On-premises fleet server install: es bad_certificate

dms6978 · January 13, 2023, 6:59am

I am installing the Fleet server in the on-premises environment.
It's all connected, so fleet server is completed with healthy.
Then, Elasticsearch is sending an warning called bad_certificate.

Is it because I sent http_ca.cert to the Fleet server? Or did I use the cert file wrong?
Please give us your opinion.

sudo ./elastic-agent install -f \
   --url=https://192.0.2.1:8220 \
   --fleet-server-es=https://192.0.2.0:9200 \
   --fleet-server-service-token=<token> \
   --fleet-server-es-ca=/path/to/elasticsearch-ca.crt \ # es http_ca.crt
   --certificate-authorities=/path/to/ca.crt \ # ca.crt
   --fleet-server-cert=/path/to/fleet-server.crt \ # fleet-server.crt
   --fleet-server-cert-key=/path/to/fleet-server.key # fleet-server.key

[2023-01-13T15:44:21,574][WARN ][o.e.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/es:9200, remoteAddress=/fleet:39752}io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at io.netty.codec@4.1.77.Final/io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480)
	at io.netty.codec@4.1.77.Final/io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)

AndersonQ · January 17, 2023, 2:10pm

Hi,

This usually happens when there is some flaw when generating or assigning the certificates.
Is the CA you used to sign the fleet-server certificate the same ES uses?

Did you follow this and this?

You need first to configure security and generate certificates for the Elastic Stack, to them proceed to configure SSl/TSL for fleet-server.

dms6978 · January 18, 2023, 12:27am

I am using the elasticsearch 8.4.2 version and used config/certs/http_ca.cert as "elasticsearch-ca.cert".

Just in case, I tried to convert http.p12 to elasticsearch-ca.cert and use it, but elasticsearch is sending the same warning.

system · February 15, 2023, 12:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Caught exception while handling client http traffic, closing connection Elasticsearch fleet	2	1349	May 21, 2024
Certificate error occurred when installing the fleet server Beats fleet	47	2438	January 31, 2023
Fleet Server x509 Error (GODEBUG=x509ignoreCN=0) Beats fleet , elastic-agent	5	2120	September 27, 2021
Fleet server installation issue with TLS and certificates Elastic Agent fleet	0	57	October 29, 2024
Fleet server and agents unable to write data to Elasticsearch - Bad Certificate Elasticsearch fleet	2	858	January 17, 2023

On-premises fleet server install: es bad_certificate

Related topics