Docker Success Center

The Docker enterprise customer portal.

Docker, Inc.

When using 3rd party CAs, DTR returns the following error (failed to establish openid authentication):

When utilizing 3rd party CAs, the following error is received from DTR:

"Failed to establish openid authentication",  "detail": "OpenID Connect Error\n\ninvalid_client\n\nunable to validate authentication JWT: unable to get service signing key: unable to fetch service keys from https://dtr.example.com/api/v0/openid/keys: HTTP error: Get https://dtr.example.com/api/v0/openid/keys: dial tcp xx.xx.xx.xxx:443: i/o timeout" 

Before performing these steps, you must meet the following requirements:

  • Verify there are no networking issues blocking communication between UCP and DTR.

Steps

This "unable to validate authentication JWT" error is typically caused by a problem when DTR re-registers itself with enzi. The re-registration can fail for different reasons, and can be fixed using the reconfigure command.

  1. <dtr-version>: the version of DTR running on the cluster, for example docker/dtr:2.2.0 or docker/dtr:2.2.4.
  2. <ucp-url>: if running behind a load balancer, the ucp-url should point to the reference configured in the LB (i.e. the CNAME of the ELB in AWS).
  3. docker run -it --rm docker/dtr:<dtr-version> reconfigure --ucp-url <ucp-url> --ucp-username <ucp-username> --ucp-password <ucp-password>
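
A preflight check for the networking requirement above, as an added example that is not part of the original article: it requests the signing-key endpoint named in the error message and maps curl's exit code to the likely cause. It assumes curl is installed and that it is run from a UCP node; `DTR_URL`, `CA_BUNDLE` and the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not Docker's own tooling. Assumes curl is available.

# Map a curl exit code to the likely cause of the OpenID key fetch failure.
classify_curl_rc() {
  case "$1" in
    0)  echo "ok" ;;
    6)  echo "dns: DTR hostname does not resolve from this node" ;;
    7)  echo "connect: port 443 refused or unreachable" ;;
    22) echo "http: endpoint reachable but answered with an error status" ;;
    28) echo "timeout: same symptom as the 'i/o timeout' in the DTR error; check firewall rules and the load balancer" ;;
    35) echo "tls: handshake failed" ;;
    60) echo "ca: DTR certificate not trusted; the 3rd party CA is missing from the bundle in use" ;;
    *)  echo "other: curl exit code $1" ;;
  esac
}

# Request the signing-key endpoint from the error message.
# $1 = DTR base URL, $2 = optional PEM bundle containing the 3rd party CA.
check_dtr_keys() {
  url="${1%/}/api/v0/openid/keys"
  rc=0
  if [ -n "${2:-}" ]; then
    curl -sS -o /dev/null --fail --connect-timeout 5 --max-time 15 \
      --cacert "$2" "$url" || rc=$?
  else
    curl -sS -o /dev/null --fail --connect-timeout 5 --max-time 15 \
      "$url" || rc=$?
  fi
  echo "$url -> $(classify_curl_rc "$rc")"
  return "$rc"
}

# Runs only when a target is supplied, for example:
#   DTR_URL=https://dtr.example.com CA_BUNDLE=/path/to/ca.pem sh check.sh
if [ -n "${DTR_URL:-}" ]; then
  check_dtr_keys "$DTR_URL" "${CA_BUNDLE:-}"
fi
```

A `timeout` or `connect` result points at the network path and should be resolved before running reconfigure; a `ca` result points at certificate trust rather than connectivity.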
