Docker Community Forums


Cannot login to Registry/DTR after updating TLS certificate

docker
dtr
ucp

(Alemuro) #1

Expected behavior

We have changed our UCP/DTR certificate in order to connect our CLI to our cluster using TLS.

Actual behavior

We can't log in to Registry/DTR after changing the UCP/DTR certificate. We've changed from the default one to a new one created with Let's Encrypt. This has been created on a Linux machine using Certbot. After that, we copied those certificates and uploaded them to UCP.

I can access the registry login page, but I can't log in. I get this error:

{
  "errors": [
    {
      "code": "OPENID_ERROR",
      "message": "Failed to establish openid authentication",
      "detail": "OpenID Connect Error unable to get token see server logs for details"
    }
  ]
}

Steps to reproduce the behavior

  1. Issue a new Let’s Encrypt certificate using Certbot.
  2. Configure it through “UCP --> Admin Settings --> Certificates”.
  3. After that, I've checked that UCP has updated its certificate successfully, but I can't log in to the registry.

(Elioengcomp) #2

I’m having the same issue.

I cannot log in to DTR after updating the UCP certificates.

Any idea on how to fix this?

Best.
Elio


(Alemuro) #3

Hi Elio,

After updating your UCP certificates, you need to reconfigure the DTR service. Take a look at this:

Regards,
Aleix


(Elioengcomp) #4

Hi Aleix,

I’ve just figured out that I need to change the UCP url on the DTR containers.

I did it with the following command and now it is working again:

docker run -it --rm docker/dtr:2.4.1 reconfigure --ucp-url https://<MY_UCP_URL>

Thank you for your reply.

Best.
Elio


(Nvisiantc) #5

You might want to include the new DTR certificate too when reconfiguring. After you have your DTR certificate files (ca/crt/key) in your local directory, run something like this:

docker run -it --rm docker/dtr reconfigure \
  --dtr-ca "$(cat dtr.test.mydomain.io.ca-bundle)" \
  --dtr-cert "$(cat dtr.test.mydomain.io.crt)" \
  --dtr-external-url https://dtr.test.mydomain.io \
  --dtr-key "$(cat dtr-test-mydomain-io.key)" \
  --ucp-insecure-tls
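The thread's fix (posts #4 and #5) is a `docker/dtr reconfigure` run that points DTR at the UCP URL again and hands it the new certificate files. Two things commonly go wrong there: the wrong Certbot file is passed as the CA bundle or the cert (Certbot writes cert.pem, chain.pem, fullchain.pem and privkey.pem, and the bundle must be the chain, not the leaf), and `--ucp-insecure-tls` is used to paper over DTR not trusting UCP's new certificate, which turns off verification of the very endpoint DTR sends OpenID tokens through. The script below is an added example, not code from the thread or from Docker: it pre-checks the files before reconfiguring and prints a reconfigure command that pins UCP's CA with `--ucp-ca` instead of disabling TLS verification. The hostnames, file names and the `--ucp-ca` flag (taken from the DTR CLI reference as I recall it, so treat it as an assumption and check `docker/dtr reconfigure --help` on your version) are assumptions; the flags that appear in the thread are used as posted.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Pre-flight checks for the
# certificate files handed to `docker/dtr reconfigure`, plus a builder for
# the reconfigure command that pins UCP's CA rather than using
# --ucp-insecure-tls. Hostnames, file names and --ucp-ca are assumptions.

# Number of PEM certificate blocks in a file (0 for a missing file).
# Certbot's cert.pem holds 1, chain.pem the intermediate(s), fullchain.pem
# the leaf plus the intermediate(s).
pem_cert_count() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Pure-shell layout check: cert and CA bundle must contain certificates,
# the key file must contain a PEM private key, and the "CA bundle" must not
# simply be the leaf certificate again (a frequent mix-up with Certbot
# output). Returns 0 when the layout looks right, 1 otherwise.
check_pem_layout() {
  ca=$1 crt=$2 key=$3
  n=$(pem_cert_count "$crt")
  [ "$n" -ge 1 ] || { echo "no certificate in $crt" >&2; return 1; }
  n=$(pem_cert_count "$ca")
  [ "$n" -ge 1 ] || { echo "no certificate in $ca" >&2; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null \
    || { echo "no PEM private key in $key" >&2; return 1; }
  if cmp -s "$ca" "$crt"; then
    echo "$ca is identical to $crt; pass chain.pem as the CA bundle" >&2
    return 1
  fi
  return 0
}

# openssl-based checks: the key matches the cert, the cert chains to the
# bundle, and the leaf covers the DTR hostname. -partial_chain accepts a
# bundle that holds only the intermediate, which is what DTR will serve.
# Skipped (returns 0 with a note) when openssl is not installed.
check_key_and_chain() {
  ca=$1 crt=$2 key=$3 host=$4
  command -v openssl >/dev/null 2>&1 \
    || { echo "openssl not found, skipping key/chain checks" >&2; return 0; }
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match $crt" >&2; return 1; }
  openssl verify -partial_chain -CAfile "$ca" "$crt" >/dev/null \
    || { echo "$crt does not chain to $ca" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "$crt is not valid for $host" >&2; return 1; }
  return 0
}

# Print the reconfigure command. --ucp-ca makes DTR verify UCP's new
# certificate against the CA you supply, so --ucp-insecure-tls is not needed.
# Username/password are left out so DTR prompts for them, as in the thread.
build_reconfigure_cmd() {
  dtr_image=$1 dtr_url=$2 ucp_url=$3 ca=$4 crt=$5 key=$6 ucp_ca=$7
  printf 'docker run -it --rm %s reconfigure \\\n' "$dtr_image"
  printf '  --ucp-url %s --ucp-ca "$(cat %s)" \\\n' "$ucp_url" "$ucp_ca"
  printf '  --dtr-external-url %s \\\n' "$dtr_url"
  printf '  --dtr-ca "$(cat %s)" --dtr-cert "$(cat %s)" --dtr-key "$(cat %s)"\n' \
    "$ca" "$crt" "$key"
}

# Run both checks for one set of files: preflight <dtr-host> <ca> <cert> <key>
preflight() {
  host=$1 ca=$2 crt=$3 key=$4
  check_pem_layout "$ca" "$crt" "$key" && check_key_and_chain "$ca" "$crt" "$key" "$host"
}

# Example invocation (assumed paths from a Certbot run for dtr.example.test):
#   preflight dtr.example.test /etc/letsencrypt/live/dtr.example.test/chain.pem \
#     /etc/letsencrypt/live/dtr.example.test/fullchain.pem \
#     /etc/letsencrypt/live/dtr.example.test/privkey.pem
if [ "$#" -eq 4 ]; then
  preflight "$@" && echo "certificate files look consistent"
fi
```

After the reconfigure finishes, confirm the chain the registry actually serves with `openssl s_client -connect dtr.example.test:443 -servername dtr.example.test` (look for `Verify return code: 0`) and then `docker login dtr.example.test`; if the login still returns OPENID_ERROR, the UCP side is what DTR cannot reach or verify, and the `--ucp-url`/`--ucp-ca` values are the ones to revisit.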