Synthetics | failed to verify certificate: x509

Hello, everyone!

I've been trying for a few weeks to use Elasticsearch synthetic monitors. I'm following the documentation Run Elastic Agent in a container | Fleet and Elastic Agent Guide [8.11] | Elastic to install the elastic-agent-complete, but I always receive the following error:

{"log.level":"error","@timestamp":"2024-01-25T14:40:54.353Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":557},"message":"Unit state changed fleet-server-default (STARTING->FAILED): Error - failed version compatibility check with Elasticsearch: tls: failed to verify certificate: x509: certificate signed by unknown authority","log":{"source":"elastic-agent"},"component":{"id":"fleet-server-default","state":"HEALTHY"},"unit":{"id":"fleet-server-default","type":"output","state":"FAILED","old_state":"STARTING"},"ecs.version":"1.6.0"}

I've tried adding the --insecure flag and various other things, but without success. I'm using a self-signed certificate. I already have other elastic-agents working in the stack; the issue seems to be specifically with elastic-agent-complete via Docker.

**This is my first time using this forum; please let me know if I've done anything wrong.

I believe the insecure flag should work, but it is not recommended for a production deployment because it allows for man-in-the-middle attacks on your infrastructure.

The secure way to set this up is documented here: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.12] | Elastic, and involves either 1) using a publicly trusted certificate or one from your enterprise CA or 2) providing the self-signed public root to the agent on install or enroll via --certificate-authorities=/path/to/ca.crt

Can you share how you attempted to apply the dash --insecure flag to your container?

Thanks for the answer, William. Well, I tried following Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.12] | Elastic and I still get the same error message. And one of the different ways I passed the --insecure flag was like this:

sudo docker run -d \
  --name=elastic-agent-complete \
  --env FLEET_SERVER_ENABLE=true \
  --env FLEET_SERVER_ELASTICSEARCH_HOST=https://10.xxx.xx.xx:9200 \
  --env FLEET_SERVER_SERVICE_TOKEN=eUVXXXXXXXXXXXXXXXXXXXXXXXX \
  --env FLEET_SERVER_POLICY_ID=my-policy \
  --env FLEET_SERVER_INSECURE=true \
  -p 8220:8220 \
  docker.elastic.co/beats/elastic-agent-complete:8.11.4

Maybe the error is in front of me and I can't see it anymore lol

I'm not super familiar with this area but my guess is: I don't believe FLEET_SERVER_INSECURE is a valid setting. You'll want FLEET_SERVER_INSECURE_HTTP.

If your Elasticsearch cluster is using a self-signed cert, you'll also want to provide the CA for the Elasticsearch server via FLEET_SERVER_ELASTICSEARCH_CA.
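
Added example, not from any poster in this thread or from Elastic's documentation: a wrapper for the command posted above that mounts the Elasticsearch CA and sets FLEET_SERVER_ELASTICSEARCH_CA, so certificate verification stays on instead of being disabled. The function names, the in-container CA path, the DRY_RUN switch and passing the token through the environment are assumptions; the image and the other variables are the ones already in the thread.

```shell
#!/bin/sh
# Assumed mount point for the CA inside the container (not from the thread).
CA_IN_CONTAINER=/usr/share/elastic-agent/es-ca.crt

# Reject a CA argument that docker cannot bind-mount or that is not PEM.
check_ca_file() {
  case $1 in
    /*) ;;
    *) echo "CA path must be absolute for a bind mount: $1" >&2; return 1 ;;
  esac
  [ -r "$1" ] || { echo "CA file not readable: $1" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || {
    echo "not a PEM certificate: $1" >&2; return 1; }
}

# Usage: run_fleet_server /abs/path/ca.crt https://es-host:9200 policy-id
# The service token is read from the exported FLEET_SERVER_SERVICE_TOKEN and
# handed to docker by name only, so it never appears in the argument list.
# Prints the command by default; set DRY_RUN=0 to execute it.
run_fleet_server() {
  ca_file=$1
  es_host=$2
  policy=$3
  check_ca_file "$ca_file" || return 1
  [ -n "${FLEET_SERVER_SERVICE_TOKEN:-}" ] || {
    echo "export FLEET_SERVER_SERVICE_TOKEN first" >&2; return 1; }
  set -- docker run -d --name=elastic-agent-complete \
    --env FLEET_SERVER_ENABLE=true \
    --env "FLEET_SERVER_ELASTICSEARCH_HOST=$es_host" \
    --env "FLEET_SERVER_ELASTICSEARCH_CA=$CA_IN_CONTAINER" \
    --env FLEET_SERVER_SERVICE_TOKEN \
    --env "FLEET_SERVER_POLICY_ID=$policy" \
    -v "$ca_file:$CA_IN_CONTAINER:ro" \
    -p 8220:8220 \
    docker.elastic.co/beats/elastic-agent-complete:8.11.4
  if [ "${DRY_RUN:-1}" = 0 ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}
```

The CA file has to be the certificate that signed the Elasticsearch HTTP certificate, and it must be readable by the user the container runs as.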