
Docker Swarm: Error response from daemon: error while validating Root CA Certificate: x509: certificate has expired or is not yet valid

OS: CentOS 7 VM

Docker latest version

Commands Executed:

   1) docker swarm init
   2) docker swarm join --token SWMTKN-1-3iqtmbz55yvhxkahe2ncs7d9ebxzlzmw1pwhqzvmcemiolef63-3muc4qjs3mbvh53t8ktzzmb22 192.168.10.108:2377 
    Error: Error response from daemon: error while validating Root CA Certificate: x509: certificate has expired or is not yet valid

As you can see, swarm join is giving me this error. What is the reason for this error and where is it coming from?

Regards, Aditya

CK5 asked Dec 10 '22 10:12


1 Answer

Had a similar issue because swarm init generated a CA certificate with a start date in the future. Possibly due to NTP lag.

CA cert info may be acquired using the following command:

docker swarm ca | openssl x509 -noout -text

The output will look something like this:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        ...
Signature Algorithm: ecdsa-with-SHA256
    Issuer: CN=swarm-ca
    Validity
        Not Before: Oct 24 20:25:00 2018 GMT
        Not After : Oct 19 20:25:00 2038 GMT
    Subject: CN=swarm-ca
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
            pub:
                ...
                ...
                ...
                ...
            ASN1 OID: prime256v1
            NIST CURVE: P-256
    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            ...
Signature Algorithm: ecdsa-with-SHA256
     ...
     ...
     ...
     ...

You can see the range of validity is between Oct 24 20:25:00 2018 GMT and Oct 19 20:25:00 2038 GMT. If the machine trying to join the swarm doesn't have its clock in that interval, it will fail with that error.

Hennadii Mashentsev answered Dec 31 '22 11:12
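A check for the situation this answer describes, added here as an example and not part of the original answer: it parses the Validity block from `openssl x509 -noout -text` output and reports whether a node's UTC clock falls before, inside or after the CA window, and by how many seconds. The function names and the script name in the usage comment are assumptions; the sample dates are the ones shown in the output above.

```python
import re
import sys
from datetime import datetime, timezone

# Validity lines as printed by `openssl x509 -noout -text` (dates from the output above).
SAMPLE = """\
    Validity
        Not Before: Oct 24 20:25:00 2018 GMT
        Not After : Oct 19 20:25:00 2038 GMT
"""

_FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)


def validity_window(openssl_text):
    """Return (not_before, not_after) as UTC datetimes parsed from openssl text output."""
    found = {}
    for which, stamp in _FIELD.findall(openssl_text):
        # openssl pads single-digit days with a space; strptime accepts the extra whitespace.
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        found[which] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]


def check_clock(openssl_text, now):
    """Classify a node's clock (timezone-aware datetime) against the CA validity window.

    Returns (verdict, seconds): seconds is how far `now` lies outside the
    window, or 0 when the clock is inside it.
    """
    not_before, not_after = validity_window(openssl_text)
    if now < not_before:
        return "not-yet-valid", int((not_before - now).total_seconds())
    if now > not_after:
        return "expired", int((now - not_after).total_seconds())
    return "ok", 0


if __name__ == "__main__":
    # Usage (hypothetical script name), with the CA text copied to the joining node:
    #   python3 check_ca_clock.py < swarm-ca.txt
    verdict, off = check_clock(sys.stdin.read(), datetime.now(timezone.utc))
    print(f"{verdict}: local UTC clock is {off}s outside the CA validity window")
    sys.exit(0 if verdict == "ok" else 1)
```

A `not-yet-valid` result with a small offset on the joining node points at clock skew between it and the manager rather than at the certificate itself.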