From c28e1a3716b480d394b47514ea53cf92121ca67d Mon Sep 17 00:00:00 2001 From: Michel Laterman <82832767+michel-laterman@users.noreply.github.com> Date: Tue, 25 Apr 2023 10:20:55 -0700 Subject: [PATCH] Add fleet-server secret file docs (#148) * Add fleet-server secret file docs * change file suffix to path where applicable, add example * Add k8s secrets guide and env var descriptions * add instructions for ram disks * use k8s agent provider only for apm * windows file permissions acls * change heading name * Add index ref * David's edits * Apply suggestions from code review Co-authored-by: Karen Metts <35154725+karenzone@users.noreply.github.com> * Clarify ram disk description * Update docs/en/ingest-management/fleet/fleet-server-secrets.asciidoc Co-authored-by: Karen Metts <35154725+karenzone@users.noreply.github.com> --------- Co-authored-by: David Kilfoyle Co-authored-by: Karen Metts <35154725+karenzone@users.noreply.github.com> --- .gitignore | 4 +- docs/en/ingest-management/commands.asciidoc | 20 +- .../env/.container-envs.asciidoc.swp | Bin 16384 -> 0 bytes .../configuration/env/container-envs.asciidoc | 4 + .../configuration/env/shared-env.asciidoc | 26 ++ .../fleet/fleet-server-secrets.asciidoc | 264 ++++++++++++++++++ .../fleet/fleet-server.asciidoc | 9 +- docs/en/ingest-management/index.asciidoc | 2 + .../security/.certificates.asciidoc.swp | Bin 28672 -> 0 bytes .../security/certificates.asciidoc | 7 + 10 files changed, 330 insertions(+), 6 deletions(-) delete mode 100644 docs/en/ingest-management/elastic-agent/configuration/env/.container-envs.asciidoc.swp create mode 100644 docs/en/ingest-management/fleet/fleet-server-secrets.asciidoc delete mode 100644 docs/en/ingest-management/security/.certificates.asciidoc.swp diff --git a/.gitignore b/.gitignore index ddb5a776b..61ffb3376 100644 --- a/.gitignore +++ b/.gitignore @@ -12,4 +12,6 @@ html_docs # IDE configuration files .vscode/ -.idea/ \ No newline at end of file +.idea/ + +*.swp 
diff --git a/docs/en/ingest-management/commands.asciidoc b/docs/en/ingest-management/commands.asciidoc index c10a44bcb..7f787ef2e 100644 --- a/docs/en/ingest-management/commands.asciidoc +++ b/docs/en/ingest-management/commands.asciidoc @@ -149,11 +149,13 @@ To enroll the {agent} in {fleet} and set up {fleet-server}: ---- elastic-agent enroll --fleet-server-es --fleet-server-service-token + [--fleet-server-service-token-path ] [--ca-sha256 ] [--certificate-authorities ] [--delay-enroll] [--fleet-server-cert ] <1> [--fleet-server-cert-key ] + [--fleet-server-cert-key-passphrase ] [--fleet-server-es-ca ] [--fleet-server-es-ca-trusted-fingerprint ] <2> [--fleet-server-es-insecure] @@ -164,7 +166,7 @@ elastic-agent enroll --fleet-server-es [--force] [--non-interactive] [--help] - [--tag ] + [--tag ] [--url ] <3> [global-flags] ---- @@ -207,6 +209,9 @@ Certificate to use for exposed {fleet-server} HTTPS endpoint. `--fleet-server-cert-key `:: Private key to use for exposed {fleet-server} HTTPS endpoint. +`--fleet-server-cert-key-passphrase `:: +Path to passphrase file for decrypting {fleet-server}'s private key if an encrypted private key is used. + `--fleet-server-es `:: Start a {fleet-server} process when {agent} is started, and connect to the specified {es} URL. @@ -247,6 +252,11 @@ Used when starting a self-managed {fleet-server} to allow a specific policy to b `--fleet-server-service-token `:: Service token to use for communication with {es}. +Mutually exclusive with `--fleet-server-service-token-path`. + +`--fleet-server-service-token-path `:: +Service token file to use for communication with {es}. +Mutually exclusive with `--fleet-server-service-token`. `--force`:: Force overwrite of current configuration without prompting for confirmation. 
@@ -256,7 +266,7 @@ NOTE: If the {agent} is already installed on the host, using `--force` may result in unpredictable behavior with duplicate {agent}s appearing in {fleet}. `--non-interactive`:: -Install {agent} in a non-interactive mode. This flag is helpful when +Install {agent} in a non-interactive mode. This flag is helpful when using automation software or scripted deployments. If {agent} is already installed on the host, the installation will terminate. @@ -473,7 +483,7 @@ elastic-agent install --url [--non-interactive] [--help] [--insecure ] - [--tag ] + [--tag ] [global-flags] ---- @@ -485,11 +495,13 @@ a `fleet-server` process alongside the `elastic-agent` service: elastic-agent install --fleet-server-es --fleet-server-service-token + [--fleet-server-service-token-path ] [--ca-sha256 ] [--certificate-authorities ] [--delay-enroll] [--fleet-server-cert ] <1> [--fleet-server-cert-key ] + [--fleet-server-cert-key-passphrase ] [--fleet-server-es-ca ] [--fleet-server-es-ca-trusted-fingerprint ] <2> [--fleet-server-host ] @@ -499,7 +511,7 @@ elastic-agent install --fleet-server-es [--force] [--non-interactive] [--help] - [--tag ] + [--tag ] [--url ] <3> [--fleet-server-es-insecure] [global-flags] 
diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/.container-envs.asciidoc.swp b/docs/en/ingest-management/elastic-agent/configuration/env/.container-envs.asciidoc.swp deleted file mode 100644 index b1b545ad3c4f710c773952e2ac8b600cfe98607b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 >. + +NOTE: Stand-alone {fleet-server} is under active development. + +[discrete] +== Secret values + +The following secret values may be used when configuring {fleet-server}. + +Note that the configuration fragments shown below are specified either in the UI as part of the output specification or as part of the {fleet-server} integration settings. 
+ +`service_token`:: +The `service_token` is used to communicate with {es}. ++ +It may be specified in the configuration directly as: ++ +[source,yaml] +---- +output.elasticsearch.service_token: my-service-token +---- ++ +Or by a file with: ++ +[source,yaml] +---- +output.elasticsearch.service_token_path: /path/to/token-file +---- ++ +When you are running {fleet-server} under {agent}, you can specify it with either the `--fleet-server-service-token` or the `--fleet-server-service-token-path` flag. +See <> for more details. ++ +If you are <>, you can use the environment variables `FLEET_SERVER_SERVICE_TOKEN` or `FLEET_SERVER_SERVICE_TOKEN_PATH`. + +TLS private key:: +Use the TLS private key to encrypt communications between {fleet-server} and {agent}. +See <> for more details. ++ +Although it is not recommended, you may specify the private key directly in the configuration as: ++ +[source,yaml] +---- +inputs: + - type: fleet-server + ssl.key: | + ----BEGIN CERTIFICATE---- + .... + ----END CERTIFICATE---- +---- ++ +Alternatively, you can provide the path to the private key with the same attribute: ++ +[source,yaml] +---- +inputs: + - type: fleet-server + ssl.key: /path/to/cert.key +---- ++ +When you are running {fleet-server} under {agent}, you can provide the private key path using with the `--fleet-server-cert-key` flag. +See <> for more details. ++ +If you are <>, you can use the environment variable `FLEET_SERVER_CERT_KEY` to specify the private key path. ++ +TLS private key passphrase:: +The private key passphrase is used to decrypt an encrypted private key file. ++ +You can specify the passphrase as a secret file in the configuration with: ++ +[source,yaml] +---- +inputs: + - type: fleet-server + ssl.key_passphrase_path: /path/to/passphrase +---- ++ +When you are running {fleet-server} under {agent}, you can provide the passphrase path using the `--fleet-server-cert-key-passphrase-path` flag. +See <> for more details. 
++ +If you are <>, you can use the environment variable `FLEET_SERVER_CERT_KEY_PASSPHRASE` to specify the file path. ++ +APM API Key:: +The APM API Key may be used to gather APM data from {fleet-server}. ++ +You can specify it directly in the instrumentation segment of the configuration: ++ +[source,yaml] +---- +inputs: + - type: fleet-server + instrumentation.api_key: my-apm-api-key +---- ++ +Or by a file with: ++ +[source,yaml] +---- +inputs: + - type: fleet-server + instrumentation.api_key_file: /path/to/apmAPIKey +---- ++ +You may specify the API key by value using the environment variable `ELASTIC_APM_API_KEY`. + +APM secret token:: +The APM secret token may be used to gather APM data from {fleet-server}. ++ +You can specify the secret token directly in the instrumentation segment of the configuration: ++ +[source,yaml] +---- +inputs: + - type: fleet-server + instrumentation.secret_token: my-apm-secret-token +---- ++ +Or by a file with: ++ +[source,yaml] +---- +inputs: + - type: fleet-server + instrumentation.secret_token_file: /path/to/apmSecretToken +---- ++ +You may also specify the token by value using the environment variable `ELASTIC_APM_SECRET_TOKEN`. + +[[secret-files-guide]] +== Secret files guide + +This guide provides step-by-step examples with best practices on how to deploy secret files directly on a host or through the Kubernetes secrets engine. + +[[secret-filesystem]] +=== Secrets on filesystem + +Secret files can be provisioned as plain text files directly on filesystems and referenced or passed through {agent}. + +We recommend these steps to improve security. + +==== File permissions + +File permissions should not allow for global read permissions. + +On MacOS and Linux, you can set file ownership and file permissions with the `chown` and `chmod` commands, respectively. 
+{fleet-server} runs as the `root` user on MacOS and Linux, so given a file named `mySecret`, you can alter it with: +[source,sh] +---- +sudo chown root:root mySecret # set the user:group to root +sudo chmod 0600 mySecret # set only the read/write permission flags for the user, clear group and global permissions. +---- + +On Windows, you can use `icacls` to alter the ACL list associated with the file: +[source,powershell] +---- +Write-Output -NoNewline SECRET > mySecret # Create the file mySecret with the contents SECRET +icacls .\mySecret /inheritance:d # Remove inherited permissions from file +icacls .\mySecret /remove:g BUILTIN\Administrators # Remove Administrators group permissions +icacls .\mySecret /remove:g $env:UserName # Remove current user's permissions +---- + +==== Temporary filesystem + +You can use a temporary filesystem (in RAM) to hold secret files in order to improve security. +These types of filesystems are normally not included in backups and are cleared if the host is reset. +If used, the filesystem and secret files need to be reprovisioned with every reset. + +On Linux you can use `mount` with the `tmpfs` filesystem to create a temporary filesystem in RAM: +[source,sh] +---- +mount -o size=1G -t tmpfs none /mnt/fleet-server-secrets +---- + +On MacOS you can use a combination of `diskutil` and `hdiutil` to create a RAM disk: +[source,sh] +---- +diskutil erasevolume HFS+ 'RAM Disk' `hdiutil attach -nobrowse -nomount ram://2097152` +---- + +Windows systems do not offer built-in options to create a RAM disk, but several third party programs are available. 
+ +==== Example + +Here is a step by step guide for provisioning a service token on a Linux system: +[source,sh] +---- +sudo mkdir -p /mnt/fleet-server-secrets +sudo mount -o size=1G -t tmpfs none /mnt/fleet-server-secrets +echo -n MY-SERVICE-TOKEN > /mnt/fleet-server-secrets/service-token +sudo chown root:root /mnt/fleet-server-secrets/service-token +sudo chmod 0600 /mnt/fleet-server-secrets/service-token +---- + +NOTE: The `-n` flag is used with `echo` to prevent a newline character from being appended at the end of the secret. Be sure that the secret file does not contain the trailing newline character. + +=== Secrets in containers + +When you are using secret files directly in containers without using Kubernetes or another secrets management solution, you can pass the files into containers by mounting the file or directory. +Provision the file in the same manner as it is in <> and mount it in read-only mode. For example, when using Docker. + +If you are using {agent} image: +[source,sh] +---- +docker run \ + -v /path/to/creds:/creds:ro \ + -e FLEET_SERVER_CERT_KEY_PASSPHRASE=/creds/passphrase \ + -e FLEET_SERVER_SERVICE_TOKEN_PATH=/creds/service-token \ + --rm docker.elastic.co/beats/elastic-agent +---- + +=== Secrets in Kubernetes + +Kubernetes has a https://kubernetes.io/docs/concepts/configuration/secret/[secrets management engine] that can be used to provision secret files to pods. 
+ +For example, you can create the passphrase secret with: +[source,sh] +---- +kubectl create secret generic fleet-server-key-passphrase \ + --from-literal=value=PASSPHRASE +---- + +And create the service token secret with: +[source,sh] +---- +kubectl create secret generic fleet-server-service-token \ + --from-literal=value=SERVICE-TOKEN +---- + +Then include it in the pod specification, for example, when you are running {fleet-server} under {agent}: +[source,yaml] +---- +spec: + volumes: + - name: key-passphrase + secret: + secretName: fleet-server-key-passphrase + - name: service-token + secret: + secretName: fleet-server-service-token + containers: + - name: fleet-server + image: docker.elastic.co/beats/elastic-agent + volumeMounts: + - name: key-passphrase + mountPath: /var/secrets/passphrase + - name: service-token + mountPath: /var/secrets/service-token + env: + - name: FLEET_SERVER_CERT_KEY_PASSPHRASE + value: /var/secrets/passphrase/value + - name: FLEET_SERVER_SERVICE_TOKEN_PATH + value: /var/secrets/service-token/value +---- + +==== {agent} Kubernetes secrets provider + +When you are running {fleet-server} under {agent} in {k8s}, you can use {agent}'s <> to insert a {k8s} secret directly into {fleet-server}'s configuration. +Note that due to how {fleet-server} is bootstrapped only the APM secrets (API key or secret token) can be specified with this provider. + diff --git a/docs/en/ingest-management/fleet/fleet-server.asciidoc b/docs/en/ingest-management/fleet/fleet-server.asciidoc index dfff90d73..5494b33e6 100644 --- a/docs/en/ingest-management/fleet/fleet-server.asciidoc +++ b/docs/en/ingest-management/fleet/fleet-server.asciidoc @@ -8,7 +8,7 @@ yourself. * **No extra setup is required on {ecloud} unless you want to scale your deployment.** {ecloud} runs a hosted version of {integrations-server} that -includes {fleet-server}. +includes {fleet-server}. [discrete] == What is {fleet-server}? 
@@ -93,3 +93,10 @@ To learn more about adding and scaling {fleet-server}, refer to: * <> * <> + +[discrete] +[[fleet-server-secrets-config]] +== {fleet-server} secrets configuration + +Secrets used to configure {fleet-server} can either be directly specified in configuration or provided through secret files. +See <> for more information. diff --git a/docs/en/ingest-management/index.asciidoc b/docs/en/ingest-management/index.asciidoc index 1b67fcda7..c2c4e31aa 100644 --- a/docs/en/ingest-management/index.asciidoc +++ b/docs/en/ingest-management/index.asciidoc @@ -49,6 +49,8 @@ include::fleet/add-fleet-server-mixed.asciidoc[leveloffset=+3] include::fleet/fleet-server-scaling.asciidoc[leveloffset=+2] +include::fleet/fleet-server-secrets.asciidoc[leveloffset=+2] + include::fleet/fleet-server-monitoring.asciidoc[leveloffset=+2] include::elastic-agent/install-elastic-agent.asciidoc[leveloffset=+1] 
diff --git a/docs/en/ingest-management/security/.certificates.asciidoc.swp b/docs/en/ingest-management/security/.certificates.asciidoc.swp deleted file mode 100644 index 36cd88bde7331ade7b4b96a3b3afdc87deefeb78..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28672 >). @@ -237,6 +239,11 @@ Certificate to use for the exposed {fleet-server} HTTPS endpoint. `fleet-server-cert-key`:: Private key to use for the exposed {fleet-server} HTTPS endpoint. +Note that additionally an optional passphrase for the private key may be specified with: + +`fleet-server-cert-key-passphrase`:: +Passphrase file used to decrypt {fleet-server}'s private key. + .What happens if you enroll {fleet-server} without specifying certificates? ****
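Review bot: in the `elastic-agent enroll` synopsis at @@ -149 in commands.asciidoc (and the `install` synopsis at @@ -485), `--fleet-server-service-token` is still shown unbracketed as a required flag while the new `[--fleet-server-service-token-path ]` line is optional, although the descriptions added at @@ -247 say the two are mutually exclusive. Show them as alternatives, for example `(--fleet-server-service-token TOKEN | --fleet-server-service-token-path PATH)`, and have the `--fleet-server-service-token-path` description say what happens when both are passed (rejected, or which one wins), since "Mutually exclusive" on its own leaves that open.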
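Review bot: in the new fleet-server-secrets.asciidoc, the "TLS private key passphrase" entry tells the reader to use `--fleet-server-cert-key-passphrase-path`, but the CLI reference in this same patch (commands.asciidoc @@ -207 and certificates.asciidoc @@ -237) documents the flag as `--fleet-server-cert-key-passphrase`; the secrets page should use the name the CLI reference defines. Under "TLS private key", the inline example wraps the key in `----BEGIN CERTIFICATE----` / `----END CERTIFICATE----`: a PEM private key is labelled `PRIVATE KEY` (or `RSA PRIVATE KEY`) and PEM armor uses five hyphens, so the snippet as written conflates the certificate with its key and would not parse; the path form `/path/to/cert.key` is fine. In "File permissions", `Write-Output` has no `-NoNewline` parameter (that belongs to `Write-Host`), so the PowerShell line fails before any `icacls` call runs, and Windows PowerShell 5.1's `>` redirection writes UTF-16LE with a BOM, which would corrupt the token; `Set-Content -NoNewline -Encoding ascii -Path .\mySecret -Value SECRET` does what the comment describes. In the same section, macOS has no `root` group, so `sudo chown root:root mySecret` fails there; use `root:wheel` on macOS or omit the group. In "Temporary filesystem" and "Example", `mount -o size=1G -t tmpfs` leaves the directory at tmpfs's default `mode=1777` (world-writable), and `echo -n MY-SERVICE-TOKEN > .../service-token` creates the file as the calling user with the caller's umask (typically 0644) before the `chown`/`chmod` run, so the token is briefly world-readable and also lands in shell history; mount with `-o size=1G,mode=0700` and write the file as root with a restrictive umask, for example `sudo sh -c 'umask 077; printf %s "$TOKEN" > /mnt/fleet-server-secrets/service-token'`, rather than fixing permissions afterwards. In "Secrets in Kubernetes", the `secret:` volumes take the default `defaultMode` of 0644; set `defaultMode: 0400` and `readOnly: true` on the `volumeMounts` to match the host-side 0600 guidance, and mention that `--from-literal` puts the secret in shell history where `--from-file` does not. Minor wording: "provide the private key path using with the `--fleet-server-cert-key` flag" should drop "using".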
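Review bot: at @@ -93 in fleet-server.asciidoc, the new section presents specifying secrets "directly in configuration" and "through secret files" as equal options, while the secrets page it links to says the inline private key is "not recommended" and spends its whole guide on hardening the file approach; state the preference for secret files here as well so readers who stop at this summary get the recommendation.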
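Review bot: at @@ -237 in certificates.asciidoc, "Note that additionally an optional passphrase for the private key may be specified with:" is awkward; suggest "An optional passphrase file for the private key may also be supplied with:". The new `fleet-server-cert-key-passphrase` entry should also make explicit that the value is a path to a file, not the passphrase itself, matching the `--fleet-server-cert-key-passphrase` description added to commands.asciidoc at @@ -207.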