Issue enrolling into fleet

Hello,

I seem to stumble on the issue of enrolling my agent securely into Fleet.
I've tried the FAQ where they suggest to install the agent first, and then enroll it into Fleet (upgrading the agent to a Fleet Server with the Fleet integration).

I get, depending on which configuration I attempt, errors like:

But most of the time I get the puzzling:

"error.message":"dial tcp [::1]:9200: connect: connection refused","
Which is odd, because it attempts to connect to the localhost IPv6 address. I've explicitly pointed the enroll/install at an IPv4 LAN IP address:

./elastic-agent enroll --url=https://LAN IP:8220 \
  --fleet-server-es=https://LAN IP:9200 \
  --fleet-server-service-token=<token> \
  --fleet-server-policy=<my-policy-name> \
  --fleet-server-es-ca-trusted-fingerprint=<fingerprint> \
  --certificate-authorities=/root/cert-workies-fleet/fleet-ca.crt \
  --fleet-server-cert=/root/cert-workies-fleet/vloot.crt \
  --fleet-server-cert-key=/root/cert-workies-fleet/vloot.key \
  --fleet-server-port=8220

Initially I attempted the full 2-way TLS config, but got the same errors.

Does anyone know how to fix this?

Thanks

EDIT:

detailed log extract:

{
	"log.level": "warn",
	"@timestamp": "2025-11-16T22:17:03.179Z",
	"message": "Failed Elasticsearch output configuration **test**, using bootstrap values.",
	"component": {
		"binary": "fleet-server",
		"dataset": "elastic_agent.fleet_server",
		"id": "fleet-server-default",
		"type": "fleet-server"
	},
	"log": {
		"source": "fleet-server-default"
	},
	"ecs.version": "1.6.0",
	"service.name": "fleet-server",
	"service.type": "fleet-server",
	"error.message": "dial tcp [::1]:9200: connect: connection refused",
	"output": {
		"Elasticsearch": {
			"Headers": null,
			"Hosts": [
				"localhost:9200"
			],
			"MaxConnPerHost": 128,
			"MaxContentLength": 104857600,
			"MaxRetries": 3,
			"Path": "",
			"Protocol": "https",
			"ProxyDisable": false,
			"ProxyHeaders": {},
			"ProxyURL": "",
			"ServiceToken": "[redacted]",
			"ServiceTokenPath": "",
			"TLS": {
				"CASha256": null,
				"CATrustedFingerprint": "<fingerprint>",
				"CAs": null,
				"Certificate": {
					"Certificate": "/root/cert-workies-fleet/elastiek.crt",
					"Key": "[redacted]",
					"Passphrase": "",
					"PassphrasePath": ""
				},
				"CipherSuites": null,
				"CurveTypes": null,
				"Enabled": null,
				"Renegotiation": "never",
				"VerificationMode": "full",
				"Versions": null
			},
			"Timeout": 90000000000
		},
		"Extra": null
	},
	"ecs.version": "1.6.0"
}
{
	"log.level": "error",
	"@timestamp": "2025-11-16T22:29:05.646Z",
	"message": "failed to fetch elasticsearch version",
	"component": {
		"binary": "fleet-server",
		"dataset": "elastic_agent.fleet_server",
		"id": "fleet-server-default",
		"type": "fleet-server"
	},
	"log": {
		"source": "fleet-server-default"
	},
	"ecs.version": "1.6.0",
	"service.name": "fleet-server",
	"service.type": "fleet-server",
	"error.message": "dial tcp [::1]:9200: connect: connection refused",
	"ecs.version": "1.6.0"
}
{
	"log.origin": {
		"function": "github.com/elastic/elastic-agent/internal/pkg/agent/cmd.waitForFleetServer.func1",
		"file.name": "cmd/enroll_cmd.go",
		"file.line": 844
	},
	"message": "Fleet Server - Error - open : no such file or directory reading <nil>",
	"ecs.version": "1.6.0"
}

Hi @f4n-1nh1b1t10n

You're leaving out the basics, which are important if you want help.

  1. What version are you on?
  2. How did you install Elasticsearch, Kibana, and Fleet?
  3. Is Fleet working?
  4. Are you using the self-signed certs?
  5. Is the Elastic Agent on the same host as Elasticsearch?
  6. Did you set the correct elasticsearch output url in the fleet settings? (Common Mistake, it defaults to localhost)

Perhaps look at this post about setting the default Elasticsearch and Fleet output:

Next, I would test connectivity from the host where the agent is running to Elasticsearch:

curl -v -k -u elastic https://<elasticip>:9200

What is the result of that?

  • Make sure that works; if not, your Elasticsearch is not reachable.
  • If this does work, set the correct Elasticsearch output in the Fleet Settings. Its default is http://localhost, which could be why you keep seeing the error—this is a common mistake.

Then, install the agent using the install command from the Kibana Fleet "Add Agent" flow, with the correct URL etc.

Hello Stephen,

Thanks for the help. I did leave out some crucial details.

To answer your questions:

  1. 8.19.6
  2. Elasticsearch, Kibana and Fleet are running in 3 VMs (vbox). These instances have their own (static) LAN IP addresses.
  3. No, I can install an agent but cannot get it to enroll in Fleet, meaning I cannot add the Fleet integration to the agent to upgrade it to a Fleet Server.
  4. Yes, I'm using my own self-signed CA and certificates for the transport & HTTP layer on Elasticsearch. Kibana also uses a self-signed certificate.
  5. No, the agent/Fleet Server is (going to be) running on the Fleet VM.
  6. Yes:

Curl output:

{
  "name" : "elastiek",
  "cluster_name" : "elastieken",
  "cluster_uuid" : "bxVdLMY9TVWTSExfM-lIsg",
  "version" : {
    "number" : "8.19.6",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "d2c42d91a1eb9e14b1a37c4d87eb2533ec859e2b",
    "build_date" : "2025-10-21T22:05:27.062491219Z",
    "build_snapshot" : false,
    "lucene_version" : "9.12.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

‘elastic-agent enroll’ uses a Fleet CA; do I need to add it somewhere in the Kibana Fleet output section?

Hi @f4n-1nh1b1t10n

I do not recommend doing it that way. Install the agent and Fleet at the same time...

Are you following these directions very closely? They do work if followed closely; I have done it myself.

These directions are very specific about the certs and setting the fleet output in the Fleet Settings in Kibana. I would start from the beginning and go step by step.

To encrypt traffic between Elastic Agents, Fleet Server, and Elasticsearch:

  1. Configure Fleet settings. These settings are applied to all Fleet-managed Elastic Agents.

  2. In Kibana, open the main menu, then click Management > Fleet > Settings.

  3. Under Fleet Server hosts, specify the URLs Elastic Agents will use to connect to Fleet Server. For example, https://192.0.2.1:8220, where 192.0.2.1 is the host IP where you will install Fleet Server.

For host settings, use the https protocol. DNS-based names are also allowed.

  1. Under Outputs, search for the default output, then click the Edit icon in the Action column.
  2. In the Hosts field, specify the Elasticsearch URLs where Elastic Agents will send data. For example, https://192.0.2.0:9200.
  3. Specify either a CA certificate or CA fingerprint to connect securely to Elasticsearch:
  • If you have a valid HEX encoded SHA-256 CA trusted fingerprint from root CA, specify it in the Elasticsearch CA trusted fingerprint field. To learn more, refer to the Elasticsearch security documentation.

And then further down it shows what a complete command looks like; it is "extra complete".

From the directory where you extracted Fleet Server, run the install command and specify the certificates to use.

The following command installs Elastic Agent as a service, enrolls it in the Fleet Server policy, and starts the service.

If you’re using DEB or RPM, or already have the Elastic Agent installed, use the enroll command along with the following options, then start the service as described in Start Elastic Agent.

sudo ./elastic-agent install \
   --url=https://192.0.2.1:8220 \
   --fleet-server-es=https://192.0.2.0:9200 \
   --fleet-server-service-token=AAEBAWVsYXm0aWMvZmxlZXQtc2XydmVyL3Rva2VuLTE2MjM4OTAztDU1OTQ6dllfVW1mYnFTVjJwTC2ZQ0EtVnVZQQ \
   --fleet-server-policy=fleet-server-policy \
   --fleet-server-es-ca=/path/to/elasticsearch-ca.crt \
   --certificate-authorities=/path/to/ca.crt \
   --fleet-server-cert=/path/to/fleet-server.crt \
   --fleet-server-cert-key=/path/to/fleet-server.key \
   --fleet-server-port=8220 \
   --elastic-agent-cert=/tmp/fleet-server.crt \
   --elastic-agent-cert-key=/tmp/fleet-server.key \
   --elastic-agent-cert-key-passphrase=/tmp/fleet-server/passphrase-file \
   --fleet-server-es-cert=/tmp/fleet-server.crt \
   --fleet-server-es-cert-key=/tmp/fleet-server.key \
   --fleet-server-client-auth=required

You can substitute in the trusted fingerprint in the correct places.
You can

Also, when I asked you to run the curl command... in the future please show the exact command and ALL the output. It is hard enough to debug via topics; providing partial info makes it much harder. (You can anonymize what is needed, just be consistent.)

I wanted to see the cert output as that is / was important... the -v shows whether the certs match or not...

But why don't you try above... first see how far you get

I would not try that method (install, then enroll); do it all at once as above.

There are some diagrams and details here as well that might help.

@stephenb thanks for the feedback!

Here is the full output of the curl command:

*   Trying 192.168.0.15:9200...
* Connected to 192.168.0.15 (192.168.0.15) port 9200 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=elastiek
*  start date: Nov 13 20:34:44 2025 GMT
*  expire date: Nov 13 20:34:44 2026 GMT
*  issuer: CN=elastic-ca; C=BE
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Host: 192.168.0.15:9200
> Authorization: Basic <b64>
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 530
<
{
  "name" : "elastiek",
  "cluster_name" : "elastieken",
  "cluster_uuid" : "bxVdLMY9TVWTSExfM-lIsg",
  "version" : {
    "number" : "8.19.6",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "d2c42d91a1eb9e14b1a37c4d87eb2533ec859e2b",
    "build_date" : "2025-10-21T22:05:27.062491219Z",
    "build_snapshot" : false,
    "lucene_version" : "9.12.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

I will restart this journey for Fleet from scratch. I did follow that guide, but maybe something went wrong.

Meanwhile, I was wondering if it is reasonable to assume you need different CAs (one for Elasticsearch, one for Fleet, one for the agents...) or if you can use one CA for all. I've seen the latter in this video, but I do not know if this would be the "right" approach.

You can have 1 CA which is a pretty standard approach.

And again you did not show me the full command so still hard for me to debug

Full command + full output every time! Only way to help

Anyways

It looks, from the certificate validation, like there is no IP address in your certificate, so it may not match... But I can't tell for sure because you did not show me the full command.

So run the curl without the -k

And show the full command + full output.

I never trust 3rd-party instructions, especially ones that are 2 years old, which is ancient in modern technology timelines.
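Stephen's point about the certificate possibly lacking the IP address can be checked offline, before touching Fleet at all. The script below is an added example and not part of this thread or of Elastic's tooling: it builds a throwaway CA and server certificate with openssl (the names and the 192.0.2.15 address are constructed for the demo), then check_cert_for_host verifies the chain against the CA file and confirms that the address a client will dial appears as an IP or DNS SAN. That is the same two-step curl performs: chain verification ("self-signed certificate in certificate chain" when the CA is not trusted) and name matching ("matched cert's IP address" when the SAN is present). It assumes openssl is installed.

```shell
#!/bin/sh
# Added example: confirm that a server certificate chains to the CA a client
# trusts AND lists the address the client will dial as a SAN. A chain that
# verifies but has no matching SAN still fails hostname verification.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="$(mktemp -d)"

# Constructed demo PKI: one CA and one server cert with an IP and a DNS SAN.
# The CN "elastiek" mirrors the thread; 192.0.2.15 is a documentation address.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=elastiek" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=IP:192.0.2.15,DNS:elastiek.example\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# check_cert_for_host CERT CA HOST
#   0: CERT verifies against CA and HOST is present as an IP or DNS SAN
#   1: chain does not verify (wrong or missing CA; curl reports
#      "self-signed certificate in certificate chain")
#   2: chain is fine but HOST is not in the SAN list (name mismatch)
check_cert_for_host() {
  cert="$1"; ca="$2"; host="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # Pull the SAN line and strip spaces so entries look like IPAddress:x or DNS:x
  san="$(openssl x509 -in "$cert" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')"
  case ",$san," in
    *",IPAddress:$host,"*|*",DNS:$host,"*) return 0 ;;
  esac
  return 2
}

make_demo_pki
for h in 192.0.2.15 elastiek.example 192.0.2.99; do
  rc=0; check_cert_for_host "$WORK/server.crt" "$WORK/ca.crt" "$h" || rc=$?
  echo "$h -> status $rc"
done
```

Against a real deployment, point check_cert_for_host at the Elasticsearch HTTP certificate, the CA file you intend to hand to `--fleet-server-es-ca`, and the exact IP or name used in `--fleet-server-es`; a status of 2 means the certificate needs to be reissued with that address in its SAN, not that the CA is wrong.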

@stephenb

Here is curl without -k:

root@vloot:~# curl -v -u elastic:$espwd https://192.168.0.15:9200
*   Trying 192.168.0.15:9200...
* Connected to 192.168.0.15 (192.168.0.15) port 9200 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I never trust 3rd-party instructions, especially ones that are 2 years old, which is ancient in modern technology timelines.

I will keep that in mind!

EDIT:

After updating the truststore on this Fleet VM…

root@vloot:/etc/certs# curl -v -u elastic:$espwd https://192.168.0.15:9200
*   Trying 192.168.0.15:9200...
* Connected to 192.168.0.15 (192.168.0.15) port 9200 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=elastiek
*  start date: Nov 13 20:34:44 2025 GMT
*  expire date: Nov 13 20:34:44 2026 GMT
*  subjectAltName: host "192.168.0.15" matched cert's IP address!
*  issuer: CN=elastic-ca; C=BE
*  SSL certificate verify ok.
* using HTTP/1.x
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Host: 192.168.0.15:9200
> Authorization: Basic
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 530
<
{
  "name" : "elastiek",
  "cluster_name" : "elastieken",
  "cluster_uuid" : "bxVdLMY9TVWTSExfM-lIsg",
  "version" : {
    "number" : "8.19.6",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "d2c42d91a1eb9e14b1a37c4d87eb2533ec859e2b",
    "build_date" : "2025-10-21T22:05:27.062491219Z",
    "build_snapshot" : false,
    "lucene_version" : "9.12.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host 192.168.0.15 left intact

EDIT2:
Tried the default install method; can't get anything done now (the --enrollment-token flag is optional; same result if I do not use it):

./elastic-agent install --url=https://192.168.0.14:8220 \
  --fleet-server-es=https://192.168.0.15:9200 \
  --fleet-server-service-token=token \
  --enrollment-token=token \
  --fleet-server-policy=fleet-main-ingestor \
  --fleet-server-es-ca-trusted-fingerprint=<fingerprint> \
  --certificate-authorities=/etc/certs/fleet-ca.crt \
  --fleet-server-cert=/etc/certs/vloot.crt \
  --fleet-server-cert-key=/etc/certs/vloot.key \
  --fleet-server-port=8220
[ ===] Waiting For Enroll...  [2m13s] Error: fleet-server failed: timed out waiting for Fleet Server to start after 2m0s
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.19/fleet-troubleshooting.html
[====] Uninstalled  [2m14s] Error uninstalling. Printing logs
2025-11-18T13:53:00.861Z        DEBUG   [install]       Loaded configuration from /root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml
2025-11-18T13:53:00.861Z        DEBUG   [install]       Merged configuration from /root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml into result
2025-11-18T13:53:00.861Z        DEBUG   [install]       Merged all configuration files from [/root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml], no external input files
2025-11-18T13:53:00.927Z        DEBUG   [install]       Loaded configuration from /root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml
2025-11-18T13:53:00.927Z        DEBUG   [install]       Merged configuration from /root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml into result
2025-11-18T13:53:00.927Z        DEBUG   [install]       Merged all configuration files from [/root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml], no external input files
2025-11-18T13:53:00.927Z        DEBUG   [install.composable]    Starting controller for composable inputs
2025-11-18T13:53:00.927Z        DEBUG   [install.composable]    Started controller for composable inputs
2025-11-18T13:53:00.927Z        DEBUG   [install.composable]    Computing new variable state for composable inputs
2025-11-18T13:53:00.927Z        DEBUG   [install.composable]    Stopping controller for composable inputs
2025-11-18T13:53:00.927Z        DEBUG   [install.composable]    Stopped controller for composable inputs
Error: enroll command failed for unknown reason: exit status 1

I went back even more basic, not creating a fleet policy in KIB beforehand, and now it just works?

root@vloot:~/elastic-agent-8.19.6-linux-x86_64# ./elastic-agent install --url=https://192.168.0.14:8220 \
  --fleet-server-es=https://192.168.0.15:9200 \
  --fleet-server-service-token=token \
  --fleet-server-policy=fleet-server-policy \
  --fleet-server-es-ca=/etc/certs/elastic-ca.crt \
  --certificate-authorities=/etc/certs/fleet-ca.crt \
  --fleet-server-cert=/etc/certs/vloot.crt \
  --fleet-server-cert-key=/etc/certs/vloot.key \
  --fleet-server-port=8220
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[    ] Service Started  [24s] Elastic Agent successfully installed, starting enrollment.
[ ===] Waiting For Enroll...  [27s] {"log.level":"info","@timestamp":"2025-11-18T15:20:37.740+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).daemonReloadWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":499},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
[=   ] Waiting For Enroll...  [29s] {"log.level":"info","@timestamp":"2025-11-18T15:20:39.828+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.waitForFleetServer.func1","file.name":"cmd/enroll_cmd.go","file.line":844},"message":"Fleet Server - Starting: spawned pid '22470'","ecs.version":"1.6.0"}
[=   ] Waiting For Enroll...  [33s] {"log.level":"info","@timestamp":"2025-11-18T15:20:43.832+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.waitForFleetServer.func1","file.name":"cmd/enroll_cmd.go","file.line":825},"message":"Fleet Server - Running on policy with Fleet Server integration: fleet-server-policy; missing config fleet.agent.id (expected during bootstrap process)","ecs.version":"1.6.0"}
[ ===] Waiting For Enroll...  [33s] {"log.level":"info","@timestamp":"2025-11-18T15:20:44.250+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).enrollWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":536},"message":"Starting enrollment to URL: https://192.168.0.14:8220/","ecs.version":"1.6.0"}
[  ==] Waiting For Enroll...  [35s] {"log.level":"info","@timestamp":"2025-11-18T15:20:45.684+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).daemonReloadWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":499},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-11-18T15:20:45.691+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).Execute","file.name":"cmd/enroll_cmd.go","file.line":317},"message":"Successfully triggered restart on running Elastic Agent.","ecs.version":"1.6.0"}
Successfully enrolled the Elastic Agent.
[  ==] Done  [35s]
Elastic Agent has been successfully installed.

I do not understand this any longer :dotted_line_face:

It was not a cert issue, but a fleet policy name issue?

@f4n-1nh1b1t10n Good....

So without a policy you just clicked the Add Fleet Server button then... good!

I am not exactly sure why it was not working before; you could try to debug...

Yes, perhaps your original Fleet policy is not correct / had an error, created before you updated the Fleet address in the Fleet settings etc., or you typo'd the token, not sure.

Then the steps above should have created a Fleet policy...

You could go and properly delete the agent.

Then go to the Fleet Policy and Add Agent and try again...

Or you could just move on. :slight_smile:

Glad you got it working

Thanks for the feedback/help!

I'm going to revert my snapshot and try again :sweat_smile:
Mainly because I want to enable full 2-way mTLS; I'll just keep adding parameters to get it to work. Let me know if I should close this thread (since the original issue is now ‘fixed’)?

We don't actually close topics; I marked it solved.

Let us know what you see. Two-way mTLS is a bit tougher, but doable, and it seems like you understand certs, so you should be able to do it. Follow the directions very closely.

@stephenb will do!

The familiar issue returns with my attempt at mTLS install

root@vloot:~/elastic-agent-8.19.6-linux-x86_64# ./elastic-agent install --url=https://192.168.0.14:8220 \
  --fleet-server-es=https://192.168.0.15:9200 \
  --fleet-server-service-token=token\
  --fleet-server-policy=fleet-server-policy \
  --fleet-server-es-ca=/etc/certs/elastic-ca.crt \
  --fleet-server-es-cert=/etc/certs/elastiek.crt \
  --fleet-server-es-cert-key=/etc/certs/elastiek.key \
  --certificate-authorities=/etc/certs/fleet-ca.crt, /etc/certs/agent-ca.crt \
  --fleet-server-cert=/etc/certs/vloot.crt \
  --fleet-server-cert-key=/etc/certs/vloot.key \
  --elastic-agent-cert=/etc/certs/agent.crt \
  --elastic-agent-cert-key=/etc/certs/agent.key \
  --fleet-server-port=8220 \
  --fleet-server-client-auth=required
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[ ===] Service Started  [30s] Elastic Agent successfully installed, starting enrollment.
[=== ] Waiting For Enroll...  [33s] {"log.level":"info","@timestamp":"2025-11-18T17:57:41.383+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).daemonReloadWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":499},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
[  ==] Waiting For Enroll...  [35s] {"log.level":"info","@timestamp":"2025-11-18T17:57:43.447+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.waitForFleetServer.func1","file.name":"cmd/enroll_cmd.go","file.line":844},"message":"Fleet Server - Error - open : no such file or directory reading <nil>","ecs.version":"1.6.0"}
[=== ] Waiting For Enroll...  [2m33s] Error: fleet-server failed: timed out waiting for Fleet Server to start after 2m0s
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.19/fleet-troubleshooting.html
[=   ] Uninstalled  [2m34s] Error uninstalling. Printing logs
[=   ] Uninstalled  [2m34s] 2025-11-18T16:59:41.703Z    DEBUG   [install]       Loaded configuration from /root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml
2025-11-18T16:59:41.703Z        DEBUG   [install]       Merged configuration from /root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml into result
2025-11-18T16:59:41.703Z        DEBUG   [install]       Merged all configuration files from [/root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml], no external input files
2025-11-18T16:59:41.774Z        DEBUG   [install]       Loaded configuration from /root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml
2025-11-18T16:59:41.774Z        DEBUG   [install]       Merged configuration from /root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml into result
2025-11-18T16:59:41.774Z        DEBUG   [install]       Merged all configuration files from [/root/elastic-agent-8.19.6-linux-x86_64/elastic-agent.yml], no external input files
2025-11-18T16:59:41.774Z        DEBUG   [install.composable]    Starting controller for composable inputs
2025-11-18T16:59:41.774Z        DEBUG   [install.composable]    Started controller for composable inputs
2025-11-18T16:59:41.774Z        DEBUG   [install.composable]    Computing new variable state for composable inputs
2025-11-18T16:59:41.774Z        DEBUG   [install.composable]    Stopping controller for composable inputs
2025-11-18T16:59:41.774Z        DEBUG   [install.composable]    Stopped controller for composable inputs
Error: enroll command failed for unknown reason: exit status 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.19/fleet-troubleshooting.html
root@vloot:~/elastic-agent-8.19.6-linux-x86_64#

I cannot explain this error,

"Fleet Server - Error - open : no such file or directory reading <nil>"

given that all CAs/certs/keys are present in /etc/certs

root@vloot:~/elastic-agent-8.19.6-linux-x86_64# ls -la /etc/certs/
total 44
drwxr-xr-x  2 root root 4096 Nov 18 17:32 .
drwxr-xr-x 68 root root 4096 Nov 18 17:23 ..
-rw-r--r--  1 root root 1915 Nov 18 17:18 agent-ca.crt
-rw-r--r--  1 root root 1513 Nov 18 17:17 agent.crt
-rw-r--r--  1 root root 1679 Nov 18 17:17 agent.key
-rw-r--r--  1 root root 1915 Nov 15 01:24 elastic-ca.crt
-rw-r--r--  1 root root 1505 Nov 15 02:34 elastiek.crt
-rw-r--r--  1 root root 1675 Nov 15 02:34 elastiek.key
-rw-r--r--  1 root root 1915 Nov 17 13:32 fleet-ca.crt
-rw-r--r--  1 root root 1513 Nov 17 13:08 vloot.crt
-rw-r--r--  1 root root 1675 Nov 17 13:08 vloot.key
root@vloot:~/elastic-agent-8.19.6-linux-x86_64#

Hmmm, not sure. I think perhaps the line is not formatted properly.

Perhaps take the space out... or surround with quotes; looking for an example.

Try with just one... to see then add the other...

Not Sure...

Holy moly, a space. A space did me in!

Thanks for all the help.

root@vloot:~/elastic-agent-8.19.6-linux-x86_64# ./elastic-agent install --url=https://192.168.0.14:8220 \
  --fleet-server-es=https://192.168.0.15:9200 \
  --fleet-server-service-token=token\
  --fleet-server-policy=fleet-server-policy \
  --fleet-server-es-ca=/etc/certs/elastic-ca.crt \
  --fleet-server-es-cert=/etc/certs/elastiek.crt \
  --fleet-server-es-cert-key=/etc/certs/elastiek.key \
  --certificate-authorities=/etc/certs/fleet-ca.crt,/etc/certs/agent-ca.crt \
  --fleet-server-cert=/etc/certs/vloot.crt \
  --fleet-server-cert-key=/etc/certs/vloot.key \
  --elastic-agent-cert=/etc/certs/agent.crt \
  --elastic-agent-cert-key=/etc/certs/agent.key \
  --fleet-server-port=8220 \
  --fleet-server-client-auth=required
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[=   ] Service Started  [30s] Elastic Agent successfully installed, starting enrollment.
[   =] Waiting For Enroll...  [32s] {"log.level":"info","@timestamp":"2025-11-18T18:42:44.009+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).daemonReloadWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":499},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
[=== ] Waiting For Enroll...  [34s] {"log.level":"info","@timestamp":"2025-11-18T18:42:46.084+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.waitForFleetServer.func1","file.name":"cmd/enroll_cmd.go","file.line":844},"message":"Fleet Server - Starting","ecs.version":"1.6.0"}
[=== ] Waiting For Enroll...  [38s] {"log.level":"info","@timestamp":"2025-11-18T18:42:50.085+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.waitForFleetServer.func1","file.name":"cmd/enroll_cmd.go","file.line":825},"message":"Fleet Server - Running on policy with Fleet Server integration: fleet-server-policy; missing config fleet.agent.id (expected during bootstrap process)","ecs.version":"1.6.0"}
[==  ] Waiting For Enroll...  [39s] {"log.level":"info","@timestamp":"2025-11-18T18:42:50.143+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).enrollWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":536},"message":"Starting enrollment to URL: https://192.168.0.14:8220/","ecs.version":"1.6.0"}
[   =] Waiting For Enroll...  [40s] {"log.level":"info","@timestamp":"2025-11-18T18:42:51.252+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).daemonReloadWithBackoff","file.name":"cmd/enroll_cmd.go","file.line":499},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
[   =] Waiting For Enroll...  [40s] {"log.level":"info","@timestamp":"2025-11-18T18:42:51.263+0100","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/cmd.(*enrollCmd).Execute","file.name":"cmd/enroll_cmd.go","file.line":317},"message":"Successfully triggered restart on running Elastic Agent.","ecs.version":"1.6.0"}
Successfully enrolled the Elastic Agent.
[  ==] Done  [40s]
Elastic Agent has been successfully installed.

@f4n-1nh1b1t10n COOL! Good job, mTLS is not trivial.

We are not the first, nor the last, to be blunted by syntax!

You're welcome!

In fairness, the tool did not help him here

The args after ./elastic-agent install are all

--something=value

except when the erroneous space crept in. I would have thought that would actually be a syntax error, and the installer would a) do nothing and b) return with some kind of “correct usage” info.

It really did not…

But I know you can also give the args in this way:

--fleet-key "value"

So I don't know if it needs better arg validation?

Or validate the args before the install of the agent?

EDIT:

For the agent part on, let's assume, a Windows device.
Regarding this documentation, more specifically the ssl.certificate config in Fleet outputs:

This certificate will be passed down to all the agents that have this output configured in their policy. This certificate is used by the agent when establishing mTLS to the output.

You may either apply the full certificate, in which case all the agents get the same certificate OR alternatively point to a local directory on the agent where the certificate resides, if the certificates are to be unique per agent.
ssl.certificate_authorities:
  - /path/to/ca
ssl.certificate: /path/to/cert
ssl.key: /path/to/cert_key

How do you specify this if your agents are a mix of Windows and Unix?
Given that the cert is IP-based, how can one cert fit all?
Or is this the Fleet cert that needs to be specified here?
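The space that broke the mTLS install, and the arg-validation idea raised earlier in this reply, can be made concrete. With `--certificate-authorities=/etc/certs/fleet-ca.crt, /etc/certs/agent-ca.crt`, the shell delivers two separate words to the installer: `--certificate-authorities=/etc/certs/fleet-ca.crt,` (trailing comma) and `/etc/certs/agent-ca.crt`. My reading of the failed run is that the trailing comma leaves an empty path in the list, and opening an empty path is exactly what Go reports as `open : no such file or directory`, the message that appeared in the log. The script below is an added example, not part of elastic-agent or of this thread: show_argv prints how the shell split a command line, and check_install_args runs over the `--flag=value` words before anything is installed, splitting comma lists, rejecting empty elements, whitespace and stray words, and confirming that each certificate path is readable. The flag names are the ones from the install commands in this thread; the demo paths are constructed and need not exist.

```shell
#!/bin/sh
# Added example (not part of elastic-agent): pre-flight validation of the
# path-carrying flags of an `elastic-agent install` command line, written to
# catch the "comma followed by a space" mistake from this thread before the
# agent is installed and the two-minute Fleet Server wait begins.
set -e

# show_argv: print each argument as the shell delivered it, so a list value
# that was split into two words is visible immediately.
show_argv() {
  i=0
  for a in "$@"; do
    i=$((i + 1))
    printf 'argv[%d]=<%s>\n' "$i" "$a"
  done
}

# check_install_args ARG...: returns the number of problems found (0 = clean).
# Flags that take file paths are checked; --certificate-authorities may be a
# comma-separated list, so every value is split on commas and each element
# must be non-empty and readable. Any word that is not --flag=value is a stray
# argument, which is what a space inside a list produces.
check_install_args() {
  problems=0
  for arg in "$@"; do
    case "$arg" in
      --certificate-authorities=*|--fleet-server-es-ca=*|\
      --fleet-server-cert=*|--fleet-server-cert-key=*|\
      --fleet-server-es-cert=*|--fleet-server-es-cert-key=*|\
      --elastic-agent-cert=*|--elastic-agent-cert-key=*)
        flag="${arg%%=*}"; value="${arg#*=}"
        case "$value" in
          ""|,*|*,|*,,*)
            echo "$flag: empty element in list <$value>" >&2
            problems=$((problems + 1)) ;;
        esac
        case "$value" in
          *' '*)
            echo "$flag: whitespace inside path list <$value>" >&2
            problems=$((problems + 1)) ;;
        esac
        # walk the comma-separated list without touching IFS
        rest="$value"
        while [ -n "$rest" ]; do
          p="${rest%%,*}"
          if [ "$p" = "$rest" ]; then rest=""; else rest="${rest#*,}"; fi
          if [ -n "$p" ] && [ ! -r "$p" ]; then
            echo "$flag: cannot read <$p>" >&2
            problems=$((problems + 1))
          fi
        done ;;
      --*=*) ;;   # other --flag=value options: nothing to check here
      *)
        echo "stray argument <$arg>: not --flag=value (space inside a list?)" >&2
        problems=$((problems + 1)) ;;
    esac
  done
  return "$problems"
}

# Demonstration on the exact shape of the thread's typo (constructed; the
# /etc/certs paths are the thread's and need not exist on this machine).
show_argv --certificate-authorities=/etc/certs/fleet-ca.crt, /etc/certs/agent-ca.crt
if check_install_args --certificate-authorities=/etc/certs/fleet-ca.crt, /etc/certs/agent-ca.crt; then
  echo "arguments look fine"
else
  echo "found $? problem(s); fix the command line before running elastic-agent install"
fi
```

To use it on a real command line, paste the same flags you intend to give `elastic-agent install` after `check_install_args`; a non-zero return means at least one path or list would have been mangled, and the messages on stderr say which flag. The check only covers file arguments, so a wrong policy name or service token is still something Fleet itself has to report.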