Is there a way to ease installing fleet server to an elasticsearch server secured by a self-signed certificate

Hi,

I just tried installing fleet server to an elasticsearch server secured by a self-signed certificate, and I get an error message:

app@fs00:~/elastic-agent-7.14.0-linux-x86_64$ sudo ./elastic-agent install -f --fleet-server-es=https://10.1.26.70:9200 --fleet-server-service-token=......
....
....
cmd/enroll_cmd.go:701 Fleet Server - Error - x509: cannot validate certificate for 10.1.26.70 because it doesn't contain any IP SANs

I know a valid certificate is important for a production env. But as I just want to do a POC test, is there a way to bypass this validation? For example, set "none" or "certificate" in certain ssl validation settings.

Thanks!

I'm also interested if someone can help!

Thanks a lot!

Hi there,

Just add --insecure to the command line, see How to deploy an elastic-agent in fleet against an elasticsearch with a self-signed certificate? where I described a further obstacle.

Best regards
Robert

Thanks for your reply. I have tried --insecure but failed. As I understand, --insecure is used by the agent to bypass the verification of the self-signed certs used by fleet server. It does not work for the communication between fleet server and elasticsearch. At least it does not work for IP-based access.

Update: I have seen another post mentioning that --insecure worked for earlier versions. For 7.14 it seems it does not work.

Best regards,
Roy

Read the discussion here, it describes how the output settings must be configured in the Fleet settings flyout in Kibana.

Thanks for your reply, but this does not solve the problem.
My configuration:

The command for enrolling

elastic-agent enroll --url=https://<IP of the machine>:9201 \
  -f \
  --fleet-server-es=https://<IP of the machine>:9200 \
  --fleet-server-service-token=<token> \
  --fleet-server-policy=<policy ID> \
  --certificate-authorities=<path to CA of fleet server, PEM format> \
  --fleet-server-es-ca=<path to CA of elasticsearch, PEM format> \
  --fleet-server-cert=<path to cert, PEM format> \
  --fleet-server-cert-key=<path to key, PEM format>

I've tried also with --insecure flag

But the same error persists: Fleet Server - Error - x509: cannot validate certificate for *machine ip* because it doesn't contain any IP SANs

I've found a solution; the problem is on the elasticsearch side.
When you create a certificate for elasticsearch you must specify a SAN (with an IP or DNS record name).
I've followed this guide for creating a self-signed certificate with a SAN specified.

https://andreapavone.com/2021/02/self-signed-ssl-certificate-custom-root-ca/

When you create the SAN file configuration you can specify DNS.x or IP.x, where x is the number of the SAN record.

Best regards
Nick
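Nick's point can be reproduced outside the stack. The following is an added example, not code from this thread or from elastic-agent: it builds a constructed self-signed certificate (names made up, address taken from the first post) with and without an IP SAN and runs it through the same Go x509 hostname check that elastic-agent's TLS client applies when it dials an IP. The error text it returns for the missing-IP-SAN case is the one quoted above; neither --insecure nor a custom CA changes that outcome, because it is a name match, not a trust failure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed server certificate with a DNS SAN and, only when
// withIPSAN is set, an IP SAN for the address the client dials (names are constructed).
func makeCert(ip string, withIPSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "es.example.internal"}, // CN alone is not matched
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"es.example.internal"},
	}
	if withIPSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP(ip)} // what IP.1 in an OpenSSL SAN config produces
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForIP runs Go's x509 hostname check as if the server had been reached at ip
// and returns the check's error text, or "" when the certificate is acceptable.
func verifyForIP(ip string, withIPSAN bool) (string, error) {
	cert, err := makeCert(ip, withIPSAN)
	if err != nil {
		return "", err
	}
	if err := cert.VerifyHostname(ip); err != nil {
		return err.Error(), nil // e.g. "x509: cannot validate certificate for 10.1.26.70 because ..."
	}
	return "", nil
}
```

The same check is what an OpenSSL-generated certificate must satisfy: put the address you will enroll against under IP.x in the SAN section and the DNS name under DNS.x, then confirm with `openssl x509 -noout -ext subjectAltName -in <cert.pem>` before pointing the agent at it.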

Hi Nick,
Thanks for your solution. A well-formed certificate together with customized certificate-authorities would fulfill the requirement of Fleet Server. But the requirement of a valid certificate still exists. And according to my experience, it is more strict than other components of the Elastic Stack. The requirement raises the learning curve for fleet and agent.

Best regards
Roy