Configure AutoOps Elastic Agent with a custom SSL certificate
ECK ECE Self-Managed
Elastic Agent might not recognize your SSL certificate if it is signed by a custom or internal Certificate Authority (CA). In this case, Elastic Agent will fail to connect your self-managed cluster to AutoOps and you might encounter an error like the following:

```
... x509: certificate signed by unknown authority ...
```

This error occurs because the machine where you have installed Elastic Agent does not trust your custom or internal CA. To fix this error, follow the steps on this page to configure the agent with your custom SSL certificate.
To configure Elastic Agent with your custom SSL certificate, add the path to your certificate to the elastic-agent.yml policy file on the host machine where the agent is installed.
Complete the following steps:
1. On the host machine, open the `elastic-agent.yml` file. The default location is `/opt/Elastic/Agent/elastic-agent.yml`.

2. In the `elastic-agent.yml` file, locate the `receivers.metricbeatreceiver.metricbeat.modules` section. In this section, there are two modules configured for `autoops_es`, one for metrics and one for templates.

3. Add the `ssl.certificate_authorities` setting to both these modules using one of the following options:

   - Environment variable: We recommend using this method because it's flexible and keeps sensitive paths out of your main configuration.

     Add the following lines to both `autoops_es` modules:

     ```yaml
     ssl.certificate_authorities:
       - ${env:AUTOOPS_CA_CERT}
     ```

     After adding these lines to both modules, make sure the `AUTOOPS_CA_CERT` environment variable is set on the host machine and contains the full path to your certificate file (for example: `/etc/ssl/certs/my_internal_ca.crt`).

   - Hardcoded path: Use this method to specify the path directly. This method is often simpler for fixed or test environments.

     Edit the following lines with the path to your CA and add them to both `autoops_es` modules:

     ```yaml
     ssl.certificate_authorities:
       - "/path/to/your/ca.crt"
     ```

     The following code block shows what your final configuration should look like when you use the hardcoded path method.

     ```yaml
     receivers:
       metricbeatreceiver:
         metricbeat:
           modules:
             # Metrics
             - module: autoops_es
               hosts: ${env:AUTOOPS_ES_URL}
               period: 10s
               metricsets:
                 - cat_shards
                 - cluster_health
                 - cluster_settings
                 - license
                 - node_stats
                 - tasks_management
               # --- ADD THIS LINE ---
               ssl.certificate_authorities:
                 - "/path/to/your/ca.crt"
             # Templates
             - module: autoops_es
               hosts: ${env:AUTOOPS_ES_URL}
               period: 24h
               metricsets:
                 - cat_template
                 - component_template
                 - index_template
               # --- ADD THIS LINE ---
               ssl.certificate_authorities:
                 - "/path/to/your/ca.crt"
     ```

4. Save your changes to the `elastic-agent.yml` file.

5. Restart Elastic Agent so that the new settings can take effect. In most systemd-based Linux environments, you can use the following command to restart the agent:

   ```sh
   sudo systemctl restart elastic-agent
   ```

6. Check the agent logs again to confirm that the error is gone and that Elastic Agent has successfully connected your self-managed cluster to AutoOps.
Note: If you encounter the following error in the agent logs, there might be a formatting issue in the `elastic-agent.yml` file.

```
... can not convert 'object' into 'string' ... ssl.certificate_authorities ...
```

To fix this error, ensure your configuration is correctly formatted. The `ssl.certificate_authorities` setting must be a list (each item indicated by the `-`) containing one or more strings (the respective paths to your certificate files).
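A pre-restart check for the steps and the note above, as an added example that is not part of the original page or Elastic's own tooling: it scans the text of `elastic-agent.yml` line by line and reports any `autoops_es` module where `ssl.certificate_authorities` is missing, is not a list of strings, or resolves to an unset variable or a missing file. The function names `autoops_modules` and `check_config` are hypothetical, and the check assumes the dotted key and block-list layout shown on this page.

```python
# Added example: line-based lint for the layout shown on this page, not a YAML parser.
import os
import re
from itertools import takewhile

KEY = "ssl.certificate_authorities:"
ENV_REF = re.compile(r"^\$\{env:(\w+)\}$")

def autoops_modules(text):
    """Return the body lines of every '- module: autoops_es' block."""
    mods, current, base = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if line.startswith("- module:"):
            current, base = [], indent
            mods.append((line.split(":", 1)[1].strip(), current))
        elif current is not None and indent > base:
            current.append(line)
        else:
            current = None  # dedented past the module: block is over
    return [body for name, body in mods if name == "autoops_es"]

def check_config(text, env=os.environ, exists=os.path.isfile):
    """Return a list of problems; an empty list means both modules look right."""
    blocks, problems = autoops_modules(text), []
    if len(blocks) != 2:
        problems.append(f"expected 2 autoops_es modules, found {len(blocks)}")
    for n, body in enumerate(blocks, 1):
        idx = next((i for i, ln in enumerate(body) if ln.startswith(KEY)), None)
        if idx is None:
            problems.append(f"module {n}: {KEY[:-1]} is missing")
            continue
        inline = body[idx][len(KEY):].strip()
        entries = takewhile(lambda ln: ln.startswith("- "), body[idx + 1:])
        items = [ln[2:].strip().strip("\"'") for ln in entries]
        if inline or not items or any(": " in i or i.endswith(":") for i in items):
            problems.append(f"module {n}: {KEY[:-1]} must be a list of path strings")
            continue
        for item in items:
            ref = ENV_REF.match(item)
            path = env.get(ref.group(1), "") if ref else item
            if ref and not path:
                problems.append(f"module {n}: environment variable {ref.group(1)} is not set")
            elif not exists(path):
                problems.append(f"module {n}: CA file not found: {path}")
    return problems
```

Call `check_config` on the contents of `/opt/Elastic/Agent/elastic-agent.yml` before restarting the agent. A setting written in any layout other than the one shown on this page is reported as a problem, so treat such a report as a prompt to compare against the page rather than as proof of an error.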