Background

ECK is deployed with Helm on a self-hosted Kubernetes cluster. ECK uses its own self-signed certificates to encrypt traffic between the stack's services.

Error message

{"log.level":"error","@timestamp":"2025-12-18T08:10:53.731Z","message":"Error dialing x509: certificate signed by unknown authority","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"service.name":"metricbeat","server.address":"elasticsearch-es-http.elastic-stack.svc:9200","ecs.version":"1.6.0","log.origin":{"file.line":39,"file.name":"transport/logging.go","function":"github.com/elastic/elastic-agent-libs/transport/httpcommon.(*HTTPTransportSettings).RoundTripper.LoggingDialer.func2"},"network.transport":"tcp","log.logger":"elasticsearch.esclientleg","ecs.version":"1.6.0"}

Solution

# Extract the ES CA certificate
kubectl -n elastic-stack get secrets elasticsearch-es-http-ca-internal -o json | jq -r '.data."tls.crt"' | base64 -d > ecki.crt

# Get its SHA256 fingerprint (colons removed)
openssl x509 -in ecki.crt -noout -fingerprint -sha256 | awk -F'=' '{print $2}' | tr -d ':'
D195016D2FEB558D2DD08CDCA3D98E1C5B932F3361F7342235FC11654308F178
# Record this SHA256 fingerprint; it goes into the Helm values below
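The two commands above reduce to one operation: base64-decode the PEM body of the CA certificate to its DER bytes and take their SHA-256 digest. The script below is an added example, not part of the original post or of ECK, that reproduces that step in Python and then checks a presented certificate chain against the pinned value, which is the kind of check `ca_trusted_fingerprint` enables on the agent side. The secret JSON and the certificate bytes are constructed stand-ins (not a real ECK certificate), so the fingerprint they yield is not the one recorded above; the secret shape, key name and namespace are copied from the commands in this post.

```python
"""Added example: compute the CA fingerprint the way `openssl x509 -fingerprint
-sha256` does, and check a certificate chain against a pinned fingerprint.
All certificate bytes and the secret document below are constructed."""
import base64
import hashlib
import json
import re

# Constructed stand-in for the DER payload of a CA certificate (not real ASN.1).
FAKE_CA_DER = b"constructed-stand-in-for-a-DER-encoded-CA-certificate"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of the first CERTIFICATE block and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def ca_from_secret(secret_json: str, key: str = "tls.crt") -> str:
    """Same as: kubectl get secret -o json | jq -r '.data."tls.crt"' | base64 -d"""
    data = json.loads(secret_json)["data"][key]
    return base64.b64decode(data).decode("ascii")


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, the encoding used in Elastic's fingerprint fields."""
    return hashlib.sha256(data).hexdigest().upper()


def openssl_style_fingerprint(pem: str) -> str:
    """What `openssl x509 -noout -fingerprint -sha256` prints after the '='."""
    digest = sha256_hex(pem_to_der(pem))
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ca_trusted_fingerprint(pem: str) -> str:
    """Colon-free form expected by xpack.fleet.outputs[].ca_trusted_fingerprint."""
    return openssl_style_fingerprint(pem).replace(":", "")


def normalise(fingerprint: str) -> str:
    """Accept either the openssl form or the colon-free form, any case."""
    return fingerprint.replace(":", "").strip().upper()


def chain_matches_pin(chain_pems: list, pinned: str) -> bool:
    """True when some certificate in the presented chain hashes to the pinned value.
    A chain issued by a different (unknown or rotated) CA yields False."""
    want = normalise(pinned)
    return any(ca_trusted_fingerprint(p) == want for p in chain_pems)


# Constructed Secret in the shape `kubectl get secret ... -o json` returns.
FAKE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "elasticsearch-es-http-ca-internal", "namespace": "elastic-stack"},
    "data": {"tls.crt": base64.b64encode(der_to_pem(FAKE_CA_DER).encode()).decode()},
})

if __name__ == "__main__":
    ca_pem = ca_from_secret(FAKE_SECRET_JSON)
    pin = ca_trusted_fingerprint(ca_pem)
    print("openssl form :", openssl_style_fingerprint(ca_pem))
    print("kibana form  :", pin)
    other_ca = der_to_pem(b"constructed-stand-in-for-some-other-CA")
    print("own CA       :", chain_matches_pin([ca_pem], pin))
    print("other CA     :", chain_matches_pin([other_ca], pin))
```

The pin is tied to one specific CA certificate, so if the CA is ever reissued the value in the Helm values file has to be regenerated, otherwise the agents fail with the same "certificate signed by unknown authority" error until it is.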

Edit the Helm values file

1. Comment out xpack.fleet.agents.elasticsearch.hosts
2. Add the xpack.fleet.outputs section

eck-kibana:
  enabled: true
  fullnameOverride: kibana
  elasticsearchRef:
    name: elasticsearch
  config:
    #xpack.fleet.agents.elasticsearch.hosts: ["https://elasticsearch-es-http.elastic-stack.svc:9200"]
    xpack.fleet.agents.fleet_server.hosts: ["https://fleet-server-agent-http.elastic-stack.svc:8220"]
    xpack.fleet.outputs:
      - id: fleet-default-output
        name: Default
        type: elasticsearch
        hosts: ["https://elasticsearch-es-http.elastic-stack.svc:9200"]
        # openssl x509 -fingerprint -sha256 -noout -in tls/kibana/elasticsearch-ca.pem (colons removed)
        ca_trusted_fingerprint: D195016D2FEB558D2DD08CDCA3D98E1C5B932F3361F7342235FC11654308F178
        is_default: true
        is_default_monitoring: true

Upgrade elastic-stack

helm upgrade eck-stack-with-fleet elastic/eck-stack  \
	--create-namespace \
	-n elastic-stack \
	-f fleet-agents.yaml

Reference: https://discuss.elastic.co/t/error-dialing-x509-certificate-signed-by-unknown-authority-kubernetes-integration/370859/8