Trouble Installing Fleet with Self-managed Certificates

Hello guys,

I've been installing Fleet with self-managed SSL certificates following these docs: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.14] | Elastic

But I find my Fleet always updating and then offline with status 'never checked in'.

I used these specific commands on the server:

sudo ./elastic-agent install \
  --url=https://IP:8220 \
  --fleet-server-es=https://IP:9200 \
  --fleet-server-service-token=<token> \
  --fleet-server-policy=fleet-server-policy \
  --fleet-server-es-ca=/etc/elasticsearch/certs/http_ca.crt \
  --certificate-authorities=/etc/elasticsearch/certs/ca.crt \
  --fleet-server-cert=/etc/elasticsearch/certs/fleet-server.crt \
  --fleet-server-cert-key=/etc/elasticsearch/certs/fleet-server.key \
  --fleet-server-es-cert=/tmp/fleet-server.crt \
  --fleet-server-es-cert-key=/tmp/fleet-server.key \
  --elastic-agent-cert=/tmp/fleet-server.crt \
  --elastic-agent-cert-key=/tmp/fleet-server.key \
  --fleet-server-port=8220 \
  --fleet-server-client-auth=required

Is it right?

--fleet-server-client-auth=required is only required if you need mTLS, otherwise it can be removed.

Are you able to provide any logs or a diagnostics bundle from the instance to help with debugging?

Thanks for the insight, michel. I'm using a lot of possible ways, including your suggestion, but I still get 'offline' status in my Fleet with description "Never checked in".

I've ended up reinstalling Fleet using the quickstart option with these commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.3-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.14.3-linux-x86_64.tar.gz
cd elastic-agent-8.14.3-linux-x86_64
sudo ./elastic-agent install \
  --fleet-server-es=https://<ip>:9200 \
  --fleet-server-service-token=<token> \
  --fleet-server-policy=fleet-server-policy \
  --fleet-server-es-ca-trusted-fingerprint=<print> \
  --fleet-server-port=8220

My initial problem was that my agent couldn't connect to my Fleet because of the self-signed certificate, since the quickstart agent installation only told me to run these commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.3-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.14.3-linux-x86_64.tar.gz
cd elastic-agent-8.14.3-linux-x86_64
sudo ./elastic-agent install \
  --url=https://<host>:8220 \
  --enrollment-token=<token>

And I found out the self-signed certificate in the Fleet Server can be extracted to be used in addition to the agent installation commands as:

--certificate-authorities=/path/to/fleet_ca.crt

For anyone who wonders how to extract it, I'm using this command:

openssl s_client -connect <fleet-ip>:8220 -showcerts </dev/null 2>/dev/null | awk '/-----BEGIN/,/-----END/' > /tmp/fleet_ca.crt

Copy the fleet_ca.crt to any agent installation VM, then just add the extra command I mentioned before to the agent installation. It works.
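The openssl/awk pipeline above writes every certificate the server presented (leaf plus chain) into fleet_ca.crt, and it trusts whatever the network returned. As an added example that is not from this thread or from Elastic, the Python below splits such a bundle and keeps only the certificate whose SHA-256 fingerprint matches a value obtained out of band (the same pin-by-fingerprint idea as the quickstart's --fleet-server-es-ca-trusted-fingerprint flag), so a chain fetched over the network is never copied to agents unverified. The PEM bodies in the sample bundle are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample of what the awk pipeline writes to /tmp/fleet_ca.crt:
# the whole presented chain, leaf first, then the issuing CA. The base64
# bodies are placeholders, not real certificates; the helpers below only
# split the PEM blocks and hash the DER bytes, they do not parse ASN.1.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
bGVhZi1jZXJ0LXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2EtY2VydC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle: str) -> list[str]:
    """Return each certificate in the bundle as its own PEM string."""
    return [
        "-----BEGIN CERTIFICATE-----\n" + body.strip()
        + "\n-----END CERTIFICATE-----\n"
        for body in PEM_BLOCK.findall(bundle)
    ]


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate to DER bytes (base64 with line breaks removed)."""
    return base64.b64decode("".join(PEM_BLOCK.search(pem).group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl x509 prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept a fingerprint with or without colons, in any case."""
    return fp.replace(":", "").strip().lower()


def select_pinned_cert(bundle: str, expected_fp: str) -> str:
    """Return the certificate whose fingerprint matches the out-of-band value;
    raise if none does, so an unexpected chain is never written out as a CA."""
    wanted = normalize_fingerprint(expected_fp)
    for pem in split_pem_bundle(bundle):
        if normalize_fingerprint(sha256_fingerprint(pem_to_der(pem))) == wanted:
            return pem
    raise ValueError("no certificate in the bundle matches the expected fingerprint")
```

Write the returned PEM to the file you hand to --certificate-authorities instead of the raw bundle.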