elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

fleet-server: x509: certificate signed by unknown authority #2042

Open ghost opened 1 year ago

ghost commented 1 year ago

es/kibana/es-agent/fleet version: 8.5.3

nginx/pg/docker Integrated registration has this problem.

```
./elastic-agent install --url=https://10.x.x.x:8220 --enrollment-token=YzVJTGQ0VUJrbXJ5OGJxTmhFYko6Nm9JTU9HrjZSVFdWeHBFWFJrWWpTdr==
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
{"log.level":"info","@timestamp":"2023-01-03T17:53:11.313+0800","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":471},"message":"Starting enrollment to URL: https://10.x.x.x:8220/","ecs.version":"1.6.0"}
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.5/fleet-troubleshooting.html
Error: enroll command failed with exit code: 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.5/fleet-troubleshooting.html
```

Nathan9745354 commented 1 year ago

Try the command below:

Add `--insecure` to `./elastic-agent install`:

```
./elastic-agent install --insecure --url=https://10.x.x.x:8220 --enrollment-token=YzVJTGQ0VUJrbXJ5OGJxTmhFYko6Nm9JTU9HrjZSVFdWeHBFWFJrWWpTdr==
```

socinabox commented 1 year ago

Nathan9745354's recommendation of using `--insecure` worked for me too. May I ask approximately when this will be fixed? Say, this year (2023)?

Nathan9745354 commented 1 year ago

> Nathan9745354's recommendation of using `--insecure` worked for me too.
>
> May I ask approximately when this will be fixed? Say, this year (2023)?

This is not a bug. Once you install Fleet Server, it will generate a cert. Because the agent does not recognize the cert as a known cert, this is a security issue: an adversary can insert a malicious cert like that. You should generate a cert signed by a trusted provider like Let's Encrypt.
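Where the error in this thread comes from, shown as an added example that is not part of the original thread or of Elastic's code: elastic-agent is a Go program, and Go's `crypto/x509` returns this error when the server certificate does not chain to any CA in the client's trust store. The certificates and the address `192.0.2.10` are constructed, and `must`, `issue` and `demo` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed test certificate; with parent == nil it is a self-signed CA.
func issue(serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("constructed-cert-%d", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("192.0.2.10")}, // constructed address (TEST-NET-1)
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// demo verifies one server cert against an empty trust store, then against one holding its CA.
func demo() (unknownAuthority bool, withCA error) {
	ca, caKey := issue(1, nil, nil)
	leaf, _ := issue(2, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "192.0.2.10"})
	_, withCA = leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: "192.0.2.10"})
	return errors.As(err, new(x509.UnknownAuthorityError)), withCA
}

func main() { fmt.Println(demo()) }
```

Adding the issuing CA to the trust store clears the error while verification stays on; for the agent, `elastic-agent install` accepts `--certificate-authorities` for that purpose.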

Tean commented 1 year ago

I tried with `--insecure`; the agent was added, but no data can be retrieved. The log file contains this:

```
{"log.level":"error","@timestamp":"2023-07-17T10:12:40.630Z","message":"Error dialing x509: certificate signed by unknown authority","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"address":"192.168.0.125:9200","log.logger":"esclientleg","log.origin":{"file.line":38,"file.name":"transport/logging.go"},"service.name":"metricbeat","network":"tcp","ecs.version":"1.6.0","ecs.version":"1.6.0"}
```

Are there some other params?

Nathan9745354 commented 1 year ago

> I tried with `--insecure`; the agent was added, but no data can be retrieved. The log file contains this:
>
> ```
> {"log.level":"error","@timestamp":"2023-07-17T10:12:40.630Z","message":"Error dialing x509: certificate signed by unknown authority","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"address":"192.168.0.125:9200","log.logger":"esclientleg","log.origin":{"file.line":38,"file.name":"transport/logging.go"},"service.name":"metricbeat","network":"tcp","ecs.version":"1.6.0","ecs.version":"1.6.0"}
> ```
>
> Are there some other params?

Please post your command here.

And you added `--insecure`; can you see that Fleet Server is online? Did the installation complete?

Tean commented 1 year ago

> > I tried with `--insecure`; the agent was added, but no data can be retrieved. The log file contains this:
> >
> > ```
> > {"log.level":"error","@timestamp":"2023-07-17T10:12:40.630Z","message":"Error dialing x509: certificate signed by unknown authority","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"address":"192.168.0.125:9200","log.logger":"esclientleg","log.origin":{"file.line":38,"file.name":"transport/logging.go"},"service.name":"metricbeat","network":"tcp","ecs.version":"1.6.0","ecs.version":"1.6.0"}
> > ```
> >
> > Are there some other params?
>
> Please post your command here.
>
> And you added `--insecure`; can you see that Fleet Server is online? Did the installation complete?

This is my command:

```
.\elastic-agent.exe install --url=https://192.168.0.125:8220 --enrollment-token=VlM1aGRvZ0JVcDczcFBpVF95eDk6dkRJNlpzUDdTc2lYcTBRMV9yV0RPUQ== --insecure
```

I can find agents, but no data.

elastic-agent-diagnostics-2023-07-18T11-05-11Z-00.zip

After upgrading the Fleet Server version to 8.8.2, I tried a new installation command like this, but still have no data:

```
.\elastic-agent.exe install --insecure --fleet-server-es-insecure --url=https://192.168.0.125:8220 --enrollment-token=VlM1aGRvZ0JVcDczcFBpVF95eDk6dkRJNlpzUDdTc2lYcTBRMV9yV0RPUQ==
```

And it looks like the same error:

```
{"log.level":"info","@timestamp":"2023-07-21T10:31:16.492+0800","message":"Attempting to reconnect to backoff(elasticsearch(https://192.168.0.125:9200)) with 7 reconnect attempt(s)","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"windows/metrics-default","type":"windows/metrics"},"log":{"source":"windows/metrics-default"},"log.origin":{"file.line":139,"file.name":"pipeline/client_worker.go"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"publisher_pipeline_output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-07-21T10:31:16.501+0800","message":"Error dialing x509: certificate signed by unknown authority","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"windows/metrics-default","type":"windows/metrics"},"log":{"source":"windows/metrics-default"},"service.name":"metricbeat","network":"tcp","log.logger":"esclientleg","log.origin":{"file.line":38,"file.name":"transport/logging.go"},"address":"192.168.0.125:9200","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-07-21T10:31:23.245+0800","message":"Failed to connect to backoff(elasticsearch(https://192.168.0.125:9200)): Get \"https://192.168.0.125:9200\": x509: certificate signed by unknown authority","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.origin":{"file.line":148,"file.name":"pipeline/client_worker.go"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"publisher_pipeline_output","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-21T10:31:23.245+0800","message":"Attempting to reconnect to backoff(elasticsearch(https://192.168.0.125:9200)) with 7 reconnect attempt(s)","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"publisher_pipeline_output","log.origin":{"file.line":139,"file.name":"pipeline/client_worker.go"},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-07-21T10:31:23.254+0800","message":"Error dialing x509: certificate signed by unknown authority","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.logger":"esclientleg","log.origin":{"file.line":38,"file.name":"transport/logging.go"},"service.name":"metricbeat","network":"tcp","address":"192.168.0.125:9200","ecs.version":"1.6.0","ecs.version":"1.6.0"}
```

jsbaeta10 commented 7 months ago

But in my case I use Elastic Cloud; the certs there are valid certs. Any ideas, please?

jsbaeta10 commented 7 months ago

In addition, I install a manifest daemon on Kubernetes (AWS).