Docs for --fleet-server-es-insecure (elastic#1159)
michalpristas committed Oct 20, 2021
1 parent dcf869b commit 8f09879
Showing 2 changed files with 29 additions and 0 deletions.
16 changes: 16 additions & 0 deletions docs/en/ingest-management/commands.asciidoc
Expand Up @@ -91,6 +91,7 @@ elastic-agent enroll --fleet-server-es <string>
[--force]
[--help]
[--url <string>] <2>
[--fleet-server-es-insecure ] <3>
[global-flags]
----
<1> If no `fleet-server-cert*` flags are specified, {agent} auto-generates a
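
Review bot: the added synopsis line `[--fleet-server-es-insecure ] <3>` has a stray space before the closing bracket, while the other valueless flags in this block are written `[--force]` and `[--help]`. Suggest `[--fleet-server-es-insecure] <3>` so the synopsis does not read as if the flag takes an argument.
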
Expand All @@ -100,6 +101,7 @@ the `--insecure` flag.
<2> Required when enrolling in a {fleet-server} with custom certificates. The
URL must match the DNS name used to generate the certificate specified by
`--fleet-server-cert`.
<3> Required when using self-signed certificate on {es} side.

For more information about custom certificates, refer to <<secure-connections>>.

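Review bot: callout <3> describes the flag as "Required when using self-signed certificate on {es} side", which presents switching off verification as a prerequisite and never says what the flag does. Suggest wording that names the effect, for example "Disables verification of the {es} certificate; use only when the certificate cannot be verified, such as a self-signed certificate", which also fixes the missing article in "using self-signed certificate".
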
Expand Down Expand Up @@ -133,6 +135,18 @@ specified {es} URL.
`--fleet-server-es-ca <string>`::
Path to certificate authority to use to communicate with {es}.

`--fleet-server-es-insecure`::
Allows fleet server to connect to {es} in the following situations:
+
--
* When connecting to an HTTP server.
* When connecting to an HTTPs server and the certificate chain cannot be
verified. The content is encrypted, but the certificate is not verified.
* When using self-signed certificates.
--
+
When this flag is used the certificate verification is disabled.

`--fleet-server-host <string>`::
{fleet-server} HTTP binding host (overrides the policy).

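Review bot: the security consequence appears only in the closing sentence ("When this flag is used the certificate verification is disabled") and carries no caution, so a reader skimming the list sees three situations the flag "allows" before learning that {fleet-server} stops verifying who it is talking to. Suggest leading with that sentence, adding that this is not recommended in production, and pointing to `--fleet-server-es-ca` (documented directly above) as the option to try first. Smaller points: "HTTPs" should be "HTTPS", "fleet server" should use the `{fleet-server}` attribute as the neighbouring entries do, and the third bullet (self-signed certificates) is a case of the second (certificate chain cannot be verified).
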
Expand Down Expand Up @@ -381,6 +395,7 @@ elastic-agent install --fleet-server-es <string>
[--force]
[--help]
[--url <string>] <2>
[--fleet-server-es-insecure ] <3>
[global-flags]
----
<1> If no `fleet-server-cert*` flags are specified, {agent} auto-generates a
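
Review bot: `[--fleet-server-es-insecure ] <3>` in the install synopsis carries a space inside the brackets, unlike `[--force]` and `[--help]` above it. Drop the space here as well as in the enroll synopsis so both read `[--fleet-server-es-insecure] <3>`.
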
Expand All @@ -390,6 +405,7 @@ the `--insecure` flag.
<2> Required when enrolling in a {fleet-server} with custom certificates. The
URL must match the DNS name used to generate the certificate specified by
`--fleet-server-cert`.
<3> Required when using self-signed certificate on {es} side.

For more information about custom certificates, refer to <<secure-connections>>.

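Review bot: callout <3> in the install section repeats "Required when using self-signed certificate on {es} side" without stating that the flag disables certificate verification. Whatever wording is settled on for the enroll callout should be used here too, so the two sections do not drift apart.
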
13 changes: 13 additions & 0 deletions docs/en/ingest-management/troubleshooting/troubleshooting.asciidoc
Expand Up @@ -122,6 +122,19 @@ things running for development, but not recommended in a production environment.

For more information, refer to <<secure-connections>>.

[discrete]
[[es-enrollment-certs]]
== {agent} enrollment fails on the host with `x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs` message

To ensure that communication with {es} is encrypted,
{fleet-server} requires {es} to present a signed certificate.

This error occurs when you use self-signed certificates with {es} using IP as a Common Name (CN).
With IP as a CN, {fleet-server} looks into subject alternative names (SANs), which is empty. To work
around this situation, use the `--fleet-server-es-insecure` flag to disable certificate verification.

You will also need to set `ssl.verification_mode: none` in the Output settings in {fleet} and {integrations} UI.

[discrete]
[[agent-enrollment-timeout]]
== {agent} enrollment fails on the host with `Client.Timeout exceeded` message
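
Review bot: the new `es-enrollment-certs` entry offers only `--fleet-server-es-insecure` plus `ssl.verification_mode: none` as the way out, and unlike the entry above it (which ends "not recommended in a production environment") it gives no caution that both settings turn certificate verification off. Since the error text itself says the certificate contains no IP SANs, suggest listing the certificate-side fix first (issue the {es} certificate with the IP address in its SANs, or connect using a DNS name the certificate covers) and presenting the flag as a temporary workaround. Wording: "requires {es} to present a signed certificate" would be clearer as a certificate that {fleet-server} can verify, and "subject alternative names (SANs), which is empty" should read "which are empty".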