Is there a way to ease installing fleet server to a elasticsearch server secured by self-signed certificate

Elastic Observability
1

Hi,

I just tried installing fleet server to a elasticsearch server secured by self-signed certificate. And I get an error message:

app@fs00:~/elastic-agent-7.14.0-linux-x86_64$ sudo ./elastic-agent install -f --fleet-server-es=https://10.1.26.70:9200 --fleet-server-service-token=......
....
....
cmd/enroll_cmd.go:701 Fleet Server - Error - x509: cannot validate certificate for 10.1.26.70 because it doesn't contain any IP SANs

I know a valid certificate is important for production env. But as I just want to do a POC test, is there a way to bypass this validation? For example, set "none" or "certificate" to certain ssl validation settings.

Thanks!

2

I'm also interested if someone can helps!

Thanks a lot!

3

Hi there,

Just add --insecure to the command line, see How to deploy an elastic-agent in fleet against an elasticsearch with a self-signed certificate? where I described a further obstacle.

Best regards
Robert

4

Thanks for your reply. I have tried --insecure but failed. As I understand, --insecure is used by agent to bypass the verification of the self-signed certs used by fleet server. It does not work for the communication between fleet server and elasticsearch. At least it does not work for the IP based access.

Update: I have seen other post mentioned that --insecure is worked for early versions. For 7.14 it seems does not work.

Best regards,
Roy

5

Read the discussion here, it describes how the output settings must be configured in the Fleet settings flyout in Kibana.

6

Thanks for your reply, but this not solve the problem.
My configuration.

fleet settings
fleet settings925×714 49.3 KB

The command for enrolling

elastic-agent enroll --url=https://IP of the machine:9201
-f
--fleet-server-es=https://IP of the machine:9200
--fleet-server-service-token= token
--fleet-server-policy=policy ID
--certificate-authorities= path to CA (of fleet server in pem format)
--fleet-server-es-ca=path to CA (of elasticsearch in pem format)
--fleet-server-cert=path to cert in pem format
--fleet-server-cert-key=path to key in pem format

I've tried also with --insecure flag

But the same error persist Fleet Server - Error - x509: cannot validate certificate for *machine ip* because it doesn't contain any IP SANs

7

I've found a solution, the problem is on elasticsearch side.
When you create a certificate for elasticsearch you must specify a SAN (with IP or DNS record name).
I've followed this guide for creating a self signed certificate with SAN specified.

https://andreapavone.com/2021/02/self-signed-ssl-certificate-custom-root-ca/

When you create the SAN file configuration you can specify DNS.x or IP.x where x is the number of SAN record

Best regards
Nick

8

Hi Nick,
Thanks for your solution. A well-formed certificate together with customized certificate-authorities would fullfill the requirment of Fleet Server. But the requirement of a valid certificate still exist. And according to my experience, it is more strict than other components of Elastic Stack. The requirment rise the learning curve for fleet and agent.

Best regards
Roy