On-premises fleet server install: es bad_certificate

I am installing the Fleet server in the on-premises environment.
It's all connected, so fleet server is completed with healthy.
Then, Elasticsearch is sending an warning called bad_certificate.

Is it because I sent http_ca.cert to the Fleet server? Or did I use the cert file wrong?
Please give us your opinion.

sudo ./elastic-agent install -f \
   --url= \
   --fleet-server-es= \
   --fleet-server-service-token=<token> \
   --fleet-server-es-ca=/path/to/elasticsearch-ca.crt \ # es http_ca.crt
   --certificate-authorities=/path/to/ca.crt \ # ca.crt
   --fleet-server-cert=/path/to/fleet-server.crt \ # fleet-server.crt
   --fleet-server-cert-key=/path/to/fleet-server.key # fleet-server.key
[2023-01-13T15:44:21,574][WARN ][o.e.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/es:9200, remoteAddress=/fleet:39752}io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at io.netty.codec@4.1.77.Final/io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480)
	at io.netty.codec@4.1.77.Final/io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.transport@4.1.77.Final/io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)


This usually happens when there is some flaw when generating or assigning the certificates.
Is the CA you used to sign the fleet-server certificate the same ES uses?

Did you follow this and this?

You need first to configure security and generate certificates for the Elastic Stack, to them proceed to configure SSl/TSL for fleet-server.

I am using the elasticsearch 8.4.2 version and used config/certs/http_ca.cert as "elasticsearch-ca.cert".

Just in case, I tried to convert http.p12 to elasticsearch-ca.cert and use it, but elasticsearch is sending the same warning.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.