Docker Community Forums


X509: cannot validate certificate for

dtr
ucp

(Fsejoseph) #1

I created UCP and DTR. Everything worked. I put my own certs into the UCP, and then when I tried to sign into DTR it gave me this error:

http client error: Post https://111.111.111.11/enzi/v0/id/token: x509: cannot validate certificate for 111.111.111.11 because it doesn’t contain any IP SANs

I remade my certs and made sure they contained the IP addresses. How do I fix this problem without reconfiguring the DTR, because the system will not let me? Is there any way to fix it from the command line, or by changing the content of a file?


(Metin Y.) #2

When we update certificates we always do it from the command line.

Though, I can't find the proper command for UCP.
The DTR certificates can be fixed with:

docker run -it --rm docker/dtr:{yourversion} reconfigure \
  --dtr-ca "$(cat root-ca.crt)" \
  --dtr-cert "$(cat dtr.crt)" \
  --ucp-url "https://fqdn.of.your.ucp" \
  --dtr-external-url "https://fqdn.of.your.dtr" \
  --ucp-username "any ucp admin user accountname" \
  --ucp-password "the admin user accounts password" \
  --dtr-key "$(cat dtr.key)"

Of course you have to replace each and every value with your own configuration.

Are the certificates issued with CN = external FQDN and SANs = FQDN of each node in the cluster?


(Fsejoseph) #3

This is what worked. Be sure you are in the folder with all the keys, certs, and pems.

First I:

docker swarm leave
docker rm $(docker ps -aq) -f
docker volume prune
# rejoin the swarm
sudo sh -c 'curl -k https://ucp.com/ca > ca.pem'

Then:

docker run -it --rm docker/dtr:2.6.1 install \
  --ucp-node node_l \
  --ucp-url https://ucp.com \
  --ucp-username admin \
  --ucp-password adminadmin \
  --dtr-external-url https://dtr.com \
  --ucp-ca "$(cat ca.pem)" \
  --dtr-key "$(cat dtr.key)" \
  --dtr-cert "$(cat dtr.crt)" \
  --dtr-ca "$(cat ca.pem)" \
  --http-proxy http://proxy/ \
  --https-proxy http://proxy/ \
  --no-proxy "*.local,<IP addresses of all nodes>" \
  --replica-http-port 81 \
  --replica-https-port 4443