--insecure when enrolling the agent into Fleet Server in a development environment. Due to some restrictions I cannot disclose, this development environment cannot connect to the CRL server.
However, in the current environment, curl -v https://my-server:8220/api/status returns fine on Unix OSes, since they do NOT check the CRL on connection establishment. The certificate and CA are already trusted at the OS level.
On Windows, even after I disabled the CRL check in Internet Settings and rebooted, curl still gives me this error:
schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.
Since elastic-agent and elastic-defend use Golang/libcurl (in cpp) and do NOT give that detailed information, it took me a lot of time to find the root cause.
Please also set --insecure to disable the OCSP and CRL checks, thanks.