elastic
diff --git a/‎deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md‎
Lines changed: 16 additions & 1 deletion b/‎deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎deploy-manage/monitor/autoops/autoops-sm-custom-certification.md‎
Lines changed: 115 additions & 0 deletions b/‎deploy-manage/monitor/autoops/autoops-sm-custom-certification.md‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎deploy-manage/monitor/autoops/cc-cloud-connect-autoops-troubleshooting.md‎
Lines changed: 5 additions & 0 deletions b/‎deploy-manage/monitor/autoops/cc-cloud-connect-autoops-troubleshooting.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎deploy-manage/toc.yml‎
Lines changed: 1 addition & 0 deletions b/‎deploy-manage/toc.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docset.yml‎
Lines changed: 0 additions & 1 deletion b/‎docset.yml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎explore-analyze/discover/discover-get-started.md‎
Lines changed: 1 addition & 1 deletion b/‎explore-analyze/discover/discover-get-started.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎manage-data/ingest/ingest-reference-architectures.md‎
Lines changed: 1 addition & 1 deletion b/‎manage-data/ingest/ingest-reference-architectures.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎manage-data/ingest/tools.md‎
Lines changed: 2 additions & 2 deletions b/‎manage-data/ingest/tools.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎reference/fleet/agent-provider.md‎
Lines changed: 2 additions & 0 deletions b/‎reference/fleet/agent-provider.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎reference/fleet/docker-provider.md‎
Lines changed: 3 additions & 1 deletion b/‎reference/fleet/docker-provider.md‎
Lines changed: 3 additions & 1 deletion
@@ -16,9 +16,9 @@ For versions 2.4.0 and 2.4.1, IPv6 should remain enabled on any host with the Pr
 
 * [Inbound traffic](#ece-inbound)
 * [Outbound traffic](#ece-outbound)
+* [Container communication on the same host](#ece-container-communication-on-same-host)
 * [Hosts in multiple data centers](#ece-multiple-data-centers)
 
-
 ## Inbound traffic [ece-inbound]
 
 When there are multiple hosts for each role, the inbound networking and ports can be represented by the following diagram:
@@ -68,6 +68,21 @@ Outbound traffic must also permit connections to the [snapshot repositories](../
 ::::
 
 
+## Container communication on the same host [ece-container-communication-on-same-host]
+
+The following ports need to be open for containers communicating with the host or with each other on the same host:
+
+| Port(s) | Purpose | Host role |
+| --- | --- | --- |
+| 53 | DNS resolver | All roles |
+| 2180 | ZooKeeper admin port | All roles |
+| 2375 | Docker admin port | All roles |
+| 2191-2199 | Debug ports | Director |
+| 5000-5010 | Java Virtual Machine (JVM)/debug ports | All roles |
+| 8080-8084 | Health/monitoring ports | All roles |
+| 9000, 9043 | Internal proxy use | Proxy |
+| 9244 | Internal proxy port | All roles |
+
 
 ## Hosts in multiple data centers [ece-multiple-data-centers]
 
 
@@ -0,0 +1,115 @@
+---
+applies_to:
+  deployment:
+    self:
+    ece:
+    eck:
+navigation_title: Configure Elastic agent with custom certificate
+products:
+  - id: cloud-kubernetes
+  - id: cloud-enterprise
+---
+
+# Configure AutoOps {{agent}} with a custom SSL certificate 
+
+{{agent}} might not recognize your SSL certificate if it is signed by a custom or internal Certificate Authority (CA). In this case, {{agent}} will fail to connect your self-managed cluster to AutoOps and you might encounter an error like the following:
+
+```sh
+... x509: certificate signed by unknown authority ...
+```
+
+This error occurs because the machine where you have installed {{agent}} does not trust your custom or internal CA. To fix this error, follow the steps on this page to configure the agent with your custom SSL certificate.
+
+## Add custom certificate path to the `elastic-agent.yml` file
+
+To configure {{agent}} with your custom SSL certificate, add the path to your certificate to the [`elastic-agent.yml`](/reference/fleet/configure-standalone-elastic-agents.md) policy file on the host machine where the agent is installed. 
+
+Complete the following steps:
+
+1. On the host machine, open the `elastic-agent.yml` file. The default location is `/opt/Elastic/Agent/elastic-agent.yml`.
+2. In the `elastic-agent.yml` file, locate the `receivers.metricbeatreceiver.metricbeat.modules` section. 
+3. In this section, there are two modules configured for `autoops_es`, one for metrics and one for templates. \
+  Add the `ss.certificate_authorities` setting to both these modules using one of the following options:
+
+    :::::{tab-set}
+    :group: add-cert-auth-setting-to-module
+
+    ::::{tab-item} Use environment variable (recommended)
+    :sync: env-variable
+
+    We recommend using this method because it's flexible and keeps sensitive paths out of your main configuration.
+
+    Add the following line to both `autoops_es` modules:
+
+    ```yaml
+    ssl.certificate_authorities:
+      - ${env:AUTOOPS_CA_CERT}
+    ```
+    After adding this line to both modules, make sure the` AUTOOPS_CA_CERT` environment variable is set on the host machine and contains the full path to your certificate file (for example: `/etc/ssl/certs/my_internal_ca.crt`).
+    ::::
+
+    ::::{tab-item} Hardcode file path
+    :sync: hardcode-file-path
+
+    Use this method to specify the path directly. This method is often simpler for fixed or test environments.
+
+    Edit the following line with the path to your CA and add it to both `autoops_es` modules:
+
+    ```yaml
+    ssl.certificate_authorities:
+      - "/path/to/your/ca.crt"
+    ```
+    The following codeblock shows what your final configuration should look like when you use the hardcode method.
+
+    ```yaml
+    receivers:
+      metricbeatreceiver:
+        metricbeat:
+          modules:
+            # Metrics
+            - module: autoops_es
+              hosts: ${env:AUTOOPS_ES_URL}
+              period: 10s
+              metricsets:
+                - cat_shards
+                - cluster_health
+                - cluster_settings
+                - license
+                - node_stats
+                - tasks_management
+              # --- ADD THIS LINE ---
+              ssl.certificate_authorities:
+                - "/path/to/your/ca.crt"
+
+            # Templates
+            - module: autoops_es
+              hosts: ${env:AUTOOPS_ES_URL}
+              period: 24h
+              metricsets:
+                - cat_template
+                - component_template
+                - index_template
+              # --- ADD THIS LINE ---
+              ssl.certificate_authorities:
+                - "/path/to/your/ca.crt"
+    ```
+
+    ::::
+
+    :::::
+
+4. Save your changes to the `elastic-agent.yml` file.
+5. Restart {{agent}} so that the new settings can take effect.\
+    In most systemd-based Linux environments, you can use the following command to restart the agent:
+    ```bash
+    sudo systemctl restart elastic-agent
+    ```
+6. Check the agent logs again to confirm that the error is gone and that {{agent}} has successfully connected your self-managed cluster to AutoOps. 
+
+    :::{note}
+    If you encounter the following error in the agent logs, there might be a formatting issue in the `elastic-agent.yml` file.
+    ```sh
+    ... can not convert 'object' into 'string' ... ssl.certificate_authorities ...
+    ```
+    To fix this error, ensure your configuration is correctly formatted. The `ss.certificate_authorities` setting must be a list item (indicated by the `-`) containing one or more strings (the respective path to your certification files).
+    :::
@@ -23,6 +23,7 @@ Use this guide to troubleshoot any issues you may encounter.
 * [My cluster was disconnected from {{ecloud}} and I want to reconnect it.](#disconnected-cluster)
 * [After running the installation command, I can't move on to the next steps.](#next-steps)
 * [My organization's firewall may be preventing {{agent}} from collecting and sending metrics.](#firewall)
+* [{{agent}} is failing to connect because it doesn't recognize my SSL certificate.](#custom-cert)
 
 $$$single-cloud-org$$$**I’m trying to create a Cloud organization, but I’m already part of a different one.**
 :   :::{include} /deploy-manage/monitor/_snippets/single-cloud-org.md
@@ -40,6 +41,9 @@ $$$next-steps$$$**After running the installation command, I can't move on to the
 $$$firewall$$$**My organization's firewall may be preventing {{agent}} from collecting and sending metrics.**
 :   If you're having issues with connecting your cluster to AutoOps and you suspect that a firewall may be the reason, refer to [](/deploy-manage/monitor/autoops/autoops-sm-troubleshoot-firewalls.md).
 
+$$$custom-cert$$$**{{agent}} is failing to connect because it doesn't recognize my SSL certificate.**
+:   If {{agent}} is failing to connect your self-managed cluster to AutoOps because it doesn't recognize your SSL certificate, refer to [](/deploy-manage/monitor/autoops/autoops-sm-custom-certification.md). 
+
 ## Potential errors
 
 The following table shows the errors you might encounter if something goes wrong while you set up and use AutoOps on your clusters.
@@ -58,3 +62,4 @@ The following table shows the errors you might encounter if something goes wrong
 | `VERSION_MISMATCH` | {{es}} version is unsupported | Upgrade your cluster to a [supported version](https://www.elastic.co/support/eol). |
 | `UNKNOWN_ERROR` | Installation failed | {{agent}} couldn't be installed due to an unknown issue. Consult the troubleshooting guide or contact [Elastic support](https://support.elastic.co/) for more help. |
 | | Failed to register Cloud Connected Mode: cluster license type is not supported | The cluster you are trying to connect doesn't have the required license to connect to AutoOps. For more information, refer to the [prerequisites](/deploy-manage/monitor/autoops/cc-connect-self-managed-to-autoops.md#prerequisites). |
+| `x509` | Certificate signed by unknown authority | {{agent}} couldn't connect. SSL certificate signed by unknown authority. |
@@ -689,6 +689,7 @@ toc:
             children: 
               - file: monitor/autoops/cc-connect-self-managed-to-autoops.md
               - file: monitor/autoops/cc-connect-local-dev-to-autoops.md
+              - file: monitor/autoops/autoops-sm-custom-certification.md
               - file: monitor/autoops/cc-manage-users.md
               - file: monitor/autoops/use-autoops-in-sm-cluster.md
               - file: monitor/autoops/cc-cloud-connect-autoops-troubleshooting.md
 
@@ -97,7 +97,6 @@ subs:
   es-serverless:   "Elasticsearch Serverless"
   obs-serverless:   "Elastic Observability Serverless"
   sec-serverless:   "Elastic Security Serverless"
-  ess-leadin-short:   "Our hosted Elasticsearch Service is available on AWS, GCP, and Azure, and you can try it for free: https://cloud.elastic.co/registration."
   apm-app:   "APM app"
   uptime-app:   "Uptime app"
   synthetics-app:   "Synthetics app"
 
@@ -334,7 +334,7 @@ To manage and organize your tabs, you can:
   :::{tip}
   If you want to discard all open tabs, you can also start a {icon}`plus` **New session** from the toolbar. When you use this option, any unsaved changes to your current session are lost.
   :::
-- Reopen recently closed tabs: If you close a tab by mistake, you can retrieve it by selecting the {icon}`boxes_vertical` **Tabs bar menu** icon located at the end of the tab bar.
+- Reopen recently closed tabs: If you close a tab by mistake, you can retrieve it by selecting the {icon}`boxes_vertical` **Tabs menu** icon located at the end of the tab bar.
 
 To keep all of your tabs for later, you can [Save your Discover session](#save-discover-search). All currently open tabs are saved within the session and will be there when you open it again.
 
 
@@ -13,7 +13,7 @@ We offer a variety of ingest architectures to serve a wide range of use cases an
 To ingest data into {{es}}, use the *simplest option that meets your needs* and satisfies your use case. For many users and use cases, the simplest approach is ingesting data with {{agent}} and sending it to {{es}}. {{agent}} and [{{agent}} integrations](https://www.elastic.co/integrations/) are available for many popular platforms and services, and are a good place to start.
 
 ::::{tip}
-You can host {{es}} on your own hardware or send your data to {{es}} on {{ecloud}}. For most users, {{agent}} writing directly to {{es}} on {{ecloud}} provides the easiest and fastest time to value. {{ess-leadin-short}}
+You can host {{es}} on your own hardware or send your data to {{es}} on {{ecloud}}. For most users, {{agent}} writing directly to {{es}} on {{ecloud}} provides the easiest and fastest time to value. {{ech}} is available on {{aws}}, GCP, and Azure, and you can [try it for free](https://cloud.elastic.co/registration).
 ::::
 
 **Decision tree**
 
@@ -48,8 +48,8 @@ Refer to our [Ingestion](/manage-data/ingest.md) overview for some guidelines to
 | Integrations | Ingest data using a variety of Elastic integrations. | [Elastic Integrations](integration-docs://reference/index.md) |
 | File upload | Upload data from a file and inspect it before importing it into {{es}}. | [Upload data files](/manage-data/ingest/upload-data-files.md) |
 | APIs  | Ingest data through code by using the APIs of one of the language clients or the {{es}} HTTP APIs. | [Document APIs](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-document) |
-| OpenTelemetry | Collect and send your telemetry data to Elastic Observability | [Elastic Distributions of OpenTelemetry](opentelemetry://reference/index.md). |
-| Fleet and Elastic Agent | Add monitoring for logs, metrics, and other types of data to a host using Elastic Agent, and centrally manage it using Fleet. | [Fleet and {{agent}} overview](/reference/fleet/index.md) <br> [{{fleet}} and {{agent}} restrictions (Serverless)](/reference/fleet/fleet-agent-serverless-restrictions.md) <br> [{{beats}} and {{agent}} capabilities](/reference/fleet/beats-agent-comparison.md)||
+| OpenTelemetry | Collect and send your telemetry data to Elastic Observability | [Elastic Distributions of OpenTelemetry](opentelemetry://reference/index.md) |
+| Fleet and Elastic Agent | Add monitoring for logs, metrics, and other types of data to a host using Elastic Agent, and centrally manage it using Fleet. | [Fleet and {{agent}} overview](/reference/fleet/index.md) <br> [{{fleet}} and {{agent}} restrictions (Serverless)](/reference/fleet/fleet-agent-serverless-restrictions.md) <br> [{{beats}} and {{agent}} capabilities](/reference/fleet/beats-agent-comparison.md)|
 | {{elastic-defend}} | {{elastic-defend}} provides organizations with prevention, detection, and response capabilities with deep visibility for EPP, EDR, SIEM, and Security Analytics use cases across Windows, macOS, and Linux operating systems running on both traditional endpoints and public cloud environments. | [Configure endpoint protection with {{elastic-defend}}](/solutions/security/configure-elastic-defend.md) |
 | {{ls}} | Dynamically unify data from a wide variety of data sources and normalize it into destinations of your choice with {{ls}}. | [Logstash](logstash://reference/index.md) |
 | {{beats}} | Use {{beats}} data shippers to send operational data to Elasticsearch directly or through Logstash. | [{{beats}}](beats://reference/index.md) |
 
@@ -1,6 +1,8 @@
 ---
 mapped_pages:
   - https://www.elastic.co/guide/en/fleet/current/agent-provider.html
+applies_to:
+  stack: ga
 products:
   - id: fleet
   - id: elastic-agent
 
@@ -1,12 +1,14 @@
 ---
 mapped_pages:
   - https://www.elastic.co/guide/en/fleet/current/docker-provider.html
+applies_to:
+  stack: ga
 products:
   - id: fleet
   - id: elastic-agent
 ---
 
-# Docker Provider [docker-provider]
+# Docker provider [docker-provider]
 
 Provides inventory information from Docker. The available dynamic variables are: