Docker Community Forums

Unable to load server cert and key: tls: private key does not match public key

ucp

(Clawondeck) #1

Hi,

This is the output from docker info:

root@ucp04:~# docker info
Containers: 12
Running: 10
Paused: 0
Stopped: 2
Images: 13
Server Version: 1.13.1-cs3
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 91
Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: active
NodeID: kqhwn0u691jk34k5uy7bzm31u
Is Manager: true
ClusterID: pmpgjh8s6qplu5wemhw6gszrk
Managers: 1
Nodes: 1
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 3
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
External CAs:
cfssl: "https://10.180.8.125:12381/api/v1/cfssl/sign"
Node Address: 10.180.8.125
Manager Addresses:
10.180.8.125:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 4ab9917febca54791c5f071a9d1f404867857fcc
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: 949e6fa
Security Options:
apparmor
Kernel Version: 3.13.0-74-generic
Operating System: Ubuntu 14.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.797 GiB
Name: ucp04
ID: Z52M:HLDJ:BEJB:SA7D:INTN:GTWX:VBC6:W57K:7GAM:AJHT:ZS5Q:ETTA
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

We are trying to follow the steps in https://docs.docker.com/datacenter/ucp/1.1/configuration/use-externally-signed-certs/#replace-existing-certificates to replace the self-signed certificates with custom certificates. However, in the UI it is still shown as not secure.

Please help. :)

Thanks.


(Wsloand) #2

When you created your self-signed certificate, did you use the correct common name?

Be sure to use the name myregistrydomain.com as a CN. (from https://docs.docker.com/registry/insecure/#use-self-signed-certificates)


(Tperelle) #3

In your CSR you have to put a SAN for every manager node and for the VIP that is load-balanced over them, including the DNS name even if it is declared as the CN.

If you get the error “private key does not match public key”, it’s because the key.pem doesn’t correspond to the public key in your cert.pem. Perhaps you confused the private key generated/used with your CSR with the private key of the CA used for signing the certificates. UCP needs the first one.
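As an added example (not from this thread, and not Docker's or UCP's own code), a small Go program that loads a cert.pem/key.pem pair with the same standard-library call the Docker daemon uses, so a wrong key produces the exact error in the thread title, and on success lists the DNS and IP SANs the certificate carries. The hostnames and the certificate material are constructed for the demonstration; point checkPair at your real PEM bytes to check a UCP pair before installing it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkPair loads cert.pem/key.pem the way the Docker daemon does (crypto/tls.X509KeyPair); a key from some
// other certificate, e.g. the CA's, yields the thread's exact error. On success it returns the DNS and IP SANs.
func checkPair(certPEM, keyPEM []byte) ([]string, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair already parsed it successfully
	sans := append([]string{}, leaf.DNSNames...)          // every manager node and the VIP must be listed here
	for _, ip := range leaf.IPAddresses {
		sans = append(sans, ip.String())
	}
	return sans, nil
}

// selfSigned builds a constructed test certificate (not real UCP material) with the given DNS SANs and its matching key.
func selfSigned(sans []string) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	kder, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder})
}

func main() {
	cert, key := selfSigned([]string{"ucp04.example.com", "ucp-vip.example.com"})
	_, caKey := selfSigned([]string{"ca.example.com"}) // a different key, standing in for the CA's key
	fmt.Println(checkPair(cert, key))   // [ucp04.example.com ucp-vip.example.com] <nil>
	fmt.Println(checkPair(cert, caKey)) // [] tls: private key does not match public key
}
```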