Cannot login to Registry/DTR after updating TLS certificate

Expected behavior

We have changed our UCP/DTR certificate in order to connect our CLI to our cluster using TLS.

Actual behavior

We can’t log in to Registry/DTR after changing the UCP/DTR certificate. We’ve changed from the default one to a new one created with Let’s Encrypt. This has been created on a Linux machine using Certbot. After that, we’ve copied those certificates and we’ve uploaded them to UCP.

I can access the registry login page, but I can’t log in. I get this error:
{
  errors: [
    {
      code: "OPENID_ERROR",
      message: "Failed to establish openid authentication",
      detail: "OpenID Connect Error unable to get token see server logs for details"
    }
  ]
}

Steps to reproduce the behavior

  1. Issue a new Let’s Encrypt certificate using Certbot.
  2. Configure it through “UCP --> Admin Settings --> Certificates”.
  3. After that, I’ve checked that UCP has updated its certificate successfully, but I can’t log in to the registry.

I’m having the same issue.

I cannot log in to DTR after updating UCP certificates.

Any idea on how to fix this?

Best.
Elio

Hi Elio,

After updating your UCP certificates, you need to reconfigure the DTR service. Take a look at this:

Regards,
Aleix

Hi Aleix,

I’ve just figured out that I need to change the UCP URL on the DTR containers.

I did it with the following command and now it is working again:

docker run -it --rm docker/dtr:2.4.1 reconfigure --ucp-url https://<MY_UCP_URL>

Thank you for your reply.

Best.
Elio

You might want to include the new DTR certificate too when reconfiguring… After you have your DTR certificate files (ca/crt/key) in your local directory, run something like this:
docker run -it --rm docker/dtr reconfigure --dtr-ca "$(cat dtr.test.mydomain.io.ca-bundle)" --dtr-cert "$(cat dtr.test.mydomain.io.crt)" --dtr-external-url https://dtr.test.mydomain.io --dtr-key "$(cat dtr-test-mydomain-io.key)" --ucp-insecure-tls
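
A preflight check for the ca/crt/key files before they are handed to `reconfigure`, as an added example that is not part of the original thread or of Docker's tooling. It assumes the `openssl` CLI is installed; `check_dtr_certs` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example: validate the files that will be passed to
# `docker/dtr reconfigure --dtr-ca ... --dtr-cert ... --dtr-key ...`
# and the host name used in --dtr-external-url.
# check_dtr_certs is a hypothetical name, not a Docker command.

# check_dtr_certs <ca-bundle> <cert> <key> <hostname>
# Returns 0 when every check passes, otherwise a distinct non-zero code.
check_dtr_certs() {
  local ca=$1 crt=$2 key=$3 host=$4 f cert_pub key_pub
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
  done

  # 1. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key does not match certificate" >&2; return 3; }

  # 2. The certificate must chain to the bundle given as --dtr-ca.
  #    -partial_chain accepts a bundle that stops at an intermediate CA.
  openssl verify -partial_chain -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: certificate does not chain to $ca" >&2; return 4; }

  # 3. The certificate must cover the host in --dtr-external-url.
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' ||
    { echo "FAIL: certificate is not valid for $host" >&2; return 5; }

  # 4. The certificate must not expire within the next 7 days.
  openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null ||
    { echo "FAIL: certificate expires within 7 days" >&2; return 6; }

  echo "OK: $crt is usable for $host"
}

# Usage with the file names from the command above:
#   check_dtr_certs dtr.test.mydomain.io.ca-bundle dtr.test.mydomain.io.crt \
#     dtr-test-mydomain-io.key dtr.test.mydomain.io
```

`--ucp-insecure-tls` turns off verification of UCP's certificate; `docker/dtr reconfigure` also accepts `--ucp-ca` with the UCP CA in PEM form, which keeps verification on.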