[self-managed Fleet Server install] insecure flag not taking effect

[kvv2021]

When using the --insecure flag the elastic agent (7.13.2) ignores it.

I am trying to install this agent as a fleet server.

Tested on CentOS 7 and Windows 10.

Here is the command directly from Kibana (7.13.2) but I also added the insecure flag.

sudo ./elastic-agent install -f --fleet-server-es=https://IP:9200 --fleet-server-service-token=TOKENHERE --insecure

Here is the log that came back:

2021-07-14T02:59:07.456Z	INFO	cmd/enroll_cmd.go:648	Fleet Server - Error - x509: cannot validate certificate for 192.168.1.155 because it doesn't contain any IP SANs

• Steps to Reproduce:

sudo ./elastic-agent install -f --fleet-server-es=https://IP:9200 --fleet-server-service-token=TOKENHERE --insecure

I have tested this on Agent version 7.13.0, 7.13.2 and 7.13.3.

[kvv2021]

From what I can tell the insecure flag is for ES over HTTP. I have attempted to use the CA as well with the same error.

sudo ./elastic-agent install -f --fleet-server-es=https://IP:9200 --fleet-server-service-token=TOKENHERE --fleet-server-es-ca=theCA.crt

I have attempted this on Windows 10 as well and it returns back this:

Error: fail to enroll: fail to execute request to fleet-server: 1 error occurred:
	* missing enrollment api key

[almico]

Same here.
We are unable to install the Agent as the Fleet Server, thus the whole infrastructure is unusable.

[GeetikaGopi]

Same here, any potential fix for this?

[bertol83]

@GeetikaGopi are you using 7.13.x? Did you try with 7.14.0?

[EricDavisX]

I wanted to apologize for the delay in response and for the trouble being had. We're aware of a few bugs over the last few versions that are being fixed as fast as we can. It can be time consuming to review the nuances of each environment and usage.

I can open the dialog by asking if you *have to use the --insecure flag at present for any testing you're doing? 7.13.x is not a GA version, and we're excited that 7.14.x (GA supported and its first patch release shipped just now) seems to work much better. The documentation for when to use a given flag when installing a Fleet Server vs when to use it when installing an Agent (to connect to an existing Fleet Server) are challenging words to get laid out for everyone to understand.

[bertol83]

No, we tested it with and without that flag, then we tried passing the CA with the flag --fleet-server-es-ca as well, but not luck so far.
I can test it with 7.14.0.

[massifazio]

Hello,

do we have an update on this one?

Regards

[bertol83]

there is a bug.
We were able to install it with 7.14 using the auto-generated node cert (which works only for 127.0.0.1).
If you have to change the IP, you can do in a second step from kibana.

[massifazio]

thank you for letting me know. I will inform the customer that this needs a fix

[EricDavisX]

We are now tracking this in 2 places, a little harder to coordinate - but Michal was follow up in the linked SDH, I have assigned him here. We can discuss (a potential fix) after we've researched / reviewed more.

Just for sake of possible quicker response, Michal had asked in the SDH:
do they have a hostname available for ES deployment?
when connecting to ES using IP, IP SAN from cert is used instead of hostname defined in CN for validation (this is not behavior of the agent but the runtime itself)

They need to generate cert with CN set to hostname/domain and IP addresses in their alternative names or connect to ES using hostname and this should not require SAN in cert

[pedrosk]

@jsoriano Replicated both with 7.14.0 and 7.14.1 with elasticsearch self generated certs

elastic-agent-7.14.1-linux-x86_64$ sudo ./elastic-agent install -f --fleet-server-es=https://xxx.xxx.xxx.xxx:9200 --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2MzEyMTIxNTAzODE6Qk92VjYxd0dRaE9faWRiOUk3a1hoQQ 
sudo: unable to resolve host node1
2021-09-09T20:02:06.520Z	INFO	cmd/enroll_cmd.go:336	Generating self-signed certificate for Fleet Server
2021-09-09T20:02:08.004Z	INFO	cmd/enroll_cmd.go:683	Fleet Server - Starting
2021-09-09T20:02:09.006Z	INFO	cmd/enroll_cmd.go:683	Fleet Server - Error - x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANs

[michalpristas]

do we know how CN and SANs are set when generating self signed cert?
in case CN=* and SAN is empty and fleet-server-es specified by URI not the hostname it will unfortunately fail.
this is not the cert agent generated for fleet server but the one generated for ES if i understand this correctly and error is coming from Fleet Server to ES communication

[bertol83]

I think the self signed cert is generated with 127.0.0.1 as CN.
Running the following command i was able to install it:
sudo ./elastic-agent install -f --fleet-server-es=https://127.0.0.1:9200 --fleet-server-service-token=TOKEN_FROM_KIBANA --fleet-server-policy=POLICY_ID_FROM_KIBANA -i --fleet-server-es-ca=/path/ca.pem

[blakerouse]

This is a duplicate of elastic/beats#27969 as it's ultimately an issue with Elastic Agent. Closing as I have a PR up for the other issue.

[EricDavisX]

we can leave this closed as a dupe - note it did not make the cut for 7.15 in the end, we are re-doing the fix and will merge it back (to 7.15.x) as possible.