
[Elastic-agent] --insecure flag doesn't work as expected #27956

@PengYi-Elastic

Description


Situation:
The Elasticsearch cluster has an expired CA certificate. When trying to enroll to the Fleet Server with the --insecure flag, it failed with x509: certificate has expired or is not yet valid

Command used:
elastic-agent enroll --url=https://xxx.xxx.xxx.xxx:8220 -f --fleet-server-es=https://<es_endpoint>:9200 --fleet-server-service-token=**************** --fleet-server-policy=6efe3360-0548-11ec-8dee-7bc78cad0ec2 --certificate-authorities=/etc/elastic-agent/ca.crt --fleet-server-es-ca=/etc/elastic-agent/ca.crt --fleet-server-cert=/etc/elastic-agent/node.crt --fleet-server-cert-key=/etc/elastic-agent/node.key --insecure

fleet.yml that is generated from the above command:

fleet:
  enabled: true
  access_api_key: ""
  protocol: http
  host: localhost:5601
  timeout: 10m0s
  proxy_disable: true
  reporting:
    threshold: 10000
    check_frequency_sec: 30
  agent:
    id: ""
  server:
    bootstrap: true
    policy:
      id: 6efe3360-0548-11ec-8dee-7bc78cad0ec2
    output:
      elasticsearch:
        protocol: https
        hosts:
        - elastic.cicau.net:9200
        service_token: ****************
        ssl:
          verification_mode: full
          certificate_authorities:
          - /etc/elastic-agent/ca.crt
          renegotiation: never
        proxy_disabled: false
        proxy_headers: {}
    host: 0.0.0.0
    port: 8220
    ssl:
      verification_mode: full
      certificate: /etc/elastic-agent/node.crt
      key: /etc/elastic-agent/node.key
      renegotiation: never

Logs of fleet server and elastic-agent:
fleet-server-json.log
elastic-agent-json.log

I could see the following errors in the logs.

fleet server log

{"log.level":"info","service.name":"fleet-server","status":"FAILED","@timestamp":"2021-09-14T06:21:37.095Z","message":"Error - x509: certificate has expired or is not yet valid: current time 2021-09-14T16:21:37+10:00 is after 2021-02-17T23:52:34Z"}
{"log.level":"error","service.name":"fleet-server","error.message":"x509: certificate has expired or is not yet valid: current time 2021-09-14T16:21:37+10:00 is after 2021-02-17T23:52:34Z","@timestamp":"2021-09-14T06:21:37.095Z","message":"Fleet Server failed"}

elastic-agent log

{"log.level":"error","@timestamp":"2021-09-14T06:21:37.566Z","log.origin":{"file.name":"log/reporter.go","file.line":36},"message":"2021-09-14T16:21:37+10:00 - message: Application: fleet-server--7.14.0[]: State changed to FAILED: Error - x509: certificate has expired or is not yet valid: current time 2021-09-14T16:21:37+10:00 is after 2021-02-17T23:52:34Z - type: 'ERROR' - sub_type: 'FAILED'","ecs.version":"1.6.0"}

It mentions that the certificate has expired or is not yet valid. Since the CA certificate is expired, this should be related to it.

From the official docs, the following is the usage for the --insecure flag:

Allow insecure connections to Fleet Server. This setting is required in the following situations:

When connecting to an HTTP server. The API keys are sent in clear text.
When connecting to an HTTPS server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.

https://www.elastic.co/guide/en/fleet/current/elastic-agent-cmd-options.html

So should it work with the --insecure flag even with an expired CA certificate?
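The fleet.yml above still carries verification_mode: full on both the Fleet Server listener and its Elasticsearch output, and the error text in the logs is the expiry message from Go's crypto/x509 package. The Go program below is an added illustration, not Elastic Agent or Fleet Server code: it constructs a CA that expired a year ago plus a still-valid server certificate signed by it, then runs the check a Go TLS client performs on a server certificate, once verifying against that CA and once with verification skipped (InsecureSkipVerify, the behaviour the --insecure documentation describes). The hostname fleet-server.example, the certificate names and the function names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with parent/parentKey (self-signed when parent is nil) and returns the certificate and its key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ExpiredCASetup constructs a CA that expired a year ago and a still-valid server certificate chained to
// it, the shape described in the report above; every name and date here is made up for the example.
func ExpiredCASetup() (*x509.Certificate, *x509.Certificate) {
	now := time.Now()
	ca, caKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "constructed-expired-ca"}, NotBefore: now.AddDate(-2, 0, 0), NotAfter: now.AddDate(-1, 0, 0)}, nil, nil)
	server, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"fleet-server.example"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0)}, ca, caKey)
	return ca, server
}

// CheckPeer is the decision Go's crypto/tls client makes about a server certificate: with insecure set
// (InsecureSkipVerify) the check is skipped entirely and any certificate is accepted; otherwise, as with
// verification_mode: full, the chain must reach a trusted CA that is valid right now and match host.
func CheckPeer(server, ca *x509.Certificate, host string, insecure bool) error {
	if insecure {
		return nil
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

With insecure=false the returned error carries the same "x509: certificate has expired or is not yet valid" text seen in the logs, because the chain ends at a CA that is outside its validity window; with insecure=true nothing about the peer is checked, so the session is encrypted but the server is not authenticated.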
