Insecure param does not completely disable verification

I use --insecure when enrolling an agent into Fleet Server in a development environment. Due to some restrictions I cannot disclose, this development environment cannot connect to the CRL server.

However, in the current environment, curl -v https://my-server:8220/api/status returns fine on Unix OSes, since they do NOT check the CRL on connection establishment. The certificate and CA are already trusted at the OS level.

On Windows, even after I disabled the CRL check in Internet Settings and rebooted, curl still gives me this error: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.

Since elastic-agent and elastic-defend use Golang/libcurl (in cpp) and do NOT give that detailed information, it took me a lot of time to find the root cause.

Please also set --insecure to disable the OCSP and CRL checks, thanks.

Update: After I generated a new certificate (all CAs and this certificate do NOT contain a CRL or OCSP endpoint) in a new environment, the error changes to 0x80092012 instead.
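
Added example, not part of the original post and not Elastic's code: a Go check that reads the CRL and OCSP endpoints a certificate advertises and maps them to the two Schannel errors reported above. The function names, the example.invalid URL and the in-memory certificate are constructed for illustration; the mapping assumes revocation checking is enabled and no revocation server is reachable, and it inspects a single certificate rather than the whole chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// offlineRevocationResult predicts the Schannel error seen in the post.
// Assumption: revocation checking is on and no revocation server is reachable;
// only this one certificate is inspected, not the whole chain.
func offlineRevocationResult(c *x509.Certificate) string {
	if len(c.CRLDistributionPoints)+len(c.OCSPServer) == 0 {
		return "0x80092012" // CRYPT_E_NO_REVOCATION_CHECK: no endpoint advertised
	}
	return "0x80092013" // CRYPT_E_REVOCATION_OFFLINE: endpoint set, server offline
}

// constructedCert builds a throwaway self-signed certificate (sample data).
func constructedCert(crlURLs, ocspURLs []string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "my-server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		CRLDistributionPoints: crlURLs,
		OCSPServer:            ocspURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := constructedCert([]string{"http://crl.example.invalid/ca.crl"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.CRLDistributionPoints, offlineRevocationResult(cert))
}
```

To inspect a real server certificate, decode its PEM file with encoding/pem and pass the DER bytes to x509.ParseCertificate in place of constructedCert.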
