Issues with Fleet Server (Elastic Agent Setup) in local Elasticsearch deployment with self signed certificates

Hello,

I'm trying to install Elastic Agent with a local ELK Environment and have no luck because of Fleet Server issues.

Server Info:

  • ELK on version 7.13.1 with self-signed certificates running in Docker containers on x64 Linux
  • Host for Elastic Agent does not seem to matter (tried both Windows / Linux)

I'm trying to add Elastic Agent but Fleet Server just produces all kinds of error messages:

First I simply followed the instructions to add an agent in Kibana

  1. Download Agent with correct Version for the correct OS
  2. Generate token
  3. copy and run the command

sudo ./elastic-agent install -f --fleet-server-es=https://[pc-name]:9200 --fleet-server-service-token=[token]

[timestamp] INFO cmd/enroll_cmd.go:300 Generating self-signed certificate for Fleet Server
[timestamp] INFO cmd/enroll_cmd.go:610 Waiting for Elastic Agent to start Fleet Server
[timestamp] INFO cmd/enroll_cmd.go:643 Fleet Server - Starting
[timestamp] INFO cmd/enroll_cmd.go:643 Fleet Server - Error - x509: certificate is not valid for any names, but wanted to match [pc-name]
[timestamp] INFO cmd/enroll_cmd.go:648 Fleet Server - Error - x509: certificate is not valid for any names, but wanted to match [pc-name]
[timestamp] INFO cmd/enroll_cmd.go:643 Fleet Server - Starting

Since there was a certificate issue I tried to add the parameter "--fleet-server-es-ca=[path-to-elasticsearch-root-ca]" but it entered into a loop of crashes/starts/restarts.
That happened every time I added this parameter to any command.

[timestamp] INFO cmd/enroll_cmd.go:300 Generating self-signed certificate for Fleet Server
[timestamp] INFO cmd/enroll_cmd.go:610 Waiting for Elastic Agent to start Fleet Server
[timestamp] INFO cmd/enroll_cmd.go:643 Fleet Server - Restarting
[timestamp] INFO cmd/enroll_cmd.go:648 Fleet Server - Restarting

Just adding "--insecure" which worked on 7.12.1 before we upgraded this setup to 7.13.1 did not work.
So I created certificates for the client in case that resolved the certificate issue.
The additional parameters "--fleet-server-cert" and "--fleet-server-cert-key" required the "--url" parameter and documentation mentioned that I would require the "--fleet-server-insecure-http" parameter.

sudo ./elastic-agent install -f --fleet-server-es=https://[pc-name]:9200/ --fleet-server-service-token=[token] --insecure --fleet-server-cert=[server.crt] --fleet-server-cert-key=[server.key] --url=https://[pc-name]:9243/ --fleet-server-insecure-http

[timestamp] INFO cmd/enroll_cmd.go:643 Fleet Server - Starting
[timestamp] INFO cmd/enroll_cmd.go:643 Fleet Server - Error - x509: certificate is not valid for any names, but wanted to match [pc-name]
[timestamp] INFO cmd/enroll_cmd.go:648 Fleet Server - Error - x509: certificate is not valid for any names, but wanted to match [pc-name]

I tried this with different inputs (localhost as address as recommended as an example) and leaving out the "--fleet-server-insecure-http" parameter without a different result.

I hope somebody can help with this rather frustrating problem.

Both in ES Cloud Deployment in AWS where a Fleet Server is automatically provided and without certificates I had my first Agents running in less than 5 minutes.

Thanks

edit1: just some formatting changes


Hi,

You should create a certificate for whatever [pc-name] is.

Best regards,
Robert
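
Added example, not part of the thread and not Elastic's code: Elastic Agent is a Go program, and the x509 error in the logs above is what Go's hostname check returns when the presented certificate has no DNS subject alternative name (SAN) to compare with the host being dialed. The sketch below reproduces the check with Go's standard library; `pc-name` stands in for the `[pc-name]` placeholder, the `elasticsearch` SAN and the subject CN are constructed values, and the certificates are self-signed only to keep the example short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert returns a parsed self-signed certificate whose only names are the
// given DNS SANs. The CN is a constructed value; current Go releases do not
// match hosts against it.
func mintCert(dnsSANs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-example"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHost mints a certificate with the given SANs and applies the name
// check a Go TLS client runs against the host it connected to.
func checkHost(dnsSANs []string, host string) error {
	cert, err := mintCert(dnsSANs)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

func main() {
	const host = "pc-name" // stand-in for [pc-name] in the post
	fmt.Println("no SAN:       ", checkHost(nil, host))
	fmt.Println("SAN = pc-name:", checkHost([]string{host}, host))
	fmt.Println("SAN = other:  ", checkHost([]string{"elasticsearch"}, host))
}
```

Only the certificate whose SAN list contains the dialed host passes, so the name passed in the URL flags has to appear as a DNS SAN in the certificate served at that address.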
