x509: certificate signed by unknown authority about elastic-stack-docker-part-two HOT 13 OPEN

just my two cents, if you start the docker-compose project, and you've made an error in your cert config:

• without having to completely remove all your containers,
• you can prune the affected volumes,
• edit your cert related actions in the docker-compose yml
• restart the cluster

from elastic-stack-docker-part-two.

Yeah I was fooled by the indentation in the yaml example for Advanced YAML configuration from Getting started with the Elastic Stack and Docker Compose: Part 2.

ssl:
certificate_authorities:
- |

Should be:

ssl:
  certificate_authorities:
    - |

from elastic-stack-docker-part-two.

Thank you for this great tutorial!
I did not get this working using the suggested method.

I did get it working by directly pointing to the certificate in the YAML config:
ssl.certificate_authorities: ["/certs/ca/ca.crt"]

from elastic-stack-docker-part-two.

Since this was asked directly to me: I did this in the user interface.

from elastic-stack-docker-part-two.

Disregard this issue. In the end it DID turn out to be a formatting error in the certificate yml.

from elastic-stack-docker-part-two.

thanks @olitooni and @ehogeweg!

For any future people following the guide:
Another error source for me were old certs. So, I also removed all es-cluster prefixed docker volumes like es-cluster_certs.

from elastic-stack-docker-part-two.

Yeah I was fooled by the indentation in the yaml example for Advanced YAML configuration from Getting started with the Elastic Stack and Docker Compose: Part 2.

ssl:
certificate_authorities:
- |

Should be:

ssl:
  certificate_authorities:
     - |

Hi Are you sure there must be 5 spaces for the "- |" ?

from elastic-stack-docker-part-two.

Yeah I was fooled by the indentation in the yaml example for Advanced YAML configuration from Getting started with the Elastic Stack and Docker Compose: Part 2.

ssl:
certificate_authorities:
- |

Should be:

ssl:
  certificate_authorities:
     - |

Hi Are you sure there must be 5 spaces for the "- |" ?

Ah sorry. Corrected with another error. Fixed it now.

from elastic-stack-docker-part-two.

thanks @olitooni and @ehogeweg!

For any future people following the guide: Another error source for me were old certs. So, I also removed all es-cluster prefixed docker volumes like es-cluster_certs.

Do I just need to remove the variable "COMPOSE_PROJECT_NAME"? Can you please elaborate a little more on how the prefix affects the certs? Sorry, but for me is not quite clear what you want to transmit

from elastic-stack-docker-part-two.

When settings things up, docker creates volumes for the certs. However, when you mess up and have to create new certificates you first have to remove the old certs volumes otherwise you keep using the old ones and no new ones are generated.

from elastic-stack-docker-part-two.

When settings things up, docker creates volumes for the certs. However, when you mess up and have to create new certificates you first have to remove the old certs volumes otherwise you keep using the old ones and no new ones are generated.

Oh I see. That's why the Fleet Server never "integrates" into Kibana because the ca.crt is not "updated". Thanks!

from elastic-stack-docker-part-two.

ssl.certificate_authorities: ["/certs/ca/ca.crt"]

Very nice!!!

from elastic-stack-docker-part-two.

I am using this setup with STACK_VERSION=8.15.0 and I was getting this error in the logs of the fleet-server:
"message":"no CA certificate matching the fingerprint","component":

To fix this I followed what was discussed here: https://discuss.elastic.co/t/elastic-agent-ca-trusted-fingerprint-does-not-working-but-the-certificate-works/362239/3

The output edit fields that worked to resolve that error:

from elastic-stack-docker-part-two.