Docker Community Forums

DTR Installation Error: certificate signed by unknown authority

(Lfatty) #1

Hello there,

I have UCP up and running and it is using the default cert. However, when I tried to install DTR following the documentation on, I got an error: failed to get UCP CA: certificate signed by unknown authority

Any idea?

(Matt Bentley) #2

The error is likely because the certificate in ucp-ca.pem is empty. Could you verify what the contents of that file are? I’m guessing the curl command failed.

(Lhar99) #3

I am having the same problem and the certificate is NOT empty.

I do not have any signed certificates so I have installed the UCP with the default. The install completes and I am able to login.

When I run the install for DTR I get the same error message.

Can you run DTR with the default UCP install and not use signed certs? If so, can you provide more details? Thanks.

(Matt Bentley) #4

Yes, you can set up UCP and DTR with the self-signed certificates; that should work just fine. Would you be able to provide the exact command you used for your installation of DTR (minus any passwords)?

(Lhar99) #5

Thank you for confirming. I am now getting this error:

[root@new-host-10 ~]# docker run -it --rm docker/dtr install --ucp-url --ucp-node new-host-10.home --dtr-external-url --ucp-username admin --ucp-password maple --ucp-ca "$(cat ucp-ca.pem)"
INFO[0000] Beginning Docker Trusted Registry installation
INFO[0000] Validating UCP cert
INFO[0000] UCP cert validation successful
**ERRO[0000] Make sure that there is a node in your UCP cluster where port 80 and port 443 are open. Also confirm that all UCP node have the DTR images or can obtain them from Docker Hub. **
FATA[0000] Problem running container ‘dtr-phase2’ from image ‘docker/dtr:2.0.2’: Couldn’t create container ‘dtr-phase2’ from image ‘docker/dtr:2.0.2’: Error response from daemon: Unable to find a node that satisfies the following conditions
[available container slots]
[node==new-host-10.home node!=new-host-10.home]

(Matt Bentley) #6

OK, it looks like you’re trying to install DTR on the same node as UCP. Since UCP, by default, installs to port 443, that means that DTR, which needs 80 and 443 to be available, can’t be installed. Typically what needs to occur is that UCP should be installed with the --controller-port option to change the port from 443 to something else (8443, 4443, anything that isn’t 80 or 443, really) and then DTR could be installed on the same node. Unfortunately, that does require a reinstall of UCP to change that as it stands now.

(Abhishekgaurav) #7

I have the exact same issue but different error.

FATA[0003] Failed to get UCP CA: Get x509: certificate signed by unknown authority

After validating UCP cert I am getting this error. Any resolution?

(Lhar99) #8

Hi Matt –

I have moved UCP to a different port and I am having the same error.

Any help would be appreciated.

(Matt Bentley) #9

OK, make sure that your node name is what UCP sees in the UI. I see you’re using new-host-10.home for the node name so make sure on the Nodes page in UCP that is actually the name that it is seen as in the cluster. For example, my DTR is installed on mbentley-dtr:

(Matt Bentley) #10

Could you try the install but with the --debug command and provide the full output (cleaned of any credentials, etc)? I am curious if there is more info from the debug logs.

(Lhar99) #11

I think I now have a good install but still having challenges. Not anywhere near as easy as the docs say.
Now I am trying:

docker pull

and getting

Error response from daemon: Get x509: certificate signed by unknown authority

Can I turn all security and certificates off and get this to work?

(Matt Bentley) #12

It is not possible to set DTR to not use SSL because of the security risk. Instead, you should trust the DTR self-signed certificate:

See the section “Install registry certificates on client Docker daemons”. Also, that repository you listed can’t exist. An image in DTR must have a hostname, namespace, repository and tag (tag defaulting to latest if omitted). Example:

You must create the repo before you can push an image to DTR.

(Jaydipta) #13

I have exactly the same error…
30 times…
NFO[0155] Waiting for DTR to start…
INFO[0160] Waiting for DTR to start…
WARN[0170] Couldn’t confirm authentication works, but still completing installation: Failed to wait for dtr to come back up: Polling failed with 30 attempts 5s apart: Failed to connect to DTR: Get https://aaa.bbb.ccc.97: x509: certificate signed by unknown authority
Lastly I can see one DTR application is up in ucp-web but cannot access DTR. Started DTR on 1443 using “--replica-https-port 1443”. Both DTR and UCP on the same HOST.

(Jaydipta) #14

Able to login to DTR web UI, using “ip:port” for dtr-external-url now.
But a new issue arose: when I try to “docker login my-host-name”, it expects ID and Pwd. Once I give it correctly it throws
an error: “Error response from daemon: Get https://my-host-name/v1/users/: Service Unavailable”

I see it tries to connect a v1 registry, I am confused.

(Sérgio Pelissari) #15

Hi, I’ve got this issue while installing the DTR. You have to follow this step: create on all nodes a directory /etc/docker/certs.d/[ucp-hostname]/ and copy the ca.pem as ca.crt. The docs are really confusing…
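The client-side trust step from the two posts above (trusting the DTR/UCP self-signed CA on the Docker client and placing it under /etc/docker/certs.d/[hostname]/ca.crt) as a script. This is an added example, not code from the thread or from Docker; it assumes UCP and DTR serve their CA at https://<host>/ca as the docs of that time described, uses placeholder hostnames, and leaves the check of the printed fingerprint (so the first, unverified fetch is not trusted blindly) to the operator.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: sanity-check a UCP/DTR CA bundle before
# passing it to "dtr install --ucp-ca", then install it where the Docker client
# looks for registry CAs (/etc/docker/certs.d/<host[:port]>/ca.crt). The /ca
# endpoint and the certs.d layout are taken from the UCP/DTR docs of that era.
set -euo pipefail

# Fetch the CA over a not-yet-trusted connection (-k) and print its SHA-256
# fingerprint so it can be compared out of band before anything trusts it.
fetch_ca() {
  local host="$1" out="$2"
  curl -sSfk "https://${host}/ca" -o "$out"
  openssl x509 -in "$out" -noout -fingerprint -sha256
}

# Return 0 if FILE is a non-empty, parseable PEM certificate with CA:TRUE;
# otherwise print the reason and return 1. An empty ucp-ca.pem (a failed curl)
# is one way to end up with "certificate signed by unknown authority".
check_ca_pem() {
  local file="$1" text
  [ -s "$file" ] || { echo "empty or missing: $file"; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$file" \
    || { echo "not a PEM certificate: $file"; return 1; }
  if command -v openssl >/dev/null 2>&1; then
    text=$(openssl x509 -in "$file" -noout -text 2>/dev/null) \
      || { echo "unparseable certificate: $file"; return 1; }
    case "$text" in
      *"CA:TRUE"*) ;;
      *) echo "no CA:TRUE basic constraint: $file"; return 1 ;;
    esac
  fi
  return 0
}

# Install FILE as ca.crt for registry HOST (host or host:port, exactly as typed in
# "docker login"/"docker pull"). ROOT defaults to /etc/docker/certs.d; pass another
# directory to rehearse without root. Prints the installed path.
install_registry_ca() {
  local host="$1" file="$2" root="${3:-/etc/docker/certs.d}"
  check_ca_pem "$file" || return 1
  mkdir -p "${root}/${host}"
  cp "$file" "${root}/${host}/ca.crt"
  chmod 0644 "${root}/${host}/ca.crt"
  echo "${root}/${host}/ca.crt"
}

# Typical use with UCP moved to 8443 and DTR on 1443 on the same host:
#   fetch_ca ucp.example.test:8443 ucp-ca.pem && install_registry_ca ucp.example.test:8443 ucp-ca.pem
#   fetch_ca dtr.example.test:1443 dtr-ca.pem && install_registry_ca dtr.example.test:1443 dtr-ca.pem
```

The directory name must match the host:port string the client uses, so a DTR reached as my-host-name:1443 needs /etc/docker/certs.d/my-host-name:1443/ca.crt, and the daemon picks the file up without a restart.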

(Jaydipta) #16

Thanks Sérgio. I did it, but still no luck.
I have even followed the steps to integrate DTR (I don’t know whether it is required at all by default). Till now I am getting the same issue.

Also please mention from where I need to copy ca.pem and paste it to your mentioned folder.

(Sérgio Pelissari) #17

Hi, are you still having problems with certs?