X509: certificate signed by unknown authority + fleet "Set up encryption key" in kibana > fleet

hello i really really need help please creating a fleet server

i have an elasticsearch cluster with 2 nodes (192.168.1.15:9200, 192.168.1.16:9200) and kibana instance 192.168.1.20:5601, and a fleetserver 192.168.1.23:8220
I configured basic security following this: Set up basic security for the Elastic Stack | Elasticsearch Guide [8.14] | Elastic and Set secured HTTPS traffic following this Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.14] | Elastic which means that connections between nodes are encrypted as well as connection between the cluster and kibana or anything else is encrypted and require a certificate (elasticsearch-ca.pem) in my case
and i have generated an ssl certificate for fleet-server using this command /usr/share/elasticsearch/bin/elasticsearch-certutil cert --pem -ca /usr/share/elasticsearch/elastic-stack-ca.p12 -name fleet-server
and ended up with fleet-server.key and fleet-server.crt that i moved to my fleet-server and gave permissions ofc
now I wanted to create a fleet server so I did this configuration
for the output cluster :


and for the fleet server
add fleet server > advanced > created a policy > production deployment mode > added my host name : fleet-server
URL: https://192.168.1.23:8220
and then this command

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.1-linux-x86_64.tar.gz tar xzvf elastic-agent-8.14.1-linux-x86_64.tar.gz cd elastic-agent-8.14.1-linux-x86_64 sudo ./elastic-agent install --url=https://192.168.1.23:8220 \ --fleet-server-es=https://192.168.1.15:9200 \ --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MjA4MjY4NTU4Njk6a3pHNmJ2cGhUQy1FT0NyeXdyeC1Pdw \ --fleet-server-policy=fleet-server-policy \ --certificate-authorities= /etc/elastic_certs/elasticsearch-ca.pem \ --fleet-server-es-ca= /etc/elastic_certs/elasticsearch-ca.pem \ --fleet-server-cert= /etc/elastic_certs/fleet-server.crt \ --fleet-server-cert-key= /etc/elastic_certs/fleet-server.key \ --fleet-server-port=8220

here is it again for better visibility:
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.1-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.14.1-linux-x86_64.tar.gz
cd elastic-agent-8.14.1-linux-x86_64
sudo ./elastic-agent install --url=https://192.168.1.23:8220 \ --fleet-server-es=https://192.168.1.15:9200 \ --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MjA4MjY4NTU4Njk6a3pHNmJ2cGhUQy1FT0NyeXdyeC1Pdw \ --fleet-server-policy=fleet-server-policy \ --certificate-authorities= /etc/elastic_certs/elasticsearch-ca.pem \ --fleet-server-es-ca= /etc/elastic_certs/elasticsearch-ca.pem \ --fleet-server-cert= /etc/elastic_certs/fleet-server.crt \ --fleet-server-cert-key= /etc/elastic_certs/fleet-server.key \ --fleet-server-port=8220

I get this error x509: certificate signed by unknown authority
what cloud be the mistake ?
please help

Perhaps take a look at

hello stephen thank you for taking the time to answer !

i tried this following the link you sent (adding the insecure flag but I'm still getting the same error :
sudo ./elastic-agent install --url=https://192.168.1.23:8220
--fleet-server-es=https://192.168.1.15:9200
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MjA4NjU0MDQzNjE6SE05S0dGUU1RQ1duT1R1S1RXTnM3Zw --insecure
--fleet-server-policy=fleet-server-policy
--certificate-authorities= /etc/elastic_certs/elasticsearch-ca.pem
--fleet-server-es-ca= /etc/elastic_certs/elasticsearch-ca.pem
--fleet-server-cert= /etc/elastic_certs/fleet-server.crt
--fleet-server-cert-key= /etc/elastic_certs/fleet-server.key
--fleet-server-port=8220

x509: certificate signed by unknown authority

is there anything else I can try please ?

I am not sure if this is typos but you have spaces so that is not correct in several places ... the last 3 values

--fleet-server-es-ca= /etc/elastic_certs/elasticsearch-ca.pem
.....................^

Is the fleet server on the same server as elastic and kibana or are the the on different servers

Also are you following the directions here an putting in the correct host name and ip your command in the first post does not.

Also assuming that you followed these instructions carefully

Can you show the entire agent install output please

hello again

thank you so much stephen for pointing me in the right direction
and yup it was the space in the path and adding the flag --insecure after the token

here is the error message before modifications:

root@fleet:~/elastic-agent-8.14.1-linux-x86_64# sudo ./elastic-agent install --url=https://192.168.1.23:8220 \

--fleet-server-es=https://192.168.1.15:9200
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MjA4OTgyNzUxNzU6Q3ZMTEFkQlVRR0themNkMDNKSTQ0dw
--fleet-server-policy=fleet-server-policy
--certificate-authorities=/etc/elastic_certs/elasticsearch-ca.pem
--fleet-server-es-ca=/etc/elastic_certs/elasticsearch-ca.pem
--fleet-server-cert=/etc/elastic_certs/fleet-server01.crt
--fleet-server-cert-key=/etc/elastic_certs/fleet-server01.key
--fleet-server-port=8220
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[ ==] Service Started [21s] Elastic Agent successfully installed, starting enrollment.
[=== ] Waiting For Enroll... [23s] {"log.level":"info","@timestamp":"2024-07-13T19:21:59.972Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":480},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
[ =] Waiting For Enroll... [25s] {"log.level":"info","@timestamp":"2024-07-13T19:22:01.980Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":857},"message":"Fleet Server - Starting: spawned pid '4944'","ecs.version":"1.6.0"}
[ =] Waiting For Enroll... [29s] {"log.level":"info","@timestamp":"2024-07-13T19:22:05.985Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":838},"message":"Fleet Server - Running on policy with Fleet Server integration: fleet-server-policy; missing config fleet.agent.id (expected during bootstrap process)","ecs.version":"1.6.0"}
[====] Waiting For Enroll... [30s] {"log.level":"info","@timestamp":"2024-07-13T19:22:06.281Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":517},"message":"Starting enrollment to URL: https://192.168.1.23:8220/","ecs.version":"1.6.0"}
[== ] Waiting For Enroll... [30s] {"log.level":"info","@timestamp":"2024-07-13T19:22:06.530Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":523},"message":"1st enrollment attempt failed, retrying enrolling to URL: https://192.168.1.23:8220/ with exponential backoff (init 1s, max 10s)","ecs.version":"1.6.0"}
Error: fail to enroll: fail to execute request to fleet-server: x509: cannot validate certificate for 192.168.1.23 because it doesn't contain any IP SANs
For help, please see our troubleshooting guide at Troubleshoot common problems | Fleet and Elastic Agent Guide [8.14] | Elastic
[== ] Uninstalled [31s] Error uninstalling. Printing logs
2024-07-13T19:22:06.955Z DEBUG [install] Loaded configuration from /root/elastic-agent-8.14.1-linux-x86_64/elastic-agent.yml
2024-07-13T19:22:06.955Z DEBUG [install] Merged configuration from /root/elastic-agent-8.14.1-linux-x86_64/elastic-agent.yml into result
2024-07-13T19:22:06.955Z DEBUG [install] Merged all configuration files from [/root/elastic-agent-8.14.1-linux-x86_64/elastic-agent.yml], no external input files
2024-07-13T19:22:06.956Z DEBUG [install.composable] Starting controller for composable inputs
2024-07-13T19:22:06.956Z DEBUG [install.composable] Started controller for composable inputs
2024-07-13T19:22:06.956Z DEBUG [install.composable.providers.kubernetes] Kubernetes provider for resource pod skipped, unable to connect: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2024-07-13T19:22:06.956Z DEBUG [install.composable.providers.kubernetes] Kubernetes provider for resource node skipped, unable to connect: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2024-07-13T19:22:06.956Z DEBUG [install.composable] Variable state changed for composable inputs; debounce started
2024-07-13T19:22:06.956Z DEBUG [install.composable] kubernetes_secrets provider skipped, unable to connect: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2024-07-13T19:22:06.956Z DEBUG [install.composable] Kubernetes leaderelection provider skipped, unable to connect: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2024-07-13T19:22:06.956Z INFO [install.composable.providers.docker] Docker provider skipped, unable to connect: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
2024-07-13T19:22:07.056Z DEBUG [install.composable] Computing new variable state for composable inputs
2024-07-13T19:22:07.056Z DEBUG [install.composable] Stopping controller for composable inputs
2024-07-13T19:22:07.158Z DEBUG [install.composable] Stopped controller for composable inputs
Error: enroll command failed for unknown reason: exit status 1
For help, please see our troubleshooting guide at Troubleshoot common problems | Fleet and Elastic Agent Guide [8.14] | Elastic

and this is after the solution:

root@fleet:~/elastic-agent-8.14.1-linux-x86_64# sudo ./elastic-agent install --url=https://192.168.1.23:8220 \

--fleet-server-es=https://192.168.1.15:9200
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MjA4OTk4NzU0NTg6RUdHcWJ3U0xUOFdBUlZiemRCQ3ZZQQ --insecure
--fleet-server-policy=fleet-server-policy
--certificate-authorities=/etc/elastic_certs/elasticsearch-ca.pem
--fleet-server-es-ca=/etc/elastic_certs/elasticsearch-ca.pem
--fleet-server-cert=/etc/elastic_certs/fleet-server01.crt
--fleet-server-cert-key=/etc/elastic_certs/fleet-server01.key
--fleet-server-port=8220
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[ =] Service Started [20s] Elastic Agent successfully installed, starting enrollment.
[=== ] Waiting For Enroll... [22s] {"log.level":"info","@timestamp":"2024-07-13T19:46:54.267Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":480},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
[ =] Waiting For Enroll... [24s] {"log.level":"info","@timestamp":"2024-07-13T19:46:56.282Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":824},"message":"Waiting for Elastic Agent to start Fleet Server","ecs.version":"1.6.0"}
[ =] Waiting For Enroll... [28s] {"log.level":"info","@timestamp":"2024-07-13T19:47:00.289Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":838},"message":"Fleet Server - Running on policy with Fleet Server integration: fleet-server-policy; missing config fleet.agent.id (expected during bootstrap process)","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-07-13T19:47:00.289Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","ecs.version":"1.6.0"}
[ ==] Waiting For Enroll... [29s] {"log.level":"info","@timestamp":"2024-07-13T19:47:00.329Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":517},"message":"Starting enrollment to URL: https://192.168.1.23:8220/","ecs.version":"1.6.0"}
[====] Waiting For Enroll... [29s] {"log.level":"warn","@timestamp":"2024-07-13T19:47:00.566Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","ecs.version":"1.6.0"}
[=== ] Waiting For Enroll... [30s] {"log.level":"info","@timestamp":"2024-07-13T19:47:01.523Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":480},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-07-13T19:47:01.525Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":298},"message":"Successfully triggered restart on running Elastic Agent.","ecs.version":"1.6.0"}
Successfully enrolled the Elastic Agent.
[== ] Done [30s]
Elastic Agent has been successfully installed.

one question is whether adding --insecure flag creates a possible vulnerability or not in a production environment ?

an other one is how can I solve the error on this picture please? :

I've red this article Secure saved objects | Kibana Guide [8.14] | Elastic but it seems like it is related to Securing Saved Objects in Kibana should I do something regarding this issue or just ignore it in a production environment please?

Set a GUID do not ignore. It just needs a random 32 byte GUID

Done!

Thank you Stephen

have a good one!