Add custom cert troubleshooting page to AutoOps for self-managed docs (#4043)

## Summary

This PR adds a troubleshooting page to explain how to configure Elastic
Agent with a custom SSL certificate. I added a new child page under the
troubleshooting section to avoid overloading that page with info.

Closes elastic/opex-product#666.

Author: wajihaparvez

deploy-manage/monitor/autoops/autoops-sm-custom-certification.md

@@ -0,0 +1,115 @@
+---
+applies_to:
+  deployment:
+    self:
+    ece:
+    eck:
+navigation_title: Configure Elastic agent with custom certificate
+products:
+  - id: cloud-kubernetes
+  - id: cloud-enterprise
+---
+
+# Configure AutoOps {{agent}} with a custom SSL certificate 
+
+{{agent}} might not recognize your SSL certificate if it is signed by a custom or internal Certificate Authority (CA). In this case, {{agent}} will fail to connect your self-managed cluster to AutoOps and you might encounter an error like the following:
+
+```sh
+... x509: certificate signed by unknown authority ...
+```
+
+This error occurs because the machine where you have installed {{agent}} does not trust your custom or internal CA. To fix this error, follow the steps on this page to configure the agent with your custom SSL certificate.
+
+## Add custom certificate path to the `elastic-agent.yml` file
+
+To configure {{agent}} with your custom SSL certificate, add the path to your certificate to the [`elastic-agent.yml`](/reference/fleet/configure-standalone-elastic-agents.md) policy file on the host machine where the agent is installed. 
+
+Complete the following steps:
+
+1. On the host machine, open the `elastic-agent.yml` file. The default location is `/opt/Elastic/Agent/elastic-agent.yml`.
+2. In the `elastic-agent.yml` file, locate the `receivers.metricbeatreceiver.metricbeat.modules` section. 
+3. In this section, there are two modules configured for `autoops_es`, one for metrics and one for templates. \
+  Add the `ss.certificate_authorities` setting to both these modules using one of the following options:
+
+    :::::{tab-set}
+    :group: add-cert-auth-setting-to-module
+
+    ::::{tab-item} Use environment variable (recommended)
+    :sync: env-variable
+
+    We recommend using this method because it's flexible and keeps sensitive paths out of your main configuration.
+
+    Add the following line to both `autoops_es` modules:
+
+    ```yaml
+    ssl.certificate_authorities:
+      - ${env:AUTOOPS_CA_CERT}
+    ```
+    After adding this line to both modules, make sure the` AUTOOPS_CA_CERT` environment variable is set on the host machine and contains the full path to your certificate file (for example: `/etc/ssl/certs/my_internal_ca.crt`).
+    ::::
+
+    ::::{tab-item} Hardcode file path
+    :sync: hardcode-file-path
+
+    Use this method to specify the path directly. This method is often simpler for fixed or test environments.
+
+    Edit the following line with the path to your CA and add it to both `autoops_es` modules:
+
+    ```yaml
+    ssl.certificate_authorities:
+      - "/path/to/your/ca.crt"
+    ```
+    The following codeblock shows what your final configuration should look like when you use the hardcode method.
+
+    ```yaml
+    receivers:
+      metricbeatreceiver:
+        metricbeat:
+          modules:
+            # Metrics
+            - module: autoops_es
+              hosts: ${env:AUTOOPS_ES_URL}
+              period: 10s
+              metricsets:
+                - cat_shards
+                - cluster_health
+                - cluster_settings
+                - license
+                - node_stats
+                - tasks_management
+              # --- ADD THIS LINE ---
+              ssl.certificate_authorities:
+                - "/path/to/your/ca.crt"
+
+            # Templates
+            - module: autoops_es
+              hosts: ${env:AUTOOPS_ES_URL}
+              period: 24h
+              metricsets:
+                - cat_template
+                - component_template
+                - index_template
+              # --- ADD THIS LINE ---
+              ssl.certificate_authorities:
+                - "/path/to/your/ca.crt"
+    ```
+
+    ::::
+
+    :::::
+
+4. Save your changes to the `elastic-agent.yml` file.
+5. Restart {{agent}} so that the new settings can take effect.\
+    In most systemd-based Linux environments, you can use the following command to restart the agent:
+    ```bash
+    sudo systemctl restart elastic-agent
+    ```
+6. Check the agent logs again to confirm that the error is gone and that {{agent}} has successfully connected your self-managed cluster to AutoOps. 
+
+    :::{note}
+    If you encounter the following error in the agent logs, there might be a formatting issue in the `elastic-agent.yml` file.
+    ```sh
+    ... can not convert 'object' into 'string' ... ssl.certificate_authorities ...
+    ```
+    To fix this error, ensure your configuration is correctly formatted. The `ss.certificate_authorities` setting must be a list item (indicated by the `-`) containing one or more strings (the respective path to your certification files).
+    :::

deploy-manage/monitor/autoops/cc-cloud-connect-autoops-troubleshooting.md

@@ -23,6 +23,7 @@ Use this guide to troubleshoot any issues you may encounter.
 * [My cluster was disconnected from {{ecloud}} and I want to reconnect it.](#disconnected-cluster)
 * [After running the installation command, I can't move on to the next steps.](#next-steps)
 * [My organization's firewall may be preventing {{agent}} from collecting and sending metrics.](#firewall)
+* [{{agent}} is failing to connect because it doesn't recognize my SSL certificate.](#custom-cert)
 
 $$$single-cloud-org$$$**I’m trying to create a Cloud organization, but I’m already part of a different one.**
 :   :::{include} /deploy-manage/monitor/_snippets/single-cloud-org.md
@@ -166,6 +167,9 @@ $$$firewall$$$**My organization's firewall may be preventing {{agent}} from coll
     If you are using Docker, you may need to complete this configuration directly via the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.
     :::
 
+$$$custom-cert$$$**{{agent}} is failing to connect because it doesn't recognize my SSL certificate.**
+:   If {{agent}} is failing to connect your self-managed cluster to AutoOps because it doesn't recognize your SSL certificate, refer to [](/deploy-manage/monitor/autoops/autoops-sm-custom-certification.md). 
+
 ## Potential errors
 
 The following table shows the errors you might encounter if something goes wrong while you set up and use AutoOps on your clusters.
@@ -184,3 +188,4 @@ The following table shows the errors you might encounter if something goes wrong
 | `VERSION_MISMATCH` | {{es}} version is unsupported | Upgrade your cluster to a [supported version](https://www.elastic.co/support/eol). |
 | `UNKNOWN_ERROR` | Installation failed | {{agent}} couldn't be installed due to an unknown issue. Consult the troubleshooting guide or contact [Elastic support](https://support.elastic.co/) for more help. |
 | | Failed to register Cloud Connected Mode: cluster license type is not supported | The cluster you are trying to connect doesn't have the required license to connect to AutoOps. For more information, refer to the [prerequisites](/deploy-manage/monitor/autoops/cc-connect-self-managed-to-autoops.md#prerequisites). |
+| `x509` | Certificate signed by unknown authority | {{agent}} couldn't connect. SSL certificate signed by unknown authority. |

deploy-manage/toc.yml

@@ -674,6 +674,7 @@ toc:
             children: 
             - file: monitor/autoops/cc-connect-self-managed-to-autoops.md
             - file: monitor/autoops/cc-connect-local-dev-to-autoops.md
+            - file: monitor/autoops/autoops-sm-custom-certification.md
             - file: monitor/autoops/cc-manage-users.md
             - file: monitor/autoops/cc-cloud-connect-autoops-troubleshooting.md
           - file: monitor/autoops/ec-autoops-regions.md