elastic / fleet-server

The Fleet server allows managing a fleet of Elastic Agents.

Airgap Artifact Registry - Use CA file for validation #2550

Open defensivedepth opened 1 year ago

defensivedepth commented 1 year ago

Attempting to use the Airgap Artifact Registry for binary downloads (https://www.elastic.co/guide/en/fleet/current/air-gapped.html#host-artifact-registry).

The self-hosted HTTPS server is using a self-signed cert / internal CA. When I attempt to upgrade a client, I get the following error:

[root@r temp]# elastic-agent upgrade 8.7.0
Error: Failed trigger upgrade of daemon: failed upgrade of agent binary: 2 errors occurred:
    * package '/opt/Elastic/Agent/data/elastic-agent-913c02/downloads/elastic-agent-8.7.0-linux-x86_64.tar.gz' not found: open /opt/Elastic/Agent/data/elastic-agent-913c02/downloads/elastic-agent-8.7.0-linux-x86_64.tar.gz: no such file or directory
    * fetching package failed: Get "https://x.x.x.x/artifacts/beats/elastic-agent/elastic-agent-8.7.0-linux-x86_64.tar.gz":
    *  x509: certificate signed by unknown authority

There does not appear to be a way to point to a CA file to validate the self-signed cert.

Feature request would be the option to point to a CA file for validation of self-signed certs, just like it is done for Fleet Outputs.

defensivedepth commented 2 months ago

Anything we can do on this to move it forward?