When using `./elastic-agent container`, `FLEET_CA` setting doesn't work if also `FLEET_SERVER_ENABLE` is set (tested on `7.13.0`):

```
2021-06-17T15:09:27.327Z INFO [api] api/server.go:66 Stats endpoint (/usr/share/elastic-agent/state/data/tmp/elastic-agent.sock) finished: accept unix /usr/share/elastic-agent/state/data/tmp/elastic-agent.sock: use of closed network connection
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
```

I think it's because `FLEET_CA` is only taken into account when Fleet Server is disabled:

`beats/x-pack/elastic-agent/pkg/agent/cmd/container.go`, Line 339 in 054e224:

```go
if cfg.FleetServer.Enable {
```

The workaround I've used to overcome that was to copy CA to `/etc/pki/ca-trust/source/anchors/` and run `update-ca-trust`, but I feel this shouldn't be necessary.