When using third-party CAs, DTR returns the following error:
"Failed to establish openid authentication", "detail": "OpenID Connect Error\n\ninvalid_client\n\nunable to validate authentication JWT: unable to get service signing key: unable to fetch service keys from https://dtr.example.com/api/v0/openid/keys: HTTP error: Get https://dtr.example.com/api/v0/openid/keys: dial tcp xx.xx.xx.xxx:443: i/o timeout"
Before performing these steps, you must meet the following requirements:
- Verify there are no networking issues blocking communication between UCP and DTR.
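One way to run this check, as an added example that is not part of the original article: the script requests the keys URL shown in the error message and uses curl's exit status to separate a blocked network path (the `i/o timeout` case) from a certificate trust failure. The function names and the `DTR_HOST` and `DTR_CA_BUNDLE` variables are assumptions; run it from a node that has to reach DTR, such as a UCP manager.

```shell
#!/bin/sh
# Added example: host name, CA bundle path and function names are assumptions.

# Build the keys URL that appears in the error message for a given DTR host.
dtr_keys_url() {
    printf 'https://%s/api/v0/openid/keys' "$1"
}

# Map a curl exit status to the likely cause of the failed fetch.
classify_curl_exit() {
    case "$1" in
        0)  echo "reachable" ;;       # TCP connect and TLS handshake succeeded
        6)  echo "dns" ;;             # host name did not resolve
        7)  echo "refused" ;;         # nothing listening, or actively rejected
        28) echo "timeout" ;;         # packets dropped: firewall, routing, LB
        35|51|60|77) echo "tls" ;;    # handshake or CA verification failed
        *)  echo "other" ;;
    esac
}

# Probe the endpoint. $1 = DTR host, $2 = optional CA bundle (PEM file).
probe_dtr_keys() {
    host=$1
    ca_bundle=${2:-}
    url=$(dtr_keys_url "$host")
    set -- --silent --show-error --output /dev/null \
           --connect-timeout 5 --max-time 15
    if [ -n "$ca_bundle" ]; then
        set -- "$@" --cacert "$ca_bundle"
    fi
    rc=0
    curl "$@" "$url" || rc=$?
    cause=$(classify_curl_exit "$rc")
    echo "$url: curl exit $rc ($cause)"
    case "$cause" in
        dns|refused|timeout)
            echo "Network path to DTR is blocked; resolve this first." ;;
        tls)
            echo "DTR answers, but its certificate is not trusted here." ;;
    esac
    [ "$rc" -eq 0 ]
}

# Only probe when a host is supplied, e.g. DTR_HOST=dtr.example.com sh check.sh
if [ -n "${DTR_HOST:-}" ]; then
    probe_dtr_keys "$DTR_HOST" "${DTR_CA_BUNDLE:-}"
fi
```

A `timeout` result matches the `dial tcp ... i/o timeout` in the error above; a `tls` result means the connection itself works and the failure is in certificate validation.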
The "unable to validate authentication JWT" error is typically caused by DTR re-registering itself with enzi. The re-registration can fail for different reasons, and it can be fixed using the reconfigure command:
docker run -it --rm docker/dtr:<dtr-version> reconfigure --ucp-url <ucp-url> --ucp-username <ucp-username> --ucp-password <ucp-password>
- Replace <dtr-version> with the version of DTR running on the cluster.
- If running behind a load balancer, <ucp-url> should point to the load balancer, such as the CNAME of the ELB in AWS.