TL;DR: The endpoint agent can't talk to ES as it doesn't trust the self-signed CA cert, despite this being in the trusted root store of the endpoint.
The workaround: The agent requires a path to be defined in the 'outputs' section (right at the end) of the action_store.yml file, added as ssl.certificate_authorities. However, this user-added path gets wiped out with each new configuration deployment.
E.g. (I copied the CA cert to the agent folder, but it can live anywhere):
ssl.certificate_authorities: ["C:\\Program Files\\Elastic\\Agent\\elasticsearch-ca.pem"]
The possible bug: There's an 'advanced' config option in the Endpoint Security integration for Windows called windows.advanced.elasticsearch.tls.ca_cert, but no matter what I put there (it wants a path to the ca.pem file), this seems to have no impact.
Also, it would be helpful to have this option available in the Elastic Agent integration rather than the Endpoint Security one, as this integration may not be included in a policy. The Agent integration will always be present.
If I've missed a step that tells the Elastic Agent where to find the root CA cert, then do please let me know, as that will also solve this issue.
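Because the post describes a setting that silently disappears on each deployment, the practical check is a small drift audit: read the agent's YAML, confirm that ssl.certificate_authorities is still present in the outputs section, and confirm that each path it names exists and actually holds a CA certificate. The script below is an added example written for this post, not Elastic's own code or tooling; the config text is a constructed sample that mirrors the line quoted above (the host name is invented), and it uses only the Python standard library, so a YAML parser is not required. It handles the two failure modes a practitioner would care about: the key being wiped, and the key pointing at a file that is missing or is not a CA certificate.

```python
import re
import ssl
from pathlib import Path

# Constructed sample of the 'outputs' section after the CA path has been
# added. The CA path is the one from the post; the host name is invented.
SAMPLE_CONFIG = r'''
outputs:
  default:
    type: elasticsearch
    hosts: ["https://elastic.example.internal:9200"]
    ssl.certificate_authorities: ["C:\\Program Files\\Elastic\\Agent\\elasticsearch-ca.pem"]
'''

# Matches a single-line flow-style list:  ssl.certificate_authorities: ["a", "b"]
CA_LINE = re.compile(r'^\s*ssl\.certificate_authorities:\s*\[(.*?)\]\s*$', re.M)
# Matches one double-quoted or single-quoted list item.
CA_ITEM = re.compile(r'"((?:[^"\\]|\\.)*)"|\'([^\']*)\'')


def extract_ca_paths(config_text):
    """Return the CA file paths declared under ssl.certificate_authorities.

    Returns [] when the key is absent, which is exactly the state the post
    reports after a new configuration deployment overwrites the file.
    Only the YAML escape that matters for Windows paths (\\\\ -> \\) is decoded.
    """
    m = CA_LINE.search(config_text)
    if not m:
        return []
    paths = []
    for dq, sq in CA_ITEM.findall(m.group(1)):
        paths.append(dq.replace("\\\\", "\\") if dq else sq)
    return paths


def check_ca_file(path):
    """Classify one CA path as missing, unparseable, not_a_ca, or ok.

    ssl.SSLContext.get_ca_certs() only lists certificates flagged CA:TRUE, so a
    leaf/server cert copied by mistake is reported as not_a_ca.
    """
    p = Path(path)
    if not p.is_file():
        return {"path": path, "status": "missing", "detail": "file not found"}
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cafile=str(p))
    except ssl.SSLError as exc:
        return {"path": path, "status": "unparseable", "detail": str(exc)}
    cas = ctx.get_ca_certs()
    if not cas:
        return {"path": path, "status": "not_a_ca", "detail": "no CA:TRUE certificate in file"}
    names = [dict(rdn[0] for rdn in c["subject"]).get("commonName", "?") for c in cas]
    return {"path": path, "status": "ok", "detail": "CA subject(s): " + ", ".join(names)}


def audit_config(config_text, expected_paths):
    """Compare the live config against the paths you expect to be there.

    Returns (drifted, results): drifted is True if the key was wiped or no
    longer lists every expected path; results holds one check per path found.
    """
    found = extract_ca_paths(config_text)
    drifted = any(exp not in found for exp in expected_paths)
    results = [check_ca_file(p) for p in found]
    return drifted, results


if __name__ == "__main__":
    # Run this after each policy deployment against the real agent YAML, e.g.:
    #   text = Path(r"C:\Program Files\Elastic\Agent\action_store.yml").read_text()
    expected = [r"C:\Program Files\Elastic\Agent\elasticsearch-ca.pem"]
    drifted, results = audit_config(SAMPLE_CONFIG, expected)
    print("DRIFT: ssl.certificate_authorities was changed or removed" if drifted else "no drift")
    for r in results:
        print(f"{r['status']:<12} {r['path']}  ({r['detail']})")
```

Running it on a host where the file has just been redeployed prints a DRIFT line when the key has been wiped, and otherwise reports each path with its status; scheduling it alongside the agent's policy check-in gives you a record of when the overwrite happens, which is the evidence worth attaching to a bug report.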