Docker Success Center

The Docker enterprise customer portal.

Docker, Inc.

When using 3rd party CAs, DTR returns the following error: failed to establish openid authentication

Issue

When utilizing 3rd party CAs, the following error is received from DTR:

"Failed to establish openid authentication",  "detail": "OpenID Connect Error\n\ninvalid_client\n\nunable to validate authentication JWT: unable to get service signing key: unable to fetch service keys from https://dtr.example.com/api/v0/openid/keys: HTTP error: Get https://dtr.example.com/api/v0/openid/keys: dial tcp xx.xx.xx.xxx:443: i/o timeout" 

Prerequisites

Before performing these steps, you must meet the following requirements:

  • Verify there are no networking issues blocking communication between UCP and DTR.

Solution

This "unable to validate authentication JWT" error is typically caused by DTR re-registering itself with enzi. The re-registration can fail for different reasons, and it can be fixed using the reconfigure command:

docker run -it --rm docker/dtr:<dtr-version> reconfigure --ucp-url <ucp-url> --ucp-username <ucp-username> --ucp-password <ucp-password>

  1. Replace <dtr-version> with the version of DTR running on the cluster.
  2. If running behind a load balancer, <ucp-url> should point to the load balancer, such as the CNAME of the ELB in AWS.
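
Before running reconfigure, it helps to confirm whether the failure is a network problem (the prerequisite above) or a CA trust problem. The following triage helpers are an added example, not Docker's own tooling: the function names, the class labels and the CA bundle argument are assumptions, and running the probe from a UCP manager node is an assumption based on the prerequisite.

```shell
#!/bin/sh
# Added example (not from Docker): triage for the DTR
# "unable to fetch service keys" error. All function names are hypothetical.

# Error detail copied from the Issue section of this article.
SAMPLE_ERROR='unable to validate authentication JWT: unable to get service signing key: unable to fetch service keys from https://dtr.example.com/api/v0/openid/keys: HTTP error: Get https://dtr.example.com/api/v0/openid/keys: dial tcp xx.xx.xx.xxx:443: i/o timeout'

# Print the keys URL named in the error detail (empty if none is found).
keys_url_from_error() {
  printf '%s\n' "$1" \
    | grep -o 'unable to fetch service keys from https://[^ ]*' \
    | head -n 1 | sed 's/^.*from //; s/:$//'
}

# Classify the failure from the Go network/TLS error text in the detail.
classify_error() {
  case "$1" in
    *"i/o timeout"*)        echo network-timeout ;;
    *"connection refused"*) echo connect-failed ;;
    *"no such host"*)       echo dns ;;
    *"x509:"*)              echo tls-trust ;;   # e.g. unknown 3rd party CA
    *)                      echo unknown ;;
  esac
}

# Map a curl exit code to the same classes.
explain_curl_exit() {
  case "$1" in
    0)  echo ok ;;
    6)  echo dns ;;
    7)  echo connect-failed ;;
    22) echo http-error ;;
    28) echo network-timeout ;;
    60) echo tls-trust ;;
    *)  echo unknown ;;
  esac
}

# Probe the keys endpoint: $1 = keys URL, $2 = PEM bundle with the 3rd party CA.
probe_keys_endpoint() {
  rc=0
  curl --silent --fail --output /dev/null --connect-timeout 10 \
       --cacert "$2" "$1" || rc=$?
  explain_curl_exit "$rc"
}

# Usage: sh triage.sh <keys-url> <ca-bundle.pem>
if [ "$#" -eq 2 ]; then probe_keys_endpoint "$1" "$2"; fi
```

A result of network-timeout or connect-failed points back to the prerequisite, while tls-trust means the probing host does not trust the CA that signed the DTR certificate.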