Docker Community Forums


DTR Failure - x509

(Shaunglass) #1

Good Day,

A little brief on setup …

server-lb : nginx (managing 443:444) (separate VM altogether)

Only names that use server-lb will hit the nginx server …

Generated certs for nginx on said server:

openssl genrsa -out server-lb.key 4096
openssl req -new -key server-lb.key -out server-lb.csr
openssl x509 -req -days 365 -in server-lb.csr -signkey server-lb.key -out server-lb.crt


server-node1 : ucp (port 444)

server-node2 : ucp (port 444)

server-node3 : ucp (port 444)

Trying to install DTR as follows:

curl -k https://server-node1:444/ca > ucp-ca.pem

docker run -it --rm docker/dtr install --dtr-external-url https://server-lb:443 --ucp-node server-node1 --ucp-url https://server-node1:444 --ucp-username admin --ucp-ca "$(cat ucp-ca.pem)"

Fails :

WARN[0179] Couldn’t confirm authentication works, but still completing installation: Failed to wait for dtr to come back up: Polling failed with 30 attempts 5s apart: error making request to openid/begin Get https://server-lb/api/v0/openid/begin: x509: certificate signed by unknown authority

Obviously a certificate thing … no signed certs as poc. I have been doing the curl / update-ca-trust thing with all possible variations.


UCP was installed on node1; then, when adding node2 & node3, they were added as managers.


I have tried the following since nginx is external to system :

openssl s_client -connect server-lb:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | tee /etc/pki/ca-trust/source/anchors/server-lb.crt

… on the node I am trying installation on.

(Patrick Devine) #2

@shaunglass as mentioned in the other forum post, you don’t need to (and shouldn’t) terminate TLS on your load balancer. You can create the TLS certs for UCP and DTR and add them both and then pass 80/443/444 to the respective services.
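The error text in the first post is the message of Go's `crypto/x509` `UnknownAuthorityError`. The following added example (not part of either post, and not Docker's code) reproduces it: a self-signed `server-lb` certificate, as `openssl x509 -req -signkey` produces, is rejected by a verifier that trusts only a given CA, while a certificate for the same name issued by that CA is accepted. Assumptions: the helper names `issue` and `verify` are hypothetical, `constructed-ca` stands in for whichever CA the verifying side trusts, and Ed25519 keys replace the post's RSA keys for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fails only if the system RNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // like `openssl x509 -req -signkey`: the cert signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify checks leaf for host with ca as the only trusted root.
func verify(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("constructed-ca", true, nil, nil)
	selfSigned, _ := issue("server-lb", false, nil, nil)
	caIssued, _ := issue("server-lb", false, ca, caKey)
	fmt.Println("self-signed:", verify(selfSigned, ca, "server-lb"))
	fmt.Println("CA-issued:  ", verify(caIssued, ca, "server-lb"))
}
```

Adding a self-signed certificate to the host's trust anchors does not change the outcome for a process that verifies against its own CA pool, which is what the second `verify` argument models.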