Hello guys,
I've been installing Fleet with self-managed SSL certificates following these docs: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.14] | Elastic
But I find my Fleet Server always updating and then going offline with status 'never checked in'.
I used these specific commands on the server:
sudo ./elastic-agent install \
--url=https://IP:8220 \
--fleet-server-es=https://IP:9200 \
--fleet-server-service-token=<token> \
--fleet-server-policy=fleet-server-policy \
--fleet-server-es-ca=/etc/elasticsearch/certs/http_ca.crt \
--certificate-authorities=/etc/elasticsearch/certs/ca.crt \
--fleet-server-cert=/etc/elasticsearch/certs/fleet-server.crt \
--fleet-server-cert-key=/etc/elasticsearch/certs/fleet-server.key \
--fleet-server-es-cert=/tmp/fleet-server.crt \
--fleet-server-es-cert-key=/tmp/fleet-server.key \
--elastic-agent-cert=/tmp/fleet-server.crt \
--elastic-agent-cert-key=/tmp/fleet-server.key \
--fleet-server-port=8220 \
--fleet-server-client-auth=required
Is it right?
--fleet-server-client-auth=required
is only required if you need mTLS, otherwise it can be removed.
Are you able to provide any logs or a diagnostics bundle from the instance to help with debugging?
Thanks for the insight Michel, I'm trying a lot of possible ways, including your suggestion. But I still get 'offline' status in my Fleet with the description "Never checked in".
I've ended up reinstalling the Fleet Server using the quickstart option with these commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.3-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.14.3-linux-x86_64.tar.gz
cd elastic-agent-8.14.3-linux-x86_64
sudo ./elastic-agent install \
--fleet-server-es=https://<ip>:9200 \
--fleet-server-service-token=<token> \
--fleet-server-policy=fleet-server-policy \
--fleet-server-es-ca-trusted-fingerprint=<print> \
--fleet-server-port=8220
My initial problem was that my agent couldn't connect to my Fleet Server because of the self-signed certificate, since the quickstart agent installation only told me to run these commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.3-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.14.3-linux-x86_64.tar.gz
cd elastic-agent-8.14.3-linux-x86_64
sudo ./elastic-agent install \
--url=https://<host>:8220 \
--enrollment-token=<token>
And I found out the self-signed certificate in Fleet Server can be extracted and used in addition to the agent installation commands as:
--certificate-authorities=/path/to/fleet_ca.crt
For anyone who wonders how to extract it, I'm using this command:
openssl s_client -connect <fleet-ip>:8220 -showcerts </dev/null 2>/dev/null | awk '/-----BEGIN/,/-----END/' > /tmp/fleet_ca.crt
Copy the fleet_ca.crt to any agent installation VM, then just add the extra option I mentioned before to the agent installation. It works.
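A worked example, added here and not part of the thread or of Elastic's own tooling, for the step where the file produced by the `openssl s_client ... | awk` command is turned into a trust anchor. The awk range filter writes every certificate the server presented (leaf first, then any intermediates or the CA), so the file can hold more than one block, and whatever it holds came over the network from the host you are about to trust. The quickstart install in the post avoids that by pinning a fingerprint (`--fleet-server-es-ca-trusted-fingerprint`); the script below applies the same idea to the extracted bundle: it splits the PEM blocks, computes the SHA-256 fingerprint of each (the same value `openssl x509 -noout -fingerprint -sha256` prints), and keeps only the block whose fingerprint matches a value obtained out of band (for example read directly on the Fleet Server host). The sample chain is constructed data, not real certificates, and the function names are this example's own.

```python
import base64
import hashlib
import re
import textwrap
from typing import List, Optional

# One PEM certificate block, the same span the awk '/-----BEGIN/,/-----END/'
# range filter in the post captures (possibly several times in one file).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_chain(text: str) -> List[str]:
    """Return each certificate in a PEM bundle as its own normalised PEM string.

    openssl s_client -showcerts prints the whole chain the server presented
    (leaf first, then intermediates), so the saved file may hold several
    certificates; the caller still has to decide which one is the trust anchor.
    """
    certs = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(1).split())  # drop line breaks inside the base64
        wrapped = "\n".join(textwrap.wrap(body, 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, in the colon-separated uppercase form that
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a single PEM certificate (base64 body decoded to DER)."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("not a PEM certificate")
    return der_fingerprint(base64.b64decode("".join(m.group(1).split())))


def pick_trusted(chain_text: str, expected_fingerprint: str) -> Optional[str]:
    """Return the certificate in the bundle whose fingerprint matches the value
    obtained out of band, or None if nothing matches. Case and colons are
    ignored so a value copied from Kibana or from openssl both compare equal."""
    def norm(s: str) -> str:
        return s.replace(":", "").lower()

    for cert in split_pem_chain(chain_text):
        if norm(pem_fingerprint(cert)) == norm(expected_fingerprint):
            return cert
    return None


def _fake_pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block. Constructed test data only: the
    payload is not a real X.509 certificate, it just exercises the parsing."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample of what /tmp/fleet_ca.crt might look like after the awk
# filter: two blocks, the server's leaf certificate first, then its issuing CA.
SAMPLE_LEAF_DER = b"constructed-leaf-not-a-real-certificate"
SAMPLE_CA_DER = b"constructed-ca-not-a-real-certificate"
SAMPLE_CHAIN = _fake_pem(SAMPLE_LEAF_DER) + _fake_pem(SAMPLE_CA_DER)


if __name__ == "__main__":
    # Stand-in for a fingerprint read on the Fleet Server host itself
    # (openssl x509 -in ca.crt -noout -fingerprint -sha256), i.e. obtained
    # independently of the network capture we are about to trust.
    trusted_fp = der_fingerprint(SAMPLE_CA_DER)
    anchor = pick_trusted(SAMPLE_CHAIN, trusted_fp)
    print("certificates in bundle:", len(split_pem_chain(SAMPLE_CHAIN)))
    print("matched trust anchor:", "yes" if anchor else "no")
    if anchor:
        # Only the matched block should be handed to --certificate-authorities.
        print(anchor, end="")
```

The block that `pick_trusted` returns is the one to save and pass as `--certificate-authorities=`; if it returns `None`, the server presented something other than the CA you expected and the bundle should not be installed on agents.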