Open AndersonQ opened 3 months ago
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
@AndersonQ which string is being used in this case? If I run the command you mentioned I get:
openssl x509 -noout -fingerprint -sha256 -in ca-cert.pem
sha256 Fingerprint=CC:69:1A:47:A0:43:78:3A:1A:E0:E4:22:4D:BF:54:D3:45:84:99:5D:C7:6D:B9:96:90:03:6E:70:16:37:18:65
Which contains way more than the actual fingerprint.
Looking at the error it seems the Elastic-Agent passed the value as is and then Fleet Server tried to decode it when connecting to Elasticsearch and then failed because the encoding was not the expected one.
The quickest mitigation seems to be better documenting how to obtain the fingerprint and adding examples of valid inputs. In the Beats SSL configuration we have a shell command that turns the output from openssl into the format we expect. You can look at it here.
I updated the issue with a more complete example.
But that's exactly it: we do not say in the Elastic Agent docs, at least not in the enroll help command, that the sha256 cannot contain the : separator. Also, even though the issue actually happens on the Fleet Server side, the users interact with the Elastic Agent and not Fleet Server; therefore, as we discussed in the team meeting, I believe we should do our best to make things work as long as the user provides a valid input.
Also, most likely the agent itself has the same problem. If it isn't starting fleet-server, the agent itself will likely present the same behaviour. Therefore we can fix it all in a single place, the Elastic Agent.
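The normalization the thread is asking for, as an added example that is not elastic-agent or Fleet Server code: it accepts the forms a user is likely to paste from openssl (the whole "sha256 Fingerprint=..." line, the colon-separated hex, or bare hex in either case), strips the ':' separators that make Go's encoding/hex fail with exactly the error quoted in the issue, checks that the result is a 32-byte SHA-256 digest, and then compares it in constant time against the SHA-256 of the presented CA certificate, which is what the fingerprint is meant to pin. The function names, the error wording and the self-signed test CA are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"log"
	"math/big"
	"strings"
	"time"
)

// NormalizeFingerprint (hypothetical helper, not elastic-agent code) accepts the
// whole "sha256 Fingerprint=AA:BB:..." openssl line, the colon-separated hex, or
// bare hex in either case, and returns the 32 raw digest bytes.
func NormalizeFingerprint(in string) ([]byte, error) {
	s := strings.TrimSpace(in)
	// Keep only what follows the last '=' so the full openssl output line works.
	if i := strings.LastIndex(s, "="); i >= 0 {
		s = s[i+1:]
	}
	// openssl separates bytes with ':'; hex.DecodeString rejects that byte.
	s = strings.ToLower(strings.ReplaceAll(s, ":", ""))
	raw, err := hex.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("ca_trusted_fingerprint is not hex: %w", err)
	}
	if len(raw) != sha256.Size {
		return nil, fmt.Errorf("ca_trusted_fingerprint must be a %d-byte SHA-256 digest, got %d bytes", sha256.Size, len(raw))
	}
	return raw, nil
}

// CertFingerprint is the value openssl prints: SHA-256 over the DER certificate.
func CertFingerprint(cert *x509.Certificate) [sha256.Size]byte {
	return sha256.Sum256(cert.Raw)
}

// OpenSSLStyle renders a digest the way `openssl x509 -fingerprint -sha256` does.
func OpenSSLStyle(fp [sha256.Size]byte) string {
	parts := make([]string, len(fp))
	for i, b := range fp {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return "sha256 Fingerprint=" + strings.Join(parts, ":")
}

// TrustedByFingerprint reports whether the presented CA matches the pinned value.
// A malformed pin is an error rather than a silent mismatch, so the operator sees
// the configuration problem at enroll time instead of an opaque TLS failure.
func TrustedByFingerprint(cert *x509.Certificate, pinned string) (bool, error) {
	want, err := NormalizeFingerprint(pinned)
	if err != nil {
		return false, err
	}
	got := CertFingerprint(cert)
	return subtle.ConstantTimeCompare(got[:], want) == 1, nil
}

// newSelfSignedCA builds a throwaway, constructed CA so the example runs offline.
func newSelfSignedCA() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, err := newSelfSignedCA()
	if err != nil {
		log.Fatal(err)
	}
	line := OpenSSLStyle(CertFingerprint(ca))
	fmt.Println("openssl would print:", line)
	// Decoding the pasted value as-is reproduces the failure quoted in the issue.
	if _, err := hex.DecodeString(strings.TrimPrefix(line, "sha256 Fingerprint=")); err != nil {
		fmt.Println("naive decode:", err)
	}
	ok, err := TrustedByFingerprint(ca, line)
	fmt.Println("normalized match:", ok, "err:", err)
}
```

Doing the normalization once, in the agent, before the value is handed to Fleet Server is the single-place fix the comment above argues for; the length check also catches a truncated paste, which a bare hex decode would accept and then silently fail to match.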
For confirmed bugs, please report:
Version: 8.14.1, main
Operating System: all
Discuss Forum URL: N/A
Steps to Reproduce:
1. Obtain the CA fingerprint using openssl:
openssl x509 -noout -fingerprint -sha256 -in ./elasticsearch-8.14.1/config/certs/http_ca.crt
sha256 Fingerprint=D9:60:EC:9B:BB:3D:EF:7B:17:27:35:CD:57:E2:90:BF:4F:7C:97:8A:3D:82:A8:71:68:63:4F:CB:8B:E6:46:20
D9:60:EC:9B:BB:3D:EF:7B:17:27:35:CD:57:E2:90:BF:4F:7C:97:8A:3D:82:A8:71:68:63:4F:CB:8B:E6:46:20
2. Use the fingerprint obtained using openssl (D9:60:EC:9B:BB:3D:EF:7B:17:27:35:CD:57:E2:90:BF:4F:7C:97:8A:3D:82:A8:71:68:63:4F:CB:8B:E6:46:20) as the value of --fleet-server-es-ca-trusted-fingerprint.
3. The enrollment fails with:
Fleet Server - Error - failed version compatibility check with elasticsearch: decode 'ca_trusted_fingerprint': encoding/hex: invalid byte: U+003A ':'