4

OS: CentOS 7 VM

Docker latest version

Commands Executed:

   1) docker swarm init
   2) docker swarm join --token SWMTKN-1-3iqtmbz55yvhxkahe2ncs7d9ebxzlzmw1pwhqzvmcemiolef63-3muc4qjs3mbvh53t8ktzzmb22 192.168.10.108:2377 
    Error: Error response from daemon: error while validating Root CA Certificate: x509: certificate has expired or is not yet valid

As you can see, swarm join is giving me this error. What is the reason for this error and where is it coming from?

Regards, Aditya

CK5

6 Answers

11

Had a similar issue because swarm init generated a CA certificate with a start date in the future, possibly due to NTP lag.

CA cert info may be acquired using the following command:

docker swarm ca | openssl x509 -noout -text

The output will look something like this:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        ...
Signature Algorithm: ecdsa-with-SHA256
    Issuer: CN=swarm-ca
    Validity
        Not Before: Oct 24 20:25:00 2018 GMT
        Not After : Oct 19 20:25:00 2038 GMT
    Subject: CN=swarm-ca
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
            pub:
                ...
                ...
                ...
                ...
            ASN1 OID: prime256v1
            NIST CURVE: P-256
    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            ...
Signature Algorithm: ecdsa-with-SHA256
     ...
     ...
     ...
     ...

You can see the range of validity is between Oct 24 20:25:00 2018 GMT and Oct 19 20:25:00 2038 GMT. If the machine trying to join the swarm doesn't have its clock in that interval, it will fail with that error.
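The validity-window comparison described in this answer, as an added example that is not part of the original answer. It assumes GNU `date`; the function names `validity_epoch` and `check_clock` and the sample text (built from the dates shown above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a clock reading with the swarm CA validity window.
# Assumes GNU date (for `date -d`), as shipped on CentOS 7.

# Constructed sample: the Validity lines from the output shown above.
SAMPLE_CA_TEXT='    Validity
        Not Before: Oct 24 20:25:00 2018 GMT
        Not After : Oct 19 20:25:00 2038 GMT'

# validity_epoch LABEL: read `openssl x509 -noout -text` output on stdin and
# print the named validity bound ("Not Before" or "Not After") as epoch seconds.
validity_epoch() {
    ve_ts=$(sed -n "s/^ *$1 *: *//p" | head -n 1)
    [ -n "$ve_ts" ] || return 1
    date -u -d "$ve_ts" +%s
}

# check_clock [EPOCH]: read the certificate text on stdin and classify EPOCH
# (default: this machine's current time) against the validity window.
# Returns 0 inside the window, 1 outside it, 2 if the dates cannot be parsed.
check_clock() {
    cc_text=$(cat)
    cc_now=${1:-$(date -u +%s)}
    cc_nb=$(printf '%s\n' "$cc_text" | validity_epoch "Not Before") || return 2
    cc_na=$(printf '%s\n' "$cc_text" | validity_epoch "Not After") || return 2
    if [ "$cc_now" -lt "$cc_nb" ]; then
        echo "not yet valid: clock is $((cc_nb - cc_now))s before Not Before"
        return 1
    elif [ "$cc_now" -gt "$cc_na" ]; then
        echo "expired: clock is $((cc_now - cc_na))s after Not After"
        return 1
    fi
    echo "ok: clock is inside the validity window"
}

# On the manager, checking its own clock:
#   docker swarm ca | openssl x509 -noout -text | check_clock
# To test another node's clock, pass that node's `date -u +%s` as EPOCH.
```

A "not yet valid" result means the checked clock is behind the manager that created the CA, which is the case the join error reports for a freshly initialized swarm.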

5

This error is generated when the time is not in sync on your nodes. After initializing the swarm with

docker swarm init

you can see the time limits of the swarm certificate with the command below:

docker swarm ca | openssl x509 -noout -text

Your node's time must be between

Validity
Not Before: Feb 20 10:21:00 2019 GMT
Not After : Feb 15 10:21:00 2039 GMT

To set the node time on Linux, you can use the 'timedatectl' command.

For automatic time sync, you can use the following commands on every node:

timedatectl set-timezone Asia/Tehran
timedatectl set-ntp on

You can list all time zones with:

timedatectl list-timezones

1

Simply deleting the certificate and restarting the service worked for me.

0

I solved it by setting the same date on both machines.

Stephen Rauch
0

Indeed, the date and time were not synchronized between the VMs where the Docker nodes were running.

The following commands helped me to overcome the issue:

systemctl stop ntpd ;  ntpdate *server* ; systemctl start ntpd

As docs state:

ntpdate sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the server arguments to determine the correct time

rok
0

I did the following and it worked for me:

  • Change the time zone (GMT can be changed based on the time zone in the control node):

    timedatectl set-timezone GMT

  • Change the format of the date on the node machine:

    date --set "Tue 2021-12-21 17:18:07 GMT"

Tip: Get the date format from the swarm master node by running this command:

docker swarm ca | openssl x509 -noout -text | grep "Not Before"

Naren Chejara