Docker Community Forums

Failed to load SSL certificate: tags don't match error when adding signed cert to DTR

(Miwalker) #1

Hi,

Trying to install my signed certificate in our DTR instance. I added my signed cert and intermediate cert in that order in the top box, and private key in the bottom box on the Security tab. When I try to Save I get the error “There was an error saving your SSL certificate. Please verify the uploaded files”. Not seeing any errors in the logs.

I also tried the manual way and concatenated the 3 certs together into “cat cert.pem caintermediatecert.pem server.key > server.pem” and replaced existing server.pem. Updated the permissions on file and restarted DTR and get the error below. Not finding much in Google to help resolve the issue. I also verified the Cert and private key match.

Any idea what it could be or what to try? Thanks,

FATAL [1.4.3] Failed to load SSL certificate: map[error:asn1: structure error: tags don’t match (16 vs {class:0 tag:6 length:9 isCompound:false}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2] error=“asn1: structure error: tags don’t match (16 vs {class:0 tag:6 length:9 isCompound:false}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2


(Kevin Finley) #2

Did you enter them like this?

-----BEGIN CERTIFICATE-----
Maa92tydhoetd … My certificate …
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Mab3onNNdofd … Intermediate certificate …
-----END CERTIFICATE-----


(Frank) #3

I have a similar issue. Not getting that FATAL error but “There was an error saving your SSL certificate. Please verify the uploaded files”.

And yes my certs start off as:
SSL Cert box
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

SSL Private Key
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

In the logs: Invalid cert/key pair error="crypto/tls: failed to parse key PEM data"
So guessing it does not like my cert/key for some reason.

I generated my own CA root (using OpenSSL), created a CSR and signed it with the CA. Are there certain parameters DTR needs or key usage that I need to set?
Generated CSR with:
$ openssl req -nodes -sha256 -newkey rsa:2048 -keyout private/dtr.key -out csr/dtr.csr
$ openssl ca -in csr/dtr.csr -out newcerts/dtr.pem -keyfile private/ca-cert.key -cert certs/ca-cert.crt

I noticed something weird also that when I click “save and restart” button the contents of the SSL cert window change! Still PEM format but some of the characters change.

Before:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

After:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


(Frank) #4

Ok I want to use a couple 4 letter words here, but will refrain. Being frustrated Friday with this I left it. I came in this morning and did the same GD thing and copied the pem format of cert and key and it worked. Or at least said "SSL certificate saved"

From the log: text=INFO [1.4.3] Updating SSL certificate

How stable is DTR? Is this something ready for a mission-critical production environment? Honestly I did absolutely nothing. Did not even restart the container.

Break…
I just went back into the security tab and I do not see the PEM of the SSL Certificate or Private key. Should I or is it hidden once saved?
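
An added example, not part of any post above and not DTR's own code: a Go pre-check of the two inputs the thread discusses (certificate box with the server certificate first and the intermediate after it, private key in its own box), using Go's `crypto/x509` and `crypto/tls`. The function names and the sample certificates are constructed for illustration; a second self-signed certificate stands in for the intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkBundle lists problems in the cert-box and key-box contents; empty means the pair loads.
func checkBundle(certPEM, keyPEM string) (problems []string) {
	n := 0
	for b, rest := pem.Decode([]byte(certPEM)); b != nil; b, rest = pem.Decode(rest) {
		n++
		if b.Type != "CERTIFICATE" { // e.g. a private key concatenated into the cert input
			problems = append(problems, fmt.Sprintf("block %d is %q, not CERTIFICATE", n, b.Type))
		} else if _, err := x509.ParseCertificate(b.Bytes); err != nil {
			problems = append(problems, fmt.Sprintf("block %d: %v", n, err))
		}
	}
	if _, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM)); err != nil { // first cert must match key
		problems = append(problems, "key pair: "+err.Error())
	}
	return
}

// sample returns a constructed self-signed cert and key as PEM (test data; errors ignored).
func sample(cn string) (certPEM, keyPEM string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}))
}

func main() {
	leaf, key := sample("dtr.example.test") // constructed host name
	other, _ := sample("constructed stand-in for the intermediate")
	fmt.Println("leaf first: ", checkBundle(leaf+other, key))
	fmt.Println("wrong order:", checkBundle(other+leaf, key))
	fmt.Println("key in box: ", checkBundle(leaf+other+key, key))
}
```

`tls.X509KeyPair` does not verify the chain; it only confirms that the first certificate's public key belongs to the private key, which is why swapping the order is reported as a key mismatch.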