Agent stays in 'updating' on self-managed cluster (works when using cloud for stack) #24274
Comments
Pinging @elastic/agent (Team:Agent)
Pinging @elastic/fleet (Team:Fleet)
@ph can we follow up? It may be something we want to fix for 7.12
I want to check if this is actually one of our known issues/duplicates, actually
@liu-xiao-guo hi - @michalpristas was asking you if... the output definition changed to contain cert definition in fleet? In the fleet app there's, under settings, a section called Elasticsearch output configuration; this is the place where the ssl config should be placed. This is then forwarded to the output. If you have some logs it would be of great help. As agent state should not be related to output definition, maybe we see 2 issues here (and we need to log the second one separately)
Is there any place talking about how to set it up in that place? I do not know what should be the correct format for filling it in. I have seen the closest discussion at elastic/kibana#73483. However, I still do not have a clue about its format:
Thank Eric for his help. I followed the issue at elastic/kibana#75913. I got the same error as before. ssl.certificate_authorities: ["C:\beats\ca.crt"]
Error log found at C:\Program Files\Elastic\Agent\elastic-agent.log
In 7.11 we use Go 1.14.12, so Agent and Beats are still lenient when it comes to DNSNames.
If we compile a Go application, it actually runs the binary. It should not be related to runtime environment. There is no Go runtime environment.
@liu-xiao-guo Setting the CA in that YAML block in Kibana is only for elasticsearch output. Based on the logs from the issue description you are having communication issues with Agent talking to Kibana, not Agent talking to elasticsearch (at least it doesn't seem it can even make it that far; you might still have an issue there). So we need to focus on the communication of Agent with Kibana. You cannot set the CA for that from the UI. That can only be set during the
@blakerouse Thanks for your reply. My configuration is like: and my command for connecting kibana is: By the way, I have installed the self-created certificate into Windows according to the article at https://newtonpaul.com/how-to-install-elastic-siem-and-elastic-edr/
Okay I can confirm that this does work with custom CA and certs. I have been able to get Elastic Agent running with self-signed certificates and custom CA. I did hit a few issues that would improve this and need fixing, but nothing stops this from actually working. Going to close this issue as I have it fully working.
Thanks so much @blakerouse. @liu-xiao-guo if you have problems we can research where it isn't documented well enough and add tickets to elastic/observability-docs (if not logged already) to improve it.
@blakerouse I'm doing postmortem review over issues and wanted to ask. @ph @ruflin too, is this a case we can detect better and throw more helpful logs or not? I have it open on my end to check docs to see what can be improved there too.
@EricDavisX It is not something we can really detect from the other side, being that the connection is not being established because something is wrong in the configuration. When I was testing this out, I did a few things wrong and the error messages that either elasticsearch, Kibana, or Elastic Agent returned were rather clear on how it was wrong. We do propagate the lower TLS errors out to log files in the cases that it fails. There is always room for improvement, so maybe I didn't hit a case that wasn't clear. Please file bugs for those so we can provide a good UX in these situations.
This issue on Windows is that the article that is linked, https://newtonpaul.com/how-to-install-elastic-siem-and-elastic-edr/, only installs the certificate in the Current User scope. The certificate needs to be installed for the entire local machine, so that when the Elastic Agent is running as a service (aka. SYSTEM user) it also has access to the CA.
Installation of the certificate on Windows should be done with
Using a self-managed 7.11.1 environment, a fellow Elastician (Xiaoguo Liu) reports he is seeing that the Agent stays in 'updating' and is not sending documents to ES (no logs).
He is using this article as his basis for setup:
https://newtonpaul.com/how-to-install-elastic-siem-and-elastic-edr/
Most notably, the steps include usage of a self-generated certificate for it.
He notes that he tried setting up Elastic on cloud and it worked on his host, so we know the host is ok (or was at one point).
During some slack-based discussion, he notes "I have checked very carefully according to the link https://www.elastic.co/guide/en/fleet/current/fleet-troubleshooting.html. The settings for Elasticsearch and Kibana should be aright."
And is seeing this in the logs on the host:
More details from chat:
Using Windows as the host.
Using the Default policy, and seeing this, before switching it to a policy with Endpoint
The problem happened when I applied to my self managed cluster which ran on my Mac OS machine. I have enabled https for my cluster. In the past, I did it without enabling https, and it was successful. Both Mac and Ubuntu machines are in the same LAN network. They could see each other. I am not sure whether this was due to a self-signed certificate.
==============================
elasticsearch.yml
```yaml
discovery.type: single-node
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]
```
==============================
kibana.yml
```yaml
elasticsearch.hosts: ["https://192.168.0.4:9200"]
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca/ca.crt"]
elasticsearch.ssl.certificate: "/etc/kibana/certs/kibana.crt"
elasticsearch.ssl.key: "/etc/kibana/certs/kibana.key"

# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: "/etc/kibana/certs/kibana.crt"
server.ssl.key: "/etc/kibana/certs/kibana.key"

xpack.fleet.enabled: true
xpack.security.enabled: true
xpack.fleet.agents.tlsCheckDisabled: true
xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters"
elasticsearch.username: "elastic"
elasticsearch.password: "password"
```
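The store-scope problem diagnosed in the comments (CA installed in the Current User scope only, while the Agent service runs as SYSTEM) can be checked with the following read-only PowerShell, an added example that is not part of the original thread. The `Elastic Agent` service name is an assumption; the CA path is the one quoted in the thread.

```powershell
# Added example (not from the thread). Read-only: changes no certificate store.
function Test-CaStoreScope {
    param(
        # CA file path as quoted in the thread; replace with your own CA file.
        [string]$CaPath = 'C:\beats\ca.crt',
        # Assumed Windows service name for Elastic Agent; adjust if yours differs.
        [string]$ServiceName = 'Elastic Agent'
    )

    # Load the CA file to obtain the thumbprint used for store lookups.
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPath

    # Look for the same thumbprint in the Trusted Root store of each scope.
    $found = @{}
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        $hit = Get-ChildItem -Path "Cert:\$scope\Root" |
            Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
        $found[$scope] = [bool]$hit
    }

    # Account the agent service runs under (LocalSystem means SYSTEM).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"

    if ($ca.NotAfter -lt (Get-Date)) {
        $verdict = 'EXPIRED: CA certificate is past its NotAfter date'
    } elseif ($found['LocalMachine']) {
        $verdict = 'OK: CA is trusted machine-wide and visible to services'
    } elseif ($found['CurrentUser']) {
        $verdict = 'MISMATCH: CA is only in the Current User store; a service running as SYSTEM will not trust it'
    } else {
        $verdict = 'MISSING: CA is in neither Trusted Root store'
    }

    [pscustomobject]@{
        Subject        = $ca.Subject
        Thumbprint     = $ca.Thumbprint
        NotAfter       = $ca.NotAfter
        InCurrentUser  = $found['CurrentUser']
        InLocalMachine = $found['LocalMachine']
        ServiceAccount = if ($svc) { $svc.StartName } else { 'service not found' }
        Verdict        = $verdict
    }
}

Test-CaStoreScope | Format-List
```

Run it as the user who imported the CA, because the Current User lookup is per-account.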