X509 certificate signed by unknown authority error, even with --insecure flag

Hi,

I am installing the elastic agent with sudo ./elastic-agent install --url=https://<FLEET URL> --enrollment-token=<token> --insecure
In the output of sudo elastic-agent inspect there is

ssl:
    renegotiation: never
    verification_mode: none

but in the output of sudo elastic-agent logs there are errors for Error dialing x509: certificate signed by unknown authority and no data is being ingested from any agents. I thought that adding --insecure would prevent these errors?

This is a brand new Elastic V9 stack on ECE 4.0

Full Elastic Agent Errors

{
  "log.level": "error",
  "@timestamp": "2025-04-23T22:37:43.262Z",
  "message": "Failed to connect to backoff(elasticsearch(<fleet>)): Get \"<FLEET URL>\": x509: certificate signed by unknown authority",
  "component": {
    "binary": "filebeat",
    "dataset": "elastic_agent.filebeat",
    "id": "filestream-monitoring",
    "type": "filestream"
  },
  "log": {
    "source": "filestream-monitoring"
  },
  "log.origin": {
    "file.line": 149,
    "file.name": "pipeline/client_worker.go",
    "function": "github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"
  },
  "service.name": "filebeat",
  "ecs.version": "1.6.0",
  "log.logger": "publisher_pipeline_output",
  "ecs.version": "1.6.0"
}
{
  "log.level": "error",
  "@timestamp": "2025-04-23T22:37:43.291Z",
  "message": "Error dialing x509: certificate signed by unknown authority",
  "component": {
    "binary": "filebeat",
    "dataset": "elastic_agent.filebeat",
    "id": "filestream-monitoring",
    "type": "filestream"
  },
  "log": {
    "source": "filestream-monitoring"
  },
  "log.origin": {
    "file.line": 39,
    "file.name": "transport/logging.go",
    "function": "github.com/elastic/elastic-agent-libs/transport/httpcommon.(*HTTPTransportSettings).RoundTripper.LoggingDialer.func2"
  },
  "network.transport": "tcp",
  "server.address": "<FLEET URL>",
  "log.logger": "esclientleg",
  "service.name": "filebeat",
  "ecs.version": "1.6.0",
  "ecs.version": "1.6.0"
}

Hi @nmcc1212, welcome to the community.

What Version of the Stack and Agent?

What integrations are part of the policy?

How did you set up Elasticsearch, Kibana and Fleet?

Did you run

elastic-agent status

Can you share that?

  "message": "Failed to connect to backoff(elasticsearch(<fleet>)): Get \"<FLEET URL>\"

And to be sure that is the Fleet URL and port, because it kind of looks like Elasticsearch, meaning it may be the connection to Elasticsearch, not Fleet. Agents get policies from Fleet but send telemetry directly to Elasticsearch.

And that connection information is set as the Outputs in the Fleet Settings.

Did you set that up correctly?

Basically you're going to need to include that CA fingerprint if you have a self-signed cert.

Elasticsearch CA trusted fingerprint: HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the certificate_authorities list and the handshake will continue normally.

To learn more about trusted fingerprints, refer to the Elasticsearch security documentation.
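
Added example (not part of the thread and not Elastic's code): the trusted fingerprint described above is the hex SHA-256 of the certificate's DER bytes, so it can be computed from a PEM CA file and compared against the value entered in the output settings. The function names are hypothetical, and the sample PEM wraps placeholder bytes rather than a real certificate.

```python
import hashlib
import re
import ssl

# Matches each certificate in a PEM bundle (a CA file may hold several).
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle):
    """Hex SHA-256 of the DER encoding of every certificate in the bundle."""
    certs = PEM_CERT.findall(pem_bundle)
    if not certs:
        raise ValueError("no PEM certificate found in input")
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(c)).hexdigest() for c in certs]


def normalize(fingerprint):
    """Reduce 'sha256 Fingerprint=AA:BB:...' or plain hex to 64 lowercase hex digits."""
    value = fingerprint.split("=", 1)[-1]
    value = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError("not a SHA-256 fingerprint: expected 64 hex digits")
    return value


def fingerprint_in_bundle(configured, pem_bundle):
    """True if the configured fingerprint matches a certificate in the bundle."""
    return normalize(configured) in fingerprints(pem_bundle)


# Constructed sample: the body is base64 of the placeholder bytes b"abc",
# not a real certificate. A real CA file is hashed the same way.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for fp in fingerprints(SAMPLE_PEM):
        print(fp)
```

A fingerprint that does not match any certificate in the CA file is a common reason the x509 error persists after the output has been edited.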

Hi,
Thanks for this, adding the fingerprint to the output fixed the issue

And going back over the logs I realised this was the Elasticsearch URL, not the Fleet URL.

Thanks for your help! :smile:
