On-premises fleet server install: es bad_certificate

dms6978 · January 13, 2023, 6:59am

I am installing the Fleet server in the on-premises environment.
It's all connected, so fleet server is completed with healthy.
Then, Elasticsearch is sending an warning called bad_certificate.

Is it because I sent http_ca.cert to the Fleet server? Or did I use the cert file wrong?
Please give us your opinion.

sudo ./elastic-agent install -f \
   --url=https://192.0.2.1:8220 \
   --fleet-server-es=https://192.0.2.0:9200 \
   --fleet-server-service-token=<token> \
   --fleet-server-es-ca=/path/to/elasticsearch-ca.crt \ # es http_ca.crt
   --certificate-authorities=/path/to/ca.crt \ # ca.crt
   --fleet-server-cert=/path/to/fleet-server.crt \ # fleet-server.crt
   --fleet-server-cert-key=/path/to/fleet-server.key # fleet-server.key

[2023-01-13T15:44:21,574][WARN ][o.e.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/es:9200, remoteAddress=/fleet:39752}io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at io.netty.codec@4.1.77.Final/io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480)
	at io.netty.codec@4.1.77.Final/io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)

AndersonQ · January 17, 2023, 2:10pm

Hi,

This usually happens when there is some flaw when generating or assigning the certificates.
Is the CA you used to sign the fleet-server certificate the same ES uses?

Did you follow this and this?

You need first to configure security and generate certificates for the Elastic Stack, to them proceed to configure SSl/TSL for fleet-server.

dms6978 · January 18, 2023, 12:27am

I am using the elasticsearch 8.4.2 version and used config/certs/http_ca.cert as "elasticsearch-ca.cert".

Just in case, I tried to convert http.p12 to elasticsearch-ca.cert and use it, but elasticsearch is sending the same warning.

system · February 15, 2023, 12:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.