From ab8228aea724581db1ba59922448287815cfcfc5 Mon Sep 17 00:00:00 2001 From: Michal Pristas Date: Mon, 18 Oct 2021 14:50:13 +0200 Subject: [PATCH] Docs for --fleet-server-es-insecure (#1159) Docs for --fleet-server-es-insecure (#1159) --- docs/en/ingest-management/commands.asciidoc | 16 ++++++++++++++++ .../troubleshooting/troubleshooting.asciidoc | 13 +++++++++++++ 2 files changed, 29 insertions(+) diff --git a/docs/en/ingest-management/commands.asciidoc b/docs/en/ingest-management/commands.asciidoc index ebadbbf48f..2f48ff926c 100644 --- a/docs/en/ingest-management/commands.asciidoc +++ b/docs/en/ingest-management/commands.asciidoc @@ -131,6 +131,7 @@ elastic-agent enroll --fleet-server-es [--force] [--help] [--url ] <2> + [--fleet-server-es-insecure ] <3> [global-flags] ---- <1> If no `fleet-server-cert*` flags are specified, {agent} auto-generates a @@ -140,6 +141,7 @@ the `--insecure` flag. <2> Required when enrolling in a {fleet-server} with custom certificates. The URL must match the DNS name used to generate the certificate specified by `--fleet-server-cert`. +<3> Required when using self-signed certificate on {es} side. For more information about custom certificates, refer to <>. @@ -173,6 +175,18 @@ specified {es} URL. `--fleet-server-es-ca `:: Path to certificate authority to use to communicate with {es}. +`--fleet-server-es-insecure`:: +Allows fleet server to connect to {es} in the following situations: ++ +-- +* When connecting to an HTTP server. +* When connecting to an HTTPs server and the certificate chain cannot be +verified. The content is encrypted, but the certificate is not verified. +* When using self-signed certificates. +-- ++ +When this flag is used the certificate verification is disabled. + `--fleet-server-host `:: {fleet-server} HTTP binding host (overrides the policy). 
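Review bot: In the `elastic-agent enroll` usage block (hunk at `@@ -131`), the new line reads `[--fleet-server-es-insecure ] <3>` with a space before the closing bracket, as if a value placeholder belonged there; the flag description added further down in this file takes no argument, so the usage should be `[--fleet-server-es-insecure] <3>` to match a boolean flag.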
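Review bot: Callout `<3> Required when using self-signed certificate on {es} side.` (hunk at `@@ -140`) overstates the case and is missing an article: a self-signed {es} certificate can still be verified by passing it with `--fleet-server-es-ca`, which this same file documents, so the flag is not required for that scenario, only when verification is not possible or not wanted. Suggest: `<3> Use only when the {es} certificate cannot be verified, for example a self-signed certificate with no matching --fleet-server-es-ca. Disables certificate verification.`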
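Review bot: The flag description (hunk at `@@ -173`) should state the security consequence first, in the same register as the existing `--insecure` text, instead of leaving `When this flag is used the certificate verification is disabled.` as a trailing afterthought: with verification off, {fleet-server} cannot distinguish the real {es} from any endpoint presenting any certificate, so the connection is encrypted but not authenticated. Suggest moving that sentence to the top, adding that the flag is for development or testing and not recommended in production, and fixing the smaller points: `fleet server` should be the `{fleet-server}` attribute used elsewhere on the page, `HTTPs` should be `HTTPS`, and the third bullet `When using self-signed certificates.` both duplicates the second (a chain that cannot be verified) and conflicts with `--fleet-server-es-ca`, which is the supported way to trust a self-signed certificate.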
@@ -421,6 +435,7 @@ elastic-agent install --fleet-server-es [--force] [--help] [--url ] <2> + [--fleet-server-es-insecure ] <3> [global-flags] ---- <1> If no `fleet-server-cert*` flags are specified, {agent} auto-generates a @@ -430,6 +445,7 @@ the `--insecure` flag. <2> Required when enrolling in a {fleet-server} with custom certificates. The URL must match the DNS name used to generate the certificate specified by `--fleet-server-cert`. +<3> Required when using self-signed certificate on {es} side. For more information about custom certificates, refer to <>. diff --git a/docs/en/ingest-management/troubleshooting/troubleshooting.asciidoc b/docs/en/ingest-management/troubleshooting/troubleshooting.asciidoc index 47113a2009..f392b38cb0 100644 --- a/docs/en/ingest-management/troubleshooting/troubleshooting.asciidoc +++ b/docs/en/ingest-management/troubleshooting/troubleshooting.asciidoc @@ -122,6 +122,19 @@ things running for development, but not recommended in a production environment. For more information, refer to <>. +[discrete] +[[es-enrollment-certs]] +== {agent} enrollment fails on the host with `x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs` message + +To ensure that communication with {es} is encrypted, +{fleet-server} requires {es} to present a signed certificate. + +This error occurs when you use self-signed certificates with {es} using IP as a Common Name (CN). +With IP as a CN, {fleet-server} looks into subject alternative names (SANs), which is empty. To work +around this situation, use the `--fleet-server-es-insecure` flag to disable certificate verification. + +You will also need to set `ssl.verification_mode: none` in the Output settings in {fleet} and {integrations} UI. + [discrete] [[agent-enrollment-timeout]] == {agent} enrollment fails on the host with `Client.Timeout exceeded` message
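Review bot: Same issue as in the `enroll` usage block: `[--fleet-server-es-insecure ] <3>` in the `install` usage (hunk at `@@ -421`) has a space before the closing bracket although the flag takes no value; use `[--fleet-server-es-insecure] <3>`.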
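Review bot: Callout `<3>` in the `install` section (hunk at `@@ -430`) has the same problem as its `enroll` counterpart: `--fleet-server-es-insecure` is not required for self-signed certificates, since `--fleet-server-es-ca` can trust them; reword it to say the flag disables verification and is for certificates that cannot otherwise be verified, and add the missing article (`a self-signed certificate`).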
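Review bot: The troubleshooting entry (hunk at `@@ -122`) offers disabling verification as the only workaround, which removes exactly the protection the entry's own opening sentence says {fleet-server} requires (`To ensure that communication with {es} is encrypted, {fleet-server} requires {es} to present a signed certificate.`). The entry already names the root cause: the certificate carries the IP only in the CN and has no IP SAN, which is what the `x509: cannot validate certificate ... doesn't contain any IP SANs` error reports. The fix that keeps verification is to reissue the {es} certificate with an IP SAN (or a DNS SAN and enroll using that hostname) and supply it via `--fleet-server-es-ca`; suggest presenting that first and keeping `--fleet-server-es-insecure` together with `ssl.verification_mode: none` as a development-only fallback, noting that the output setting also turns off verification for every {agent} that uses that output, not just {fleet-server}. Minor wording: `looks into subject alternative names (SANs), which is empty` should read `which are empty` (or `but the certificate has none`), and the heading could use `<IP address>` instead of the literal `x.x.x.x`.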