet-server-policy=fleet-server-policy \
  --certificate-authorities=/etc/elastic_certs/elasticsearch-ca.pem \
  --fleet-server-es-ca=/etc/elasticsearch-ca.pem \
  --fleet-server-cert=/etc/elastic_certs/fleet-server01.crt \
  --fleet-server-cert-key=/etc/elastic_certs/fleet-server01.key \
  --fleet-server-port=8220 \
  --fleet-server-es-cert=/etc/elastic_certs/fleet-server01.crt \
  --fleet-server-es-cert-key=/etc/elastic_certs/fleet-server01.key

but then I got this error: Elastic Agent enrollment fails on the host with x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
I read this Troubleshoot common problems | Fleet and Elastic Agent Guide [8.14] | Elastic
and this Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.14] | Elastic
And I remembered that my CA 'elastic-stack-ca.p12' is in p12 so I converted it, using OpenSSL:

openssl pkcs12 -in elastic-stack-ca.p12 -out cert.crt -clcerts -nokeys
openssl pkcs12 -in elastic-stack-ca.p12 -out private.key -nocerts -nodes

to get cert.crt and its private key private.key

then I went to generate the SSL certificate for fleet server using this command:

./bin/elasticsearch-certutil cert \
  --name fleet-server1 \
  --ca-cert cert.crt \
  --ca-key private.key \
  --dns fleet-server.HOMELAB.LAN \
  --ip 192.168.1.23 \
  --pem

so I got fleet-server1.crt and fleet-server1.key that I copied to my fleet server and installed my fleet server with success using this command

sudo ./elastic-agent install --url=https://192.168.1.23:8220 \
  --fleet-server-es=https://192.168.1.15:9200 \
  --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MjExMTc2OTY5OTk6eGx0U3hBNUNRMVNERU9XNFlsTWRVQQ \
  --fleet-server-policy=fleet-server-policy \
  --certificate-authorities=/etc/elastic_certs/cert.crt \
  --fleet-server-es-ca=/etc/elastic_certs/cert.crt \
  --fleet-server-cert=/etc/elastic_certs/fleet-server1.crt \
  --fleet-server-cert-key=/etc/elastic_certs/fleet-server1.key \
  --fleet-server-port=8220 \
  --fleet-server-es-cert=/etc/elastic_certs/fleet-server1.crt \
  --fleet-server-es-cert-key=/etc/elastic_certs/fleet-server1.key

and finally installed the agent on endpoints where I copied my cert.crt

using this command:

./elastic-agent install --url=https://192.168.1.23:8220 --enrollment-token=OGZQYnVwQUJFekdremM2S3N1Rzg6Ym5zc2VCVENTOUtjLTJjRG9ITXY3dw== --certificate-authorities=/home/ubuntu/Desktop/cert.crt 

and that solved it!

Thank you so much Stephen!

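The "doesn't contain any IP SANs" error above is Go's x509 verifier talking: elastic-agent is a Go program, and when `--url` names an IP address, Go matches that IP only against the certificate's IP SANs, never against the CN or a DNS SAN. The script below is an added example, not part of the post or of Elastic's tooling. It mints a throwaway PEM CA with OpenSSL (the same layout the post got by converting its p12), signs one certificate with only a DNS SAN and one with both DNS and IP SANs, and then runs a preflight check a practitioner can point at a real `fleet-server1.crt` before enrolling: does the cert chain to the CA, and does it list the IP used in `--url`? It assumes `openssl` is on PATH; the IP and DNS name are the values from the post.

```shell
#!/bin/sh
# Added example (not from the post): reproduce the SAN requirement elastic-agent's
# Go TLS client enforces. With an IP-based --url, only an IP SAN satisfies it.
# Assumptions: openssl on PATH; FLEET_IP / FLEET_DNS are the values from the post.
set -e

FLEET_IP="192.168.1.23"
FLEET_DNS="fleet-server.HOMELAB.LAN"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Mint a throwaway CA in PEM form (ca.crt + ca.key), the layout the post produced
# by converting elastic-stack-ca.p12 with openssl pkcs12.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 30 \
    -subj "/CN=Homelab test CA" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME SAN_LIST: sign NAME.crt with the CA, carrying the given subjectAltName.
# SAN_LIST uses openssl syntax, e.g. "DNS:host.example,IP:192.0.2.1".
issue_cert() {
  name="$1"; san="$2"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" \
    -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# has_ip_san CERT IP: succeed only if CERT lists IP as an IP SAN. The match is on the
# whole token, so 192.168.1.2 does not pass for 192.168.1.23.
has_ip_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^ *//' \
    | grep -qx "IP Address:$2"
}

# chains_to_ca CERT: the trust check that --certificate-authorities performs,
# minus hostname matching.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# preflight CERT URL: run before `elastic-agent install --url=URL`. Fails when the
# cert does not chain to the CA, or when URL's host is an IP the cert does not list.
preflight() {
  cert="$1"
  host="$(printf '%s' "$2" | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##')"
  chains_to_ca "$cert" || { echo "$cert: no chain to CA"; return 1; }
  case "$host" in
    *[!0-9.]*) return 0 ;;   # DNS host: matched against DNS SANs, not checked here
    *) has_ip_san "$cert" "$host" || { echo "$cert: no IP SAN for $host"; return 1; } ;;
  esac
}

make_ca
issue_cert dns-only "DNS:$FLEET_DNS"                    # reproduces the post's error
issue_cert fleet-server1 "DNS:$FLEET_DNS,IP:$FLEET_IP"  # what certutil --dns --ip produces
preflight "$WORK/dns-only.crt" "https://$FLEET_IP:8220" || echo "dns-only.crt would fail enrollment"
preflight "$WORK/fleet-server1.crt" "https://$FLEET_IP:8220" && echo "fleet-server1.crt is usable"
```

To use the preflight against a real deployment, point `chains_to_ca` at the converted CA file (the post's `cert.crt`) and run `preflight /etc/elastic_certs/fleet-server1.crt https://192.168.1.23:8220`; a failing check here is the same condition that the agent reports as "doesn't contain any IP SANs" at enrollment time.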