Docker Community Forums

Share and learn in the Docker community.

DTR - Failed to get UCP CA


(5003152) #1

i have installed 3 servers -
3.Docker Engine CS

Server Version: 1.11.2-cs4

i installed UCP and added the engine to ucp - and all went fine
my only issue is with DTR- Trusted registry

i did :

  1. curl -k -v “” --cert /root/ucp-ca.pem (it has created the key with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)

2.docker run -it --rm docker/dtr install --ucp-url -ucp-node ucp -dtr-external-url --ucp-username admin --ucp-password $PASSWORD --ucp-ca “$(cat ucp-ca.pem)” --debug

and i get :
FATA[0030] Failed to get UCP CA: Get dial tcp: i/o timeout

if i try curl to the site :
curl -k -v “” --cert /root/ucp-ca.pem
i get this error :
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

if i go by the web to it is downloading the pem key as i have it on the site.
all firewalls are disable in all the machines

what is the issue ?

(Peter Lind) #2

The install manual specifies this command to get the CA cert:
$ curl -k https://$UCP_HOST/ca > ucp-ca.pem

I’ve also experienced problems with certs if the time/date on the different nodes haven’t been the same.

(5003152) #3

the command curl -k -v “” --cert /root/ucp-ca.pem
was only to check the curl and why it gets time out, of course i followed the manual and my original command was :

curl -k > ucp-ca.pem

and time and date on all nods are the same, UTC.

more ideas ?

(5003152) #4

OK, so i have the solution :slight_smile:

  1. remove all containers (docker ps , docker ps -a)
  2. disable firewalld (systemctl stop firewalld, systemctl disable firewalld)
  3. restart docker for all the iptable rules to reload (systemctl restart docker)
    4.add DTR node to docker UCP (Go to UCP site -> Nodes -> add node -> mark with V the "I use docker machine"
    and copy the below code to the DTR machine.)
  4. run the DTR installtion command
    $ docker run -it --rm
    docker/dtr install
    –ucp-url $UCP_URL
    –ucp-node $NODE_HOSTNAME
    –dtr-external-url $DTR_PUBLIC_IP
    –ucp-username $USER --ucp-password $PASSWORD
    –ucp-ca “$(cat ucp-ca.pem)”