Saving Agent Policy fails with "Cannot read existing Message Signing Key pair" #176528
Comments
I attempted to use the workaround listed in this issue. Following steps were completed successfully
From another incognito window the following ran successfully
The following step resulted in an error message
Message response
After running all the workaround steps, the same "Message Signing Key" error occurred when adding integrations
Pinging @elastic/fleet (Team:Fleet)
This sounds quite similar to [removed]. @juliaElastic wrote an extensive KB article about this particular error message here, I'll paste the contents. This looks like potentially another instance where ECK is involved and there was potentially some kind of implicit key rotation that occurred during installation or upgrade. [removed] has some more details.
Thank you for responding. I'm getting "Page not Found" for both of the GitHub links. The article at support.elastic.co requires an elastic account, which I do not have.
Ah apologies I have linked to some private repos - I mistook this for an internal support ticket. Sorry about that. I'll paste the knowledge base article below so it's not behind a login.
Issue Description
We have a documented process of rotating kibana SO encryption key: https://www.elastic.co/guide/en/kibana/current/saved-objects-api-rotate-encryption-key.html
This can be observed by querying that the
Environment
Self-managed deployment.
Cause
Kibana can only decrypt saved objects if the original encryption key is available.
Workaround
NOTE: Before starting this workaround, check if tamper protection is enabled on the Agent policy and whether Elastic Defend integration is used. Check out this guide for more info.
If the original uninstall tokens are not available, raise a support ticket, the security team can help uninstall the affected Endpoints
Resolution
To prevent the issue, follow the guide of key rotation instead of manually changing the
If the
References
Guide to rotate encryption key: https://www.elastic.co/guide/en/kibana/current/saved-objects-api-rotate-encryption-key.html
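The cause stated in the article above (an encrypted attribute is only readable while the key that encrypted it is still available) can be reproduced with a small model. This is an added example, not code from this thread or from Kibana: the AES-256-GCM layout, the SHA-256 key derivation, the function names and all key strings are assumptions made for illustration. It shows the failure after a plain key swap, the read succeeding when the old key is kept as a decryption-only key, and re-encryption under the new key.

```javascript
// Simplified model, not Kibana source: AES-256-GCM with a key hashed from the
// configured string. All key strings and the plaintext below are constructed.
const nodeCrypto = require('crypto');

const deriveKey = (secret) =>
  nodeCrypto.createHash('sha256').update(secret).digest(); // 32-byte AES key

function encryptAttr(plaintext, secret) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(secret), iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Try the primary key first, then each decryption-only key in order.
function decryptAttr(blob, primary, decryptionOnly = []) {
  const raw = Buffer.from(blob, 'base64');
  const [iv, tag, ct] = [raw.subarray(0, 12), raw.subarray(12, 28), raw.subarray(28)];
  for (const secret of [primary, ...decryptionOnly]) {
    try {
      const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(secret), iv);
      d.setAuthTag(tag);
      return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
    } catch (err) {
      // GCM tag check failed: this key did not encrypt the blob, try the next.
    }
  }
  throw new Error('no configured key can decrypt this attribute');
}

// Rotation: read with any known key, write back under the primary key only.
function rotateAttr(blob, primary, decryptionOnly) {
  return encryptAttr(decryptAttr(blob, primary, decryptionOnly), primary);
}

function demo() {
  const oldKey = 'constructed-old-encryption-key-000000';
  const newKey = 'constructed-new-encryption-key-111111';
  const stored = encryptAttr('constructed-signing-passphrase', oldKey);
  let failsAfterSwap = false;
  try { decryptAttr(stored, newKey); } catch (err) { failsAfterSwap = true; }
  const readable = decryptAttr(stored, newKey, [oldKey]);
  const rotated = rotateAttr(stored, newKey, [oldKey]);
  return { failsAfterSwap, readable, afterRotation: decryptAttr(rotated, newKey) };
}

console.log(demo());
```

Once every stored attribute has been re-encrypted this way, the old key is no longer needed for reads.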
Thank you! The problem has gone away.
Kibana version:
8.12.0
Elasticsearch version:
8.12.0
Server OS version:
Ubuntu 20.04.6 LTS
Browser version:
Google Chrome 121.0.6167.160
Browser OS version:
Ubuntu 20.04.6 LTS
Original install method (e.g. download page, yum, from source, etc.):
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html
ECK Deployment. Created CRDs, Operator, Elasticsearch and Kibana from the web page instructions
Describe the bug:
When adding a Prometheus Integration and hitting "Save and continue", the save fails.
"Configuration Error" "Cannot read existing Message Signing Key pair"
I see a new Agent Policy in the Fleet UI, but it doesn't have any integrations.
Steps to reproduce:
Expected behavior:
New Prometheus integration is created
Screenshots (if relevant):
Forbidden by company policy
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context:
Originally I couldn't see the list of integrations, Kibana could not connect to the public elastic package registry. I am using docker to run the Elastic Package registry inside our lab. With this change, I was able to reach the EPR and see the packages
Steps followed
https://www.elastic.co/guide/en/fleet/8.12/air-gapped.html#air-gapped-diy-epr
kibana.yaml change