X509: certificate signed by unknown authority

Hi everyone,

I'm new on the forum.

I'm a little confused. I've tried to follow many tutorials on Fleet Server / Agent, but I don't know how I can create my own certificate to deploy in production.

I tried to follow the ELK tutorial, but I think I made a mistake.

My error message is: x509: certificate signed by unknown authority

It appears it's not recommended to use --insecure mode in production, which is why I need your help.

Thanks a lot

Hi @AbbysS, welcome to the community.

Take a look here:

You can try using these flags when you install the Fleet Server to reference the CAs you created, which may solve your issue.

elastic-agent install --fleet-server-es <string>
                      --fleet-server-service-token <string>
                      [--ca-sha256 <string>]
                      [--certificate-authorities <string>]
                      [--delay-enroll]
                      [--fleet-server-cert <string>] 
                      [--fleet-server-cert-key <string>]
                      [--fleet-server-es-ca <string>]
                      [--fleet-server-es-ca-trusted-fingerprint <string>] 
                      [--fleet-server-host <string>]
                      [--fleet-server-insecure-http]
                      [--fleet-server-policy <string>]
                      [--fleet-server-port <uint16>]
                      [--force]
                      [--non-interactive]
                      [--help]
                      [--tag <string>]
                      [--url <string>] 
                      [--fleet-server-es-insecure]
                      [global-flags]

Hi @stephenb ,

The command I use to install my Fleet Server:

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.6.2-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.6.2-linux-x86_64.tar.gz
cd elastic-agent-8.6.2-linux-x86_64
sudo ./elastic-agent install --url=https://myIP:8220 \
  --fleet-server-es=https://myIP:9200 \
  --fleet-server-service-token=MYTOKEN \
  --fleet-server-policy=POLICY \
  --fleet-server-es-ca-trusted-fingerprint=FINGERPRINT \
  --certificate-authorities=/cert.crt \
  --fleet-server-cert=/fleet-cert.crt \
  --fleet-server-cert-key=/fleet-server.key

But when I want to enroll my agent with the command from "Add host" in the Fleet configuration, on another host, the command below stops with the error: x509: certificate signed by unknown authority

Apologies, I am unclear what "Add host" means. So this is about installing a non-Fleet / regular agent?

I think you can copy the CA to the host where the agent is and then use this. I am not sure if that is the Fleet CA or the Elasticsearch CA; you could try both.

elastic-agent install --url <string>
                      --enrollment-token <string>
                      [--ca-sha256 <string>] <-- this or the one below
                      [--certificate-authorities <string>] <-- THIS, I think, but this is the CA
                      [--delay-enroll]
                      [--force]
                      [--non-interactive]
                      [--help]
                      [--insecure ]
                      [--tag <string>]
                      [global-flags]

I think I'm not being clear, sorry.

I added my Fleet Server with the quick start parameters.

  1. My first try => I entered my information: Name and https://MYIP:8220,
     generated the Fleet Server policy,
     and installed "Fleet Server to a centralized host".
     But when I install it I see: "message":"Generating self-signed certificate for Fleet Server"
     And when I want to enroll an agent into Fleet: Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
     For help, please see our troubleshooting guide at Troubleshoot common problems | Fleet and Elastic Agent Guide [8.6] | Elastic

  2. Second try => I then created my own certificates and ran the command I showed you before to install my Fleet Server.
     But when I try to enroll a new Agent in Fleet with my own certificates, the error is the same.

I don't know where my mistake is.

So when you enroll the actual agent, are you using this?

And including BOTH the Elasticsearch CA and the Fleet CA?

Otherwise I think you are going to need to use the --insecure.

Unless you use official / non-self-managed certs... Perhaps I can try this myself in the next couple of days...

elastic-agent install --url <string>
                      --enrollment-token <string>
                      [--ca-sha256 <string>] <-- this or the one below
                      [--certificate-authorities <string>] <-- THIS, I think, but this is the CA
                      [--delay-enroll]
                      [--force]
                      [--non-interactive]
                      [--help]
                      [--insecure ]
                      [--tag <string>]
                      [global-flags]

@AbbysS Yeah, I don't think you can do this with self-signed certs... you will need to install public certs or stick with the --insecure method...

I installed everything from scratch with self-signed certs and had to use the --insecure...

Hi,

Thanks for your reply.
Actually, I'm not sure I'm using the best way to create the Elasticsearch CA and the Fleet CA.
I tried to use this tutorial: Configure SSL/TLS for self-managed Fleet Servers | Fleet and Elastic Agent Guide [8.6] | Elastic

But that doesn't work...

I just did this.

It took about 5 minutes. I used the quick start method, not advanced.

It worked fine: it created its own certs, and then I just used the --insecure flag for the agents.
