Installed Elastic-Agent cannot be removed

So, I have a self-hosted ELK Stack (v. 8.11) in which I've been working for a few weeks.
I've configured the certificates using the elasticsearch-certutil util and Elastic + Kibana are working fine.

After that I wanted to configure a Fleet server. I followed these steps given to me by my ELK instance in the Add a Fleet Server page:

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.11.3-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.11.3-linux-x86_64.tar.gz
cd elastic-agent-8.11.3-linux-x86_64
sudo ./elastic-agent install \
  --fleet-server-es=http://MY-IP-ADDRESS:9200 \
  --fleet-server-service-token=MY_ENROLLMENT_TOKEN \
  --fleet-server-policy=fleet-server-policy \
  --fleet-server-port=8220

After running this I got an error which said.

"log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":807},"message":"Fleet Server - Error - failed version compatibility check with elasticsearch: tls: failed to verify certificate: x509: certificate signed by unknown authority","ecs.version":"1.6.0"}

So I started looking to correct that by generating the certificates and prepared the following command to run the installation again (Please note that, at this point, the Fleet Server waiting for a connection from the agent was still waiting, of course). The command was:

sudo ./elastic-agent install \
  --fleet-server-es=https://MY-IP-ADDRESS:9200 \
  --fleet-server-service-token=MY-ENROLLMENT-TOKEN \
  --fleet-server-policy=fleet-server-policy \
  --fleet-server-es-ca=/etc/elasticsearch/certs/http_ca.crt \
  --certificate-authorities=/etc/ssl/fleet/ca/ca.crt \
  --fleet-server-cert=/etc/ssl/fleet/fleet-server/fleet-server.crt \
  --fleet-server-cert-key=/etc/ssl/fleet/fleet-server/fleet-server.key \
  --fleet-server-port=8220

After running that I got this error:
Error: already installed at: /opt/Elastic/Agent

So I tried to run the uninstall command:
./elastic-agent uninstall --uninstall-token MY-ENROLLMENT-TOKEN
ERROR: Error: can only be uninstalled by executing the installed Elastic Agent at: /usr/bin/elastic-agent

In /usr/bin/ I ran:
elastic-agent uninstall
And got this error:
ERROR: Error: can only be uninstalled by executing the installed Elastic Agent at: /usr/bin/elastic-agent
again.

At this point I'm not sure how or why this is happening. If maybe I could find a way to configure the settings on the agent I wouldn't need to go through the hassle of finding a way to uninstall it. I've been trying to find a way to solve this but I didn't touch too much since I don't want to cause more errors.

Is there a way to force uninstalling it?

Thanks!

1 Like

I found this:

I'll give updates.

Hi @ghuie

The proper uninstall command per the docs is only

sudo /opt/Elastic/Agent/elastic-agent uninstall

First try that...

Not running ./elastic-agent uninstall from the original install directory; that will not work.

When I see others get in this state, you need to manually clean up (clean up the /opt/Elastic/Agent directory etc.) ... then reinstall and then uninstall properly.

Ohh... And Welcome to the Community!

1 Like

Hi Stephen! Thanks for the quick reply.

I've tried that also just after I posted the problem, but to no effect. It keeps insisting that I do this: elastic-agent uninstall from /usr/bin/

What I did was delete the process at systemd/system and the agent from /opt/.
To be honest, it's not the way I like to do things but I could not find any other way. After I did that, I ran: sudo ./elastic-agent install from the original installation directory just to see if I get an error or the interactive questions to configure the Agent; I got the questions. That makes me think that maybe now the installation will continue.

I agree, it's not a great way.... but it is key to run the correct uninstall command because the Agent gets installed in /opt/Elastic/Agent, so the uninstall needs to run from there... hopefully that makes sense...

If you try to run it from the directory that you untarred into, that will not work for sure and will leave you in an inconsistent state...

Similar situation here

1 Like

Oh sorry; what I meant to say is that I did try to run the uninstall command from both, /usr/bin/ and /opt/Elastic/Agent, but it didn't matter the locations from which I was trying to run the command, the error was the same: Error: can only be uninstalled by executing the installed Elastic Agent at: /usr/bin/elastic-agent.

If I understand correctly that was what you were suggesting.

1 Like

Right! But that typically happens when the wrong command is run first...
Once you do that, the agent is left in an inconsistent state; then trying to run /opt/Elastic/Agent/elastic-agent uninstall will not work either.

I speak of this from 1st hand experience :wink:

If you run the correct command 1st on a correctly installed agent, you should find that uninstall works....

So what I would do ... get a proper installation (or maybe it fails on connection or something) then uninstall correctly see if that works.

From the docs

To uninstall Elastic Agent, run the uninstall command from the directory where Elastic Agent is running:

You must run this command as the root user.

sudo /opt/Elastic/Agent/elastic-agent uninstall

1 Like

Oh ok, I get it now. I'll install the agent just to uninstall it to see if it's all OK then.

I'll keep you posted, thanks so much!

1 Like

@ghuie You are not the first ... nor the last to run into this... :slight_smile:

1 Like

BTW PR to get docs fixed

1 Like
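
For the manual cleanup discussed in this thread, a small check that nothing is left behind before re-running install (which otherwise stops with "already installed at: /opt/Elastic/Agent"), plus a guard that an uninstall is launched from the installed binary and not from the extracted tarball. This is an added example, not code from the posters or from Elastic; the unit-file path /etc/systemd/system/elastic-agent.service and the ROOT prefix argument are assumptions.

```shell
#!/bin/sh
# Added example: not part of the thread and not Elastic's own tooling.
# Paths /opt/Elastic/Agent and /usr/bin/elastic-agent come from the thread;
# the systemd unit path is an assumption.
AGENT_PATHS="/opt/Elastic/Agent /usr/bin/elastic-agent /etc/systemd/system/elastic-agent.service"

# agent_leftovers [ROOT]: list the install artefacts that still exist.
# ROOT is a hypothetical prefix for checking a scratch tree; "" = live system.
agent_leftovers() {
    for p in $AGENT_PATHS; do
        # -e follows symlinks; -L also catches a dangling link left behind
        if [ -e "$1$p" ] || [ -L "$1$p" ]; then echo "$p"; fi
    done
}

# agent_state [ROOT]: prints absent | installed | partial.
# "partial" means a manual cleanup missed something, or an install is half done.
agent_state() {
    n=$(agent_leftovers "$1" | wc -l | tr -d ' ')
    case "$n" in
        0) echo absent ;;
        3) echo installed ;;
        *) echo partial ;;
    esac
}

# is_installed_binary BIN [ROOT]: succeeds only when BIN is the installed
# agent or the /usr/bin launcher, i.e. not the copy in the untarred directory.
is_installed_binary() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    case "$dir/$(basename "$1")" in
        "$2/opt/Elastic/Agent/elastic-agent"|"$2/usr/bin/elastic-agent") return 0 ;;
        *) return 1 ;;
    esac
}

# Report for the live system.
echo "state: $(agent_state "")"
agent_leftovers ""
```

Run it after removing the systemd unit and /opt/Elastic/Agent by hand: the state should read `absent` before the install command is tried again.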
