I use --insecure when enrolling an agent into Fleet Server in a development environment. Due to some restrictions I am unable to describe, this development environment cannot connect to the CRL server.
However, in the current environment, curl -v https://my-server:8220/api/status returns fine on Unix OSes, since they do NOT check the CRL on connection establishment. The certificate and CA are already trusted at the OS level.
On Windows, even after I disabled the CRL check in Internet Settings and rebooted, curl still gives me this error: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.
Since elastic-agent and elastic-defend use Golang/libcurl (in cpp) and do NOT give that detailed information, it took me a lot of time to find the root cause.
Please also set --insecure to disable OCSP and CRL checks, thanks.
Update: After I generated a new certificate in a new environment (the CAs and this certificate do NOT contain a CRL or OCSP endpoint), the error changes to 0x80092012 instead.