Pinging @elastic/ingest-management (Team:Ingest Management)
@nchaulet Added you as the owner of this feature.
@nchaulet We might not have a complete design ready for that feature in this iteration; let's collaborate with @hbharding to see how we can implement it before having the complete design.
I ran into this when trying to set up against the APM Integration Test env which uses self-signed certs and runs a fully-generated/simulated environment in Docker containers.
To get it to enroll I had to add the --insecure flag, and to get it to run I had to add a line to the generated action_store.yml file:
    outputs:
      default:
        api_key: 7_uoA.....
        hosts:
          - https://elasticsearch:9200
        type: elasticsearch
        ssl.certificate_authorities: ["/home/jamie/Projects/GitRepo/apm-integration-testing/scripts/tls/ca/ca.crt"]
I also had to add an entry to my /etc/hosts to alias elasticsearch because I was running agent outside the docker network, so a way to do something like --insecure when running would be helpful.
Updating the action_store.yml did not seem to allow the elastic-agent to connect to ElasticSearch. I seem to see errors now at least:
I have this for the output:
    outputs:
      default:
        api_key: Iu...
        hosts:
          - https://192.168.4.79:9200
          - https://192.168.5.67:9200
          - https://192.168.6.114:9200
        type: elasticsearch
        ssl.certificate_authorities: ["C:\\Program Files\\elastic-agent-7.9.0-windows-x86_64\\ca.crt"]
    revision: 2
Ha, I stand corrected! I put the wrong CA in, after putting the right CA in, we are good!
Let me ask you something: what about the elastic endpoint? Is it sending correctly? Because following your instructions I could not make it work, as we get the same certificate problem. Looks like the elastic endpoint is trying to send directly to elasticsearch without the certificate.
That is correct @francescouk, the elastic endpoint doesn't appear to connect to ElasticSearch.
As mentioned in https://discuss.elastic.co/t/ingest-management-use-insecure-elasticsearch-output-managed-in-fleet-mode-for-elastic-agent/246022/10?u=lanopop, please don't forget to build in some kind of fail-safe for whenever a certificate expires (this can be a CA certificate or a client certificate). We already had this happen to us: the CA certificate expired and therefore all the endpoints didn't connect to the manager anymore, and we had to manually reconfigure all of them to connect again.
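A pre-flight check for the two failure modes raised in this thread, a CA file that did not issue the Elasticsearch certificate and a certificate close to expiry, added here as an example (not code from Elastic or from any commenter). The function names, the constructed demo PKI and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example: check a CA file before it goes into ssl.certificate_authorities.
# Usage (assumed script name): sh check_ca.sh CA_FILE SERVER_CERT [DAYS]

# ca_issued_cert CA_FILE CERT_FILE
# Succeeds only if CERT_FILE chains to CA_FILE (catches a "wrong CA" mistake).
ca_issued_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# expires_within CERT_FILE DAYS
# Succeeds if CERT_FILE will no longer be valid DAYS days from now.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# make_demo_pki DIR
# Constructed sample data: two unrelated self-signed CAs (valid 30 days) and
# one server certificate (valid 10 days) issued by the "right" CA.
make_demo_pki() {
    d=$1
    for ca in right wrong; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=demo $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=elasticsearch" \
        -keyout "$d/es.key" -out "$d/es.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/es.csr" -days 10 -CA "$d/right-ca.crt" \
        -CAkey "$d/right-ca.key" -CAcreateserial -out "$d/es.crt" 2>/dev/null
}

# Command-line entry point: runs only when a CA file and a certificate are given.
if [ "$#" -ge 2 ]; then
    days=${3:-30}
    if ! ca_issued_cert "$1" "$2"; then
        echo "FAIL: $2 does not chain to $1" >&2
        exit 1
    fi
    for f in "$1" "$2"; do
        if expires_within "$f" "$days"; then
            echo "WARN: $f expires within $days days" >&2
            exit 2
        fi
    done
    echo "OK: $2 chains to $1 and neither expires within $days days"
fi
```

The server certificate to test can be saved with `openssl s_client -connect HOST:9200 </dev/null | openssl x509 -out es.crt`; running the check on a schedule gives early warning before an expiring CA cuts agents off.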
I am also having this or a very similar issue. I install and enroll elastic-agent using the --insecure mode but no data appears in datasets (presumably because there's a certificate error connecting to ES I can't see). Is there a way to change the fleet config to not verify the SSL?
I think I'm having a similar issue. I've set up Elasticsearch, Kibana, and now Elastic Agent using a self-signed certificate. While getting Elastic Agent working I was getting the error that the certificate was signed by an unknown authority when I tried to add the agent to ingest manager. I modified the Elastic Agent fleet.yml to change protocol: http to protocol: https and include the line certificate_authorities: ["/etc/elastic-agent/ca.pem"] under the section ssl, which allowed Elastic Agent to connect to Kibana and enroll (it wasn't successfully enrolling previously). Now that it's connected, the logs are not being sent. Not sure how to also encrypt/send the log data.
Don't set the insecure flag or edit the yaml, just put your ca.pem into your client's truststore by copying it to /etc/ssl/certs/ then run update-ca-trust or update-ca-certificates (distro-dependent).
I did what you said. Works, thank you. I have Elasticsearch, Kibana, and Agent running encrypted, all using the same cert on one Ubuntu machine; will try networking with Windows next.
I have tested it now on Windows, it works.
You also need to import the certificate as a root trusted certificate.