
Docker Success Center

The Docker enterprise customer portal.

Docker, Inc.

When using third-party CAs, DTR returns the error "failed to establish openid authentication"

When third-party CAs are in use, DTR returns the following error:

"Failed to establish openid authentication",  "detail": "OpenID Connect Error\n\ninvalid_client\n\nunable to validate authentication JWT: unable to get service signing key: unable to fetch service keys from HTTP error: Get dial tcp i/o timeout" 

Before performing these steps, you must meet the following requirements:

  • Verify there are no networking issues blocking communication between UCP and DTR.


This "unable to validate authentication JWT" error is typically caused by a problem when DTR re-registers itself with enzi. The re-registration can fail for different reasons, and can be fixed using the reconfigure command.

  1. <dtr-version>: the version of DTR running on the cluster, e.g. docker/dtr:2.2.0, docker/dtr:2.2.4
  2. <ucp-url>: if running behind a load balancer, <ucp-url> should point to the reference configured in the LB (i.e. the CNAME of the ELB in AWS)
  3. docker run -it --rm docker/dtr:<dtr-version> reconfigure --ucp-url <ucp-url> --ucp-username <ucp-username> --ucp-password <ucp-password>
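
For the prerequisite above, a pre-flight check can be run on a DTR node before reconfigure to tell a network timeout apart from a third-party CA that does not validate. This is an added example, not part of the original article; the helper names diagnose_curl_exit and check_ucp are hypothetical, and the UCP URL and CA bundle path are supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check, run on a DTR
# node, that UCP is reachable and its certificate chain validates.
# Assumptions: diagnose_curl_exit and check_ucp are hypothetical helper names;
# the UCP URL and the CA bundle path are supplied by the operator.

# Translate a curl exit code into the likely cause.
diagnose_curl_exit() {
    case "$1" in
        0)  echo "ok: TCP connection and TLS validation succeeded" ;;
        6)  echo "dns: UCP hostname does not resolve from this node" ;;
        7)  echo "refused: nothing is listening on that address and port" ;;
        28) echo "timeout: same symptom as 'dial tcp i/o timeout'; check firewall and load balancer rules" ;;
        35) echo "tls-handshake: TLS negotiation failed before certificate validation" ;;
        60) echo "untrusted-ca: certificate chain does not validate against the CA bundle" ;;
        *)  echo "other: curl exit code $1" ;;
    esac
}

# check_ucp <ucp-url> [ca-bundle.pem]
# Prints the diagnosis and returns curl's exit code. Any HTTP response counts
# as success here, because only the network path and TLS trust are under test.
check_ucp() {
    url=$1
    ca=${2:-}
    rc=0
    if [ -n "$ca" ]; then
        curl --silent --output /dev/null --connect-timeout 5 --max-time 10 \
             --cacert "$ca" "$url" || rc=$?
    else
        curl --silent --output /dev/null --connect-timeout 5 --max-time 10 \
             "$url" || rc=$?
    fi
    diagnose_curl_exit "$rc"
    return "$rc"
}

# Run only when a URL is given: sh preflight.sh <ucp-url> [ca-bundle.pem]
if [ "$#" -ge 1 ]; then
    check_ucp "$@"
fi
```

A "timeout" result points at the network path between DTR and UCP, while "untrusted-ca" means the third-party CA chain needs to be fixed before reconfigure can succeed.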
