External CA is not being accepted by new swarm node

[splytech]

Description

Following the little documentation for setting a swarmkit cluster based on the following URL:

https://docs.docker.com/engine/reference/commandline/swarm_init/

While I am using RPi's to do this, I am doing nothing more than setting up a basic swarm cluster using an external CA with the cfssl service.

I am using a local compiled version of cfssl:

cfssl version:
Version: 1.2.0
Revision: dev
Runtime: go1.8.1

I could be doing something wrong but I am not sure what I am missing. It appears to be a bug and there isn't much on setting up an external CA with swarmkit.

Steps to reproduce the issue:

1. Setup a CA cert with cfssl, on the manager node:

ca-csr.json:

{
    "CN": "piworkernet",
    "hosts": [
        "piworkernet.net",
        "www.piworkernet.net"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "ST": "CA",
            "L": "London",
        "O": "piworkernet",
        "OU": "pidocker"
        }
    ]
}

To create the ca itself:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

2. Setup the cert on both the manager and the worker node:
   Copy and update the ca certificates globally:

sudo cp ~/ca.pem /usr/local/share/ca-certificates/piworkernet.crt
cd /usr/local/share/ca-certificates/
sudo mkdir piworkernet && cd piworkernet
sudo cp ~/ca.pem ./ca.crt
sudo update-ca-certificates

Yes, I copied it twice because I am not sure which one dockerd will pick up.

3. Start cfssl server on manager:
   NOTE: Local IP for the manager: 10.0.20.130
   Command:

cfssl serve -ca ca.pem -ca-key ca-key.pem -config ca-config.json -address=10.0.20.130 

Output:

2017/05/16 01:33:53 [INFO] Initializing signer
2017/05/16 01:33:53 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2017/05/16 01:33:53 [INFO] bundler API ready
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2017/05/16 01:33:53 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2017/05/16 01:33:53 [INFO] endpoint '/' is enabled
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2017/05/16 01:33:53 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2017/05/16 01:33:53 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2017/05/16 01:33:53 [WARNING] endpoint 'authsign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
2017/05/16 01:33:53 [INFO] setting up key / CSR generator
2017/05/16 01:33:53 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2017/05/16 01:33:53 [INFO] Handler set up complete.
2017/05/16 01:33:53 [INFO] Now listening on 10.0.20.130:8888

4. Init Swarm Cluster on manager node:

docker swarm init --advertise-addr 10.0.20.130 --external-ca protocol=cfssl,url=http://10.0.20.130:8888/api/v1/cfssl/sign

Log output during init, w/ debug mode on:

May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.328995224Z" level=debug msg="Calling GET /_ping"
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.593284786Z" level=debug msg="Calling GET /_ping"
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.597594217Z" level=debug msg="Calling POST /v1.29/swarm/init"
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.599448415Z" level=debug msg="form data: {\"AdvertiseAddr\":\"10.0.20.130\",\"AutoLockManagers\":false,\"Availability\":\"\",\"ForceNewCluster\":false,\"ListenAddr\":\"0.0.0.0:2377\",\"Spec\":{\"CAConfig\":{\"ExternalCAs\":[{\"Protocol\":\"cfssl\",\"URL\":\"http://10.0.20.130:8888/api/v1/cfssl/sign\"}]},\"Dispatcher\":{},\"EncryptionConfig\":{\"AutoLockManagers\":false},\"Labels\":null,\"Orchestration\":{},\"Raft\":{\"ElectionTick\":0,\"HeartbeatTick\":0},\"TaskDefaults\":{}}}"
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.755405921Z" level=debug msg="generated CA key and certificate" module=node
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.755650762Z" level=debug msg="no node credentials found in: /var/lib/docker/swarm/certificates/swarm-node.crt" error="open /var/lib/docker/swarm/certificates/swarm-node.key: no such file or directory" module=node
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.837578689Z" level=debug msg="issued new TLS certificate" module="node/tls" node.id=t5pusiwwxwrpy16wddkg1d7a3 node.role=swarm-manager
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.839163254Z" level=debug msg="new node credentials generated: /var/lib/docker/swarm/certificates/swarm-node.crt" module="node/tls" node.id=t5pusiwwxwrpy16wddkg1d7a3 node.role=swarm-manager
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.857974396Z" level=debug msg="next certificate renewal scheduled for 1631h54m42.142117478s from now" module="node/tls" node.id=t5pusiwwxwrpy16wddkg1d7a3 node.role=swarm-manager time=2017-07-23 01:30:00.000002708 +0000 UTC
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.889961534Z" level=info msg="Listening for connections" addr="[::]:2377" module=node node.id=t5pusiwwxwrpy16wddkg1d7a3 proto=tcp
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.890043147Z" level=info msg="Listening for local connections" addr="/var/run/docker/swarm/control.sock" module=node node.id=t5pusiwwxwrpy16wddkg1d7a3 proto=unix
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.905902864Z" level=info msg="7340972b77480346 became follower at term 0" module=raft node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.906074216Z" level=info msg="newRaft 7340972b77480346 [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]" module=raft node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.906171194Z" level=info msg="7340972b77480346 became follower at term 1" module=raft node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.912924764Z" level=info msg="7340972b77480346 is starting a new election at term 1" module=raft node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.913175646Z" level=info msg="7340972b77480346 became candidate at term 2" module=raft node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.913323769Z" level=info msg="7340972b77480346 received MsgVoteResp from 7340972b77480346 at term 2" module=raft node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.913440695Z" level=info msg="7340972b77480346 became leader at term 2" module=raft node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.913517049Z" level=info msg="raft.node: 7340972b77480346 elected leader 7340972b77480346 at term 2" module=raft node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.916513525Z" level=info msg="Creating default ingress network" module=node node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.921649404Z" level=debug msg="RequestPool(GlobalDefault, 10.255.0.0/16, , map[], false)"
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.921907474Z" level=debug msg="RequestAddress(GlobalDefault/10.255.0.0/16, <nil>, map[RequestAddressType:com.docker.network.gateway])"
May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.931283462Z" level=debug msg="Updating security config due to change in cluster Root CA" cluster.id=yxar145djq2bswnhyv71cpokb method="(*Server).UpdateRootCA" module=ca node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.008212852Z" level=debug msg="(*Agent).run" module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.044459577Z" level=debug msg="(*session).start" module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.048695311Z" level=debug msg="Root CA updated successfully" cluster.id=yxar145djq2bswnhyv71cpokb method="(*Server).UpdateRootCA" module=ca node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.048897288Z" level=debug msg="Updating security config due to change in cluster Root CA or cluster spec" cluster.id=yxar145djq2bswnhyv71cpokb method="(*Server).UpdateRootCA" module=ca node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.052690422Z" level=debug msg="RequestAddress(GlobalDefault/10.255.0.0/16, <nil>, map[])"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.054578005Z" level=debug msg="node status updated" method="(*Dispatcher).processUpdates" module=dispatcher node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.073626747Z" level=debug method="(*session).logSubscriptions" module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3 session.id=ncb3w5ocs8enxwab8ckrrn1wf
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.075372874Z" level=debug method="(*session).watch" module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3 session.id=ncb3w5ocs8enxwab8ckrrn1wf
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.075617246Z" level=debug msg="(*session).heartbeat" module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3 session.id=ncb3w5ocs8enxwab8ckrrn1wf
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.075372926Z" level=debug msg="(*session).listen" module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3 session.id=ncb3w5ocs8enxwab8ckrrn1wf
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.077254519Z" level=debug msg="node registered" method="(*LogBroker).ListenSubscriptions" node=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.078274507Z" level=debug method="(*Dispatcher).Assignments" node.id=t5pusiwwxwrpy16wddkg1d7a3 node.session=ncb3w5ocs8enxwab8ckrrn1wf
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.082916278Z" level=info msg="Initializing Libnetwork Agent Listen-Addr=0.0.0.0 Local-addr=10.0.20.130 Adv-addr=10.0.20.130 Remote-addr ="
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.083101172Z" level=debug msg="(*worker).Assign" len(assignments)=0 module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.083331429Z" level=debug msg="(*worker).reconcileSecrets" len(removedSecrets)=0 len(updatedSecrets)=0 module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.083433095Z" level=debug msg="(*worker).reconcileTaskState" len(removedTasks)=0 len(updatedTasks)=0 module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.087128522Z" level=debug msg="agent: registered" module="node/agent" node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.087562423Z" level=info msg="Initializing Libnetwork Agent Listen-Addr=0.0.0.0 Local-addr=10.0.20.130 Adv-addr=10.0.20.130 Remote-addr ="
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.087976637Z" level=info msg="Gossip cluster hostname pi3coreserver-477a29027df3"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.088236426Z" level=debug msg="Encryption key 1: f153a"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.088301321Z" level=debug msg="Encryption key 2: 8f4f1"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.088353143Z" level=debug msg="Encryption key 3: 31cb9"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.091135768Z" level=debug msg="Initial encryption keys: [(key: 44332, tag: 0xce33) (key: 55585, tag: 0xce32) (key: a8ba1, tag: 0xce34)]"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.093016528Z" level=debug msg="Initial encryption keys: [(key: 44332, tag: 0xce33) (key: 55585, tag: 0xce32) (key: a8ba1, tag: 0xce34)]"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.094449845Z" level=debug msg="Allocating IPv4 pools for network ingress (da6bdp3kszj1podctsott7wiw)"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.094595573Z" level=debug msg="RequestPool(LocalDefault, 10.255.0.0/16, , map[], false)"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.094941402Z" level=debug msg="RequestAddress(LocalDefault/10.255.0.0/16, 10.255.0.1, map[RequestAddressType:com.docker.network.gateway])"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.095132702Z" level=debug msg="overlay: Received vxlan IDs: 4096"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.095265409Z" level=debug msg="/sbin/iptables, [--wait -t mangle -C OUTPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j MARK --set-mark 13681891]"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.111976626Z" level=debug msg="Updating security config due to change in cluster Root CA or cluster spec" cluster.id=yxar145djq2bswnhyv71cpokb method="(*Server).UpdateRootCA" module=node node.id=t5pusiwwxwrpy16wddkg1d7a3
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.118576760Z" level=debug msg="Calling GET /v1.29/nodes/t5pusiwwxwrpy16wddkg1d7a3"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.127713375Z" level=debug msg="/sbin/iptables, [--wait -t filter -C INPUT -m policy --dir in --pol ipsec -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j ACCEPT]"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.130717820Z" level=debug msg="Calling GET /v1.29/swarm"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.139022778Z" level=debug msg="/sbin/iptables, [--wait -t filter -C INPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j DROP]"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.150966185Z" level=debug msg="pi3coreserver-477a29027df3: joined network da6bdp3kszj1podctsott7wiw"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.151092277Z" level=debug msg="pi3coreserver-477a29027df3: Initiating bulk sync with nodes [pi3coreserver-477a29027df3]"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.151707270Z" level=debug msg="/sbin/iptables, [--wait -t filter -L DOCKER-INGRESS]"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.357188070Z" level=debug msg="Assigning addresses for endpoint ingress-endpoint's interface on network ingress"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.357351662Z" level=debug msg="RequestAddress(LocalDefault/10.255.0.0/16, 10.255.0.2, map[])"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.363363001Z" level=debug msg="Assigning addresses for endpoint ingress-endpoint's interface on network ingress"
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.370504118Z" level=error msg="Failed to create testvxlan interface: error creating vxlan interface: operation not supported"
May 16 01:35:18 pi3coreserver kernel: [315751.833142] br0: renamed from ov-001000-da6bd
May 16 01:35:18 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:18.590359599Z" level=error msg="Failed joining ingress sandbox to ingress endpoint: subnet sandbox join failed for \"10.255.0.0/16\": error creating vxlan interface: operation not supported"

5. Join the worker node:

Command on worker:

docker swarm join \
>     --token SWMTKN-1-3m1d6ra0gpj4gs5dyo1o5pd3t521m5a9t102zk18ojev2deqcd-8gltbkjrl8y98e0mrq33nljbz \
>     10.0.20.130:2377

Log during worker failure:

May 16 01:26:36 pizdocker1 systemd[1]: Started Docker Application Container Engine.
May 16 01:26:36 pizdocker1 dockerd[8522]: time="2017-05-16T01:26:36.554780842Z" level=info msg="API listen on /var/run/docker.sock"
May 16 01:26:36 pizdocker1 dockerd[8522]: time="2017-05-16T01:26:36.555594842Z" level=info msg="API listen on 10.0.11.2:2376"
May 16 01:26:43 pizdocker1 dockerd[8522]: time="2017-05-16T01:26:43.066865555Z" level=debug msg="Calling GET /_ping"
May 16 01:26:43 pizdocker1 dockerd[8522]: time="2017-05-16T01:26:43.099027539Z" level=debug msg="Calling GET /v1.29/info"
May 16 01:40:34 pizdocker1 dockerd[8522]: time="2017-05-16T01:40:34.302342476Z" level=debug msg="Calling GET /_ping"
May 16 01:40:34 pizdocker1 rsyslogd-2007: action 'action 17' suspended, next retry is Tue May 16 01:42:04 2017 [try http://www.rsyslog.com/e/2007 ]
May 16 01:40:34 pizdocker1 dockerd[8522]: time="2017-05-16T01:40:34.315925469Z" level=debug msg="Calling GET /v1.29/info"
May 16 01:40:59 pizdocker1 dockerd[8522]: time="2017-05-16T01:40:59.448975611Z" level=debug msg="Calling GET /_ping"
May 16 01:41:00 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:00.060481322Z" level=debug msg="Calling GET /_ping"
May 16 01:41:00 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:00.079034313Z" level=debug msg="Calling POST /v1.29/swarm/join"
May 16 01:41:00 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:00.083550311Z" level=debug msg="form data: {\"AdvertiseAddr\":\"\",\"Availability\":\"\",\"JoinToken\":\"*****\",\"ListenAddr\":\"0.0.0.0:2377\",\"RemoteAddrs\":[\"10.0.20.130:2377\"]}"
May 16 01:41:00 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:00.458580134Z" level=debug msg="retrieved remote CA certificate: /var/lib/docker/swarm/certificates/swarm-root-ca.crt" module=node
May 16 01:41:00 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:00.462288132Z" level=debug msg="downloaded CA certificate" module=node
May 16 01:41:00 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:00.462953132Z" level=debug msg="no node credentials found in: /var/lib/docker/swarm/certificates/swarm-node.crt" error="open /var/lib/docker/swarm/certificates/swarm-node.key: no such file or directory" module=node
May 16 01:41:01 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:01.038571860Z" level=error msg="failed to request save new certificate" error="x509: certificate signed by unknown authority" module="node/tls"
May 16 01:41:01 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:01.042770858Z" level=error msg="cluster exited with error: x509: certificate signed by unknown authority"
May 16 01:41:01 pizdocker1 dockerd[8522]: time="2017-05-16T01:41:01.048404855Z" level=error msg="Handler for POST /v1.29/swarm/join returned error: x509: certificate signed by unknown authority"

Log from the manager for the same event:

May 16 01:39:30 pi3coreserver dockerd[6236]: time="2017-05-16T01:39:30.551167183Z" level=debug msg="Calling GET /_ping"
May 16 01:39:30 pi3coreserver dockerd[6236]: time="2017-05-16T01:39:30.553821841Z" level=debug msg="Calling GET /v1.29/swarm"
May 16 01:39:30 pi3coreserver dockerd[6236]: time="2017-05-16T01:39:30.560401350Z" level=debug msg="Calling GET /v1.29/info"
May 16 01:39:30 pi3coreserver dockerd[6236]: time="2017-05-16T01:39:30.606321460Z" level=debug msg="Calling GET /v1.29/nodes/t5pusiwwxwrpy16wddkg1d7a3"
May 16 01:39:30 pi3coreserver dockerd[6236]: time="2017-05-16T01:39:30.613553098Z" level=debug msg="Calling GET /v1.29/swarm"
May 16 01:39:56 pi3coreserver dockerd[6236]: time="2017-05-16T01:39:56.004692216Z" level=debug msg="Calling GET /_ping"
May 16 01:39:56 pi3coreserver dockerd[6236]: time="2017-05-16T01:39:56.007612131Z" level=debug msg="Calling GET /v1.29/info"
May 16 01:41:00 pi3coreserver dockerd[6236]: time="2017-05-16T01:41:00.888428027Z" level=debug msg="RequestAddress(GlobalDefault/10.255.0.0/16, <nil>, map[])"
May 16 01:41:00 pi3coreserver rsyslogd-2007: action 'action 17' suspended, next retry is Tue May 16 01:42:30 2017 [try http://www.rsyslog.com/e/2007 ]
May 16 01:41:00 pi3coreserver dockerd[6236]: time="2017-05-16T01:41:00.888368809Z" level=debug msg="new certificate entry added" method=IssueNodeCertificate node.id=lupxyz3540mozq64ehvze47k3 node.role=WORKER
May 16 01:41:00 pi3coreserver dockerd[6236]: time="2017-05-16T01:41:00.902339277Z" level=debug msg="started watching for certificate updates" method=NodeCertificateStatus node.id=lupxyz3540mozq64ehvze47k3 status={PENDING }
May 16 01:41:01 pi3coreserver dockerd[6236]: time="2017-05-16T01:41:01.025868101Z" level=debug msg="certificate issued" method="(*Server).signNodeCert" module=ca node.id=lupxyz3540mozq64ehvze47k3 node.role=WORKER
May 16 01:41:01 pi3coreserver dockerd[6236]: time="2017-05-16T01:41:01.127878207Z" level=debug msg="certificate issued" method="(*Server).signNodeCert" module=ca node.id=lupxyz3540mozq64ehvze47k3 node.role=WORKER

Log output from the cfssl server:

2017/05/16 01:41:00 [INFO] signature request received
2017/05/16 01:41:01 [INFO] signed certificate with serial number 319411067249206302477646405448783018625588284486
2017/05/16 01:41:01 [INFO] wrote response
2017/05/16 01:41:01 [INFO] 10.0.20.130:57464 - "POST /api/v1/cfssl/sign" 200
2017/05/16 01:41:01 [INFO] signature request received
2017/05/16 01:41:01 [INFO] signed certificate with serial number 536477945527195995995792321903226089752622670549
2017/05/16 01:41:01 [INFO] wrote response
2017/05/16 01:41:01 [INFO] 10.0.20.130:57464 - "POST /api/v1/cfssl/sign" 200

Describe the results you received:

The result was a simple and cryptic error from the worker:

Error response from daemon: x509: certificate signed by unknown authority

Describe the results you expected:

A clean connection from the swarm worker to the manager with the external CA.

Additional information you deem important (e.g. issue happens only occasionally):

This is extremely repeatable. I put the cert all over the place on the system as well as added certs to the daemon config like so:

{
        "hosts": ["tcp://10.0.20.130:2376", "unix:///var/run/docker.sock"],
        "dns": ["8.8.8.8", "8.8.4.4"],
        "tlsverify": true,
        "tlscacert": "/opt/certs/ca.pem",
        "tlscert": "/opt/certs/pi3coreserver.pem",
        "tlskey": "/opt/certs/pi3coreserver-key.pem",
        "debug": true
}

I put the cert in the following locations:

/usr/local/share/ca-certificates/ca.crt
/usr/local/share/ca-certificates/ca-local.crt
/usr/local/share/ca-certificates/piworkernet.crt
/usr/local/share/ca-certificates/piworkernet/ca.crt
/etc/docker/certs.d/piworkernet/ca.crt

Output of docker version:
For manager node:

Client:
 Version:      17.05.0-ce
 API version:  1.29
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:30:54 2017
 OS/Arch:      linux/arm

Server:
 Version:      17.05.0-ce
 API version:  1.29 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:30:54 2017
 OS/Arch:      linux/arm
 Experimental: false

For client node:

Client:
 Version:      17.05.0-ce
 API version:  1.29
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:30:54 2017
 OS/Arch:      linux/arm

Server:
 Version:      17.05.0-ce
 API version:  1.29 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:30:54 2017
 OS/Arch:      linux/arm
 Experimental: false

Output of docker info:

For manager node after worker node connection attempt:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 3
Server Version: 17.05.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: active
 NodeID: t5pusiwwxwrpy16wddkg1d7a3
 Is Manager: true
 ClusterID: yxar145djq2bswnhyv71cpokb
 Managers: 1
 Nodes: 2
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
  External CAs:
    cfssl: http://10.0.20.130:8888/api/v1/cfssl/sign
 Node Address: 10.0.20.130
 Manager Addresses:
  10.0.20.130:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Kernel Version: 4.4.50-v7+
Operating System: Raspbian GNU/Linux 8 (jessie)
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 925.5MiB
Name: pi3coreserver
ID: 3ZNS:66AM:54YT:D5BN:Z7GU:SPL4:ANPK:AA4B:5HCJ:2LCH:F7TN:YRTC
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 30
 Goroutines: 124
 System Time: 2017-05-16T01:49:59.739391665Z
 EventsListeners: 0
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpuset support

For worker node after connection attempt:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 17.05.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Kernel Version: 4.9.24+
Operating System: Raspbian GNU/Linux 8 (jessie)
OSType: linux
Architecture: armv6l
CPUs: 1
Total Memory: 481.7MiB
Name: pizdocker1
ID: OBJL:BQ4U:YEDI:I4T2:VEIL:G5DA:3GJD:MUEX:T7AM:3JMQ:GOHT:IIXN
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 17
 Goroutines: 23
 System Time: 2017-05-16T01:53:55.055424678Z
 EventsListeners: 0
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpuset support

Additional environment details (AWS, VirtualBox, physical, etc.):
There are 2 RPI's in use but it appears to matter little to allow this to work.

[thaJeztah]

ping @cyli @diogomonica PTAL

[cyli]

To start up a node with an external cert, I believe you have to put it in /var/lib/docker/swarm/certificates/swarm-root-ca.crt before running swarm init. That tells swarm to use that CA when starting up, rather than generating its own. Looking at the output from your docker swarm init, it looks like the manager generated its own CA cert and key:

May 16 01:35:17 pi3coreserver dockerd[6236]: time="2017-05-16T01:35:17.755405921Z" level=debug msg="generated CA key and certificate" module=node

The swarm CA first tries to sign with the external CA, which succeeds, but has a different root CA than the swarm, and returns that cert to the worker. The worker can't validate it with the swarm CA, though, because it's different.

The swarm manager would attempt to validate the external CA's TLS connection using its own root cert, but because the external server is over http, rather than https, it didn't seem to error.

FWIW, we are working on a feature that makes it easier to rotate the swarm CA to an external CA (see docker/cli#48), but in the meantime, before you initialize the first manager node, please place the external CA cert in /var/lib/docker/swarm/certificates/swarm-root-ca.crt.

We will also disallow non-https external URLs as part of that feature, so hopefully the error message would be more useful as well (there should be a verification error on the manager, not the worker).

[cyli]

Hm... actually 17.05 already disallows updating to external CA URLs without https. I think we also need to add the validation to init. I've filed an issue to address that.

(the above comment still applies, this is just an additional defect :))

[splytech]

First, I appreciate the information. I tried it out but it looks like it overwrites the CA that I put there even after I put it there.

Before swarm init:

root@pi3coreserver:/var/lib/docker/swarm/certificates# ls -alL
total 20
drwxr-xr-x 2 root root 4096 May 17 01:07 .
drwx------ 3 root root 4096 May 17 01:05 ..
-rw-r--r-- 1 root root 1562 May 17 01:06 swarm-node.crt
-rw-r--r-- 1 root root 1679 May 17 01:07 swarm-node.key
-rw-r--r-- 1 root root 1322 May 17 01:05 swarm-root-ca.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-node.crt 
e11fc40135e4f83341c6417ca7459eb7  swarm-node.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-node.key 
c8f7196d4169febc3c0d427aa33fe718  swarm-node.key
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-root-ca.crt 
266b3f72c618ac65de7b83fd69d3024a  swarm-root-ca.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/ca.pem 
266b3f72c618ac65de7b83fd69d3024a  /opt/certs/ca.pem
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/pi3coreserver.pem 
e11fc40135e4f83341c6417ca7459eb7  /opt/certs/pi3coreserver.pem
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/pi3coreserver-key.pem 
c8f7196d4169febc3c0d427aa33fe718  /opt/certs/pi3coreserver-key.pem

After swarm init:

root@pi3coreserver:/var/lib/docker/swarm/certificates# ls -alL
total 20
drwxr-xr-x 2 root root 4096 May 17 01:09 .
drwx------ 5 root root 4096 May 17 01:09 ..
-rw-r--r-- 1 root root  826 May 17 01:09 swarm-node.crt
-rw------- 1 root root  302 May 17 01:09 swarm-node.key
-rw-r--r-- 1 root root  550 May 17 01:09 swarm-root-ca.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum ./swarm-root-ca.crt 
1bf49e4335c08980e5bd7ec912ac7797  ./swarm-root-ca.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-node.crt 
16f3a73d211bbcbcae14f0276047b2aa  swarm-node.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-node.key 
c05b9a7c7cae17d9a7fcbb3805dcf78a  swarm-node.key

Log after doing the init:

May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.130706096Z" level=debug msg="Calling POST /v1.29/swarm/init"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.131365464Z" level=debug msg="form data: {\"AdvertiseAddr\":\"10.0.20.130\",\"AutoLockManagers\":false,\"Availability\":\"\",\"ForceNewCluster\":false,\"ListenAddr\":\"0.0.0.0:2377\",\"Spec\":{\"CAConfig\":{\"ExternalCAs\":[{\"Protocol\":\"cfssl\",\"URL\":\"https://10.0.20.130:8888/api/v1/cfssl/sign\"}]},\"Dispatcher\":{},\"EncryptionConfig\":{\"AutoLockManagers\":false},\"Labels\":null,\"Orchestration\":{},\"Raft\":{\"ElectionTick\":0,\"HeartbeatTick\":0},\"TaskDefaults\":{}}}"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.280708267Z" level=debug msg="generated CA key and certificate" module=node
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.280935713Z" level=debug msg="no node credentials found in: /var/lib/docker/swarm/certificates/swarm-node.crt" error="open /var/lib/docker/swarm/certificates/swarm-node.key: no such file or directory" module=node
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.360851823Z" level=debug msg="issued new TLS certificate" module="node/tls" node.id=s4budc4xoxyu9jvq0g7xonyfx node.role=swarm-manager
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.362430295Z" level=debug msg="new node credentials generated: /var/lib/docker/swarm/certificates/swarm-node.crt" module="node/tls" node.id=s4budc4xoxyu9jvq0g7xonyfx node.role=swarm-manager
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.380048125Z" level=debug msg="next certificate renewal scheduled for 1201h54m16.620032916s from now" module="node/tls" node.id=s4budc4xoxyu9jvq0g7xonyfx node.role=swarm-manager time=2017-07-06 03:04:00.000002656 +0000 UTC
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.397402155Z" level=info msg="Listening for connections" addr="[::]:2377" module=node node.id=s4budc4xoxyu9jvq0g7xonyfx proto=tcp
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.397655381Z" level=info msg="Listening for local connections" addr="/var/run/docker/swarm/control.sock" module=node node.id=s4budc4xoxyu9jvq0g7xonyfx proto=unix
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.413399585Z" level=info msg="3ad2ff7b3e4c443a became follower at term 0" module=raft node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.413551510Z" level=info msg="newRaft 3ad2ff7b3e4c443a [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]" module=raft node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.413629530Z" level=info msg="3ad2ff7b3e4c443a became follower at term 1" module=raft node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.417121732Z" level=info msg="3ad2ff7b3e4c443a is starting a new election at term 1" module=raft node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.417269334Z" level=info msg="3ad2ff7b3e4c443a became candidate at term 2" module=raft node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.417355844Z" level=info msg="3ad2ff7b3e4c443a received MsgVoteResp from 3ad2ff7b3e4c443a at term 2" module=raft node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.417464072Z" level=info msg="3ad2ff7b3e4c443a became leader at term 2" module=raft node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.417542040Z" level=info msg="raft.node: 3ad2ff7b3e4c443a elected leader 3ad2ff7b3e4c443a at term 2" module=raft node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.420022950Z" level=info msg="Creating default ingress network" module=node node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.427705888Z" level=debug msg="RequestPool(GlobalDefault, 10.255.0.0/16, , map[], false)"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.427951927Z" level=debug msg="RequestAddress(GlobalDefault/10.255.0.0/16, <nil>, map[RequestAddressType:com.docker.network.gateway])"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.435126276Z" level=debug msg="Updating security config due to change in cluster Root CA" cluster.id=8uq1oj9bw1n7n0ibu6udtz5xt method="(*Server).UpdateRootCA" module=ca node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.503809279Z" level=debug msg="(*Agent).run" module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.525689353Z" level=debug msg="Root CA updated successfully" cluster.id=8uq1oj9bw1n7n0ibu6udtz5xt method="(*Server).UpdateRootCA" module=ca node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.525867789Z" level=debug msg="Updating security config due to change in cluster Root CA or cluster spec" cluster.id=8uq1oj9bw1n7n0ibu6udtz5xt method="(*Server).UpdateRootCA" module=ca node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.534247958Z" level=debug msg="RequestAddress(GlobalDefault/10.255.0.0/16, <nil>, map[])"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.545179819Z" level=debug msg="(*session).start" module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.637758291Z" level=debug msg="node status updated" method="(*Dispatcher).processUpdates" module=dispatcher node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.647141522Z" level=debug msg="(*session).listen" module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx session.id=9hoapc9fg00tlp54rok11hg44
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.647139439Z" level=debug method="(*session).watch" module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx session.id=9hoapc9fg00tlp54rok11hg44
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.647317875Z" level=debug msg="(*session).heartbeat" module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx session.id=9hoapc9fg00tlp54rok11hg44
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.647097044Z" level=debug method="(*session).logSubscriptions" module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx session.id=9hoapc9fg00tlp54rok11hg44
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.654159154Z" level=info msg="Initializing Libnetwork Agent Listen-Addr=0.0.0.0 Local-addr=10.0.20.130 Adv-addr=10.0.20.130 Remote-addr ="
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.654334048Z" level=debug msg="agent: registered" module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.654532379Z" level=info msg="Initializing Libnetwork Agent Listen-Addr=0.0.0.0 Local-addr=10.0.20.130 Adv-addr=10.0.20.130 Remote-addr ="
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.654834251Z" level=info msg="Gossip cluster hostname pi3coreserver-e8e6fcb4b1b1"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.654985447Z" level=debug msg="Encryption key 1: eb9b9"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.655044405Z" level=debug msg="Encryption key 2: f4de3"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.655096488Z" level=debug msg="Encryption key 3: 0f4b8"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.656206580Z" level=debug msg="Initial encryption keys: [(key: f83dd, tag: 0xa82) (key: ecf2e, tag: 0xa81) (key: 069ac, tag: 0xa83)]"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.657405786Z" level=debug msg="Initial encryption keys: [(key: f83dd, tag: 0xa82) (key: ecf2e, tag: 0xa81) (key: 069ac, tag: 0xa83)]"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.658672803Z" level=debug msg="Allocating IPv4 pools for network ingress (3eoeibg42edfz6e8ytz1bm4cv)"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.658819364Z" level=debug msg="RequestPool(LocalDefault, 10.255.0.0/16, , map[], false)"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.659013112Z" level=debug msg="RequestAddress(LocalDefault/10.255.0.0/16, 10.255.0.1, map[RequestAddressType:com.docker.network.gateway])"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.659164100Z" level=debug msg="overlay: Received vxlan IDs: 4096"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.659293786Z" level=debug msg="/sbin/iptables, [--wait -t mangle -C OUTPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j MARK --set-mark 13681891]"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.663401554Z" level=debug msg="node registered" method="(*LogBroker).ListenSubscriptions" node=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.663733061Z" level=debug method="(*Dispatcher).Assignments" node.id=s4budc4xoxyu9jvq0g7xonyfx node.session=9hoapc9fg00tlp54rok11hg44
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.677004323Z" level=debug msg="Updating security config due to change in cluster Root CA or cluster spec" cluster.id=8uq1oj9bw1n7n0ibu6udtz5xt method="(*Server).UpdateRootCA" module=node node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.681029331Z" level=debug msg="(*worker).Assign" len(assignments)=0 module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.681214850Z" level=debug msg="(*worker).reconcileSecrets" len(removedSecrets)=0 len(updatedSecrets)=0 module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.681313547Z" level=debug msg="(*worker).reconcileTaskState" len(removedTasks)=0 len(updatedTasks)=0 module="node/agent" node.id=s4budc4xoxyu9jvq0g7xonyfx
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.684593042Z" level=debug msg="Calling GET /v1.29/nodes/s4budc4xoxyu9jvq0g7xonyfx"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.690783287Z" level=debug msg="/sbin/iptables, [--wait -t filter -C INPUT -m policy --dir in --pol ipsec -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j ACCEPT]"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.696085417Z" level=debug msg="Calling GET /v1.29/swarm"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.702535764Z" level=debug msg="/sbin/iptables, [--wait -t filter -C INPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j DROP]"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.714589383Z" level=debug msg="pi3coreserver-e8e6fcb4b1b1: joined network 3eoeibg42edfz6e8ytz1bm4cv"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.714726725Z" level=debug msg="pi3coreserver-e8e6fcb4b1b1: Initiating bulk sync with nodes [pi3coreserver-e8e6fcb4b1b1]"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.715034013Z" level=debug msg="/sbin/iptables, [--wait -t filter -L DOCKER-INGRESS]"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.919761631Z" level=debug msg="Assigning addresses for endpoint ingress-endpoint's interface on network ingress"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.919923869Z" level=debug msg="RequestAddress(LocalDefault/10.255.0.0/16, 10.255.0.2, map[])"
May 17 01:09:43 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:43.924946783Z" level=debug msg="Assigning addresses for endpoint ingress-endpoint's interface on network ingress"
May 17 01:09:44 pi3coreserver dockerd[6236]: time="2017-05-17T01:09:44.150254333Z" level=error msg="Failed joining ingress sandbox to ingress endpoint: subnet sandbox join failed for \"10.255.0.0/16\": error creating vxlan interface: operation not supported"

Now it appears that the certs get overwritten when swarm init is run. I am doesn't appear to accept the CA I supply based on the path above. Also it appears that if I turn on cfssl's TLS mode with certs from the same CA doesn't appear to be accepted by the engine, assuming it is due to the same issue. I assume there is something else I need to do to initiate this correctly.

[cyli]

@splytech - Could you manually get a cert and key from the external CA as well and place them into the files swarm-node.crt and swarm-node.key before doing a swarm init as well?

The cert should have an OU=swarm-manager, and SANs (in addition to whatever you set the common name to be) DNS:swarm-manager and DNS:swarm-ca.

[splytech]

Config of new server cert using cfssl:

{
    "CN": "pi3coreserver",
    "hosts": [
        "swarm-manager",
        "swarm-ca",
        "pi3coreserver",
        "pi3coreserver.local",
        "pi3coreserver.piworkernet.net",
		...
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "ST": "CA",
            "L": "London",
            "O": "piworkernet",
            "OU": "swarm-manager"
        }
    ]
}

Openssl Verification:

> openssl x509 -in pi3coreserver.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:b1:2e:1a:b5:d2:3e:07:c5:61:11:68:60:89:53:be:e4:cc:de:89
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=London, O=piworkernet, OU=pidocker, CN=piworkernet
        Validity
            Not Before: May 17 10:04:00 2017 GMT
            Not After : May 17 10:04:00 2018 GMT
        Subject: C=US, ST=CA, L=London, O=piworkernet, OU=swarm-manager, CN=pi3coreserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9c:c9:54:9b:a1:5e:e6:b8:b8:43:52:21:cf:ce:
                    c1:65:ee:98:48:b1:90:f7:67:8a:a0:21:25:4c:6d:
                    50:ea:1d:0d:40:36:3e:5b:75:ed:3b:1a:a3:b6:f1:
                    e4:53:a1:84:47:ee:ed:dd:e7:49:ef:19:c2:e9:0c:
                    b7:6c:57:bc:74:cb:ef:b2:d0:1c:36:19:0c:fa:1f:
                    dd:f6:d6:72:df:83:27:4c:27:35:e9:12:e6:de:71:
                    66:90:ad:e0:9f:19:c7:57:71:99:a9:59:d2:f4:c3:
                    4d:b7:32:53:9a:e4:4a:dc:e1:8b:8f:76:5a:4c:7f:
                    fc:c6:d8:9f:2c:25:f2:cb:ea:32:7e:57:c5:5b:a0:
                    3e:92:8d:66:c7:f3:44:c5:3d:a8:93:c6:83:72:03:
                    1c:67:e6:d5:70:70:4f:75:ce:ec:d1:e9:14:3d:88:
                    6e:44:1e:2e:3b:9c:1d:a8:66:0c:b3:99:66:27:83:
                    e8:c0:7c:d7:6e:b7:bf:25:e9:55:7e:90:f7:6b:9d:
                    59:52:f7:93:74:c4:37:7e:72:58:ea:62:5b:ce:ba:
                    3c:1a:ae:d4:91:19:c8:59:0b:e1:8b:fc:ce:6b:65:
                    6b:26:53:03:a4:fa:30:31:87:43:d9:36:c0:92:e6:
                    88:79:9c:95:a4:3a:55:4f:e9:c5:26:3c:f2:5f:a9:
                    fe:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                AD:59:0A:D4:A8:35:FE:DF:B1:23:33:C3:34:EF:83:42:60:3E:3E:51
            X509v3 Authority Key Identifier: 
                keyid:D5:F7:CC:66:ED:A7:80:1A:70:A6:62:F1:2C:FB:BF:42:E8:AC:B9:79

            X509v3 Subject Alternative Name: 
                DNS:swarm-manager, DNS:swarm-ca, DNS:pi3coreserver, DNS:pi3coreserver.local, DNS:pi3coreserver.piworkernet.net, IP Address:10.0.20.130...
    Signature Algorithm: sha256WithRSAEncryption
         9e:e2:00:35:60:39:30:b4:57:ef:dd:8d:d7:21:db:d5:6a:9e:
         48:c2:19:25:06:24:74:bd:61:d0:32:c9:a8:42:8e:5a:35:08:
         67:d0:b1:93:95:41:b7:96:bf:7f:51:93:60:55:86:b5:86:c9:
         e2:c1:3d:0c:fc:55:9b:43:e4:19:89:28:d5:dc:8c:92:db:47:
         36:44:7c:6e:79:8d:f5:44:87:77:a1:2b:57:b7:16:56:ba:c2:
         84:8e:9f:39:79:b1:49:30:aa:cc:01:9a:6e:a0:b2:e7:8a:f1:
         3b:81:bd:e7:10:28:b5:03:c9:fc:ba:85:de:f2:ff:b9:9f:4c:
         3d:ce:bf:60:41:8e:50:53:de:88:e7:9a:58:d2:94:d4:df:da:
         68:10:05:4b:16:55:29:86:48:12:e5:51:6a:cb:3e:f2:2b:9e:
         b4:69:79:97:7b:14:16:72:23:24:42:33:d2:33:ce:66:57:c0:
         1f:ea:6c:b3:1b:fd:c1:e5:5e:80:f9:41:7e:77:44:2d:21:0b:
         29:5d:43:5c:95:43:d8:3e:3e:00:7a:f4:7b:ab:3d:d2:e1:3b:
         0f:31:c0:87:a8:dc:50:79:64:53:86:57:7f:4c:59:32:b9:b3:
         0d:cb:09:c6:bd:72:2d:bd:b2:01:8e:ac:a0:7e:b9:43:96:01:
         23:b6:d8:d0

Quick hash check before swarm init:

root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/ca.pem 
266b3f72c618ac65de7b83fd69d3024a  /opt/certs/ca.pem
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-root-ca.crt 
266b3f72c618ac65de7b83fd69d3024a  swarm-root-ca.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/pi3coreserver.pem 
f588faafd625eb5bbcf01e674d76c63f  /opt/certs/pi3coreserver.pem
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum ./swarm-node.crt 
f588faafd625eb5bbcf01e674d76c63f  ./swarm-node.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/pi3coreserver-key.pem 
73ffd207fee3da4e28d844faef488622  /opt/certs/pi3coreserver-key.pem
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum ./swarm-node.key 
73ffd207fee3da4e28d844faef488622  ./swarm-node.key

For clarity the cfssl serve command line:

cfssl serve -ca /opt/certs/ca.pem -ca-key /opt/certs/ca-key.pem -config ca-config.json -tls-key /opt/certs/pi3coreserver-key.pem -tls-cert /opt/certs/pi3coreserver.pem -address=10.0.20.130

Startup Output:

2017/05/17 10:16:48 [INFO] Initializing signer
2017/05/17 10:16:48 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2017/05/17 10:16:48 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2017/05/17 10:16:48 [INFO] setting up key / CSR generator
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2017/05/17 10:16:48 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2017/05/17 10:16:48 [INFO] bundler API ready
2017/05/17 10:16:48 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2017/05/17 10:16:48 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
2017/05/17 10:16:48 [INFO] endpoint '/' is enabled
2017/05/17 10:16:48 [WARNING] endpoint 'authsign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
2017/05/17 10:16:48 [INFO] Handler set up complete.
2017/05/17 10:16:48 [INFO] Now listening on https://10.0.20.130:8888

Swarm Directory and Certificate Directory after swarm init:

root@pi3coreserver:/var/lib/docker/swarm# ls -al
total 28
drwx------  5 root root 4096 May 17 10:20 .
drwx--x--x 12 root root 4096 May 16 01:09 ..
drwxr-xr-x  2 root root 4096 May 17 10:20 certificates
-rw-------  1 root root  106 May 17 10:20 docker-state.json
drwx------  4 root root 4096 May 17 10:20 raft
-rw-------  1 root root   67 May 17 10:20 state.json
drwxr-xr-x  2 root root 4096 May 17 10:20 worker
root@pi3coreserver:/var/lib/docker/swarm# cd certificates/
root@pi3coreserver:/var/lib/docker/swarm/certificates# ls -al
total 20
drwxr-xr-x 2 root root 4096 May 17 10:20 .
drwx------ 5 root root 4096 May 17 10:20 ..
-rw-r--r-- 1 root root  826 May 17 10:20 swarm-node.crt
-rw------- 1 root root  302 May 17 10:20 swarm-node.key
-rw-r--r-- 1 root root  554 May 17 10:20 swarm-root-ca.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-root-ca.crt 
84e26b13c80974841fb0389e3ee37017  swarm-root-ca.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/ca.pem 
266b3f72c618ac65de7b83fd69d3024a  /opt/certs/ca.pem
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-node.crt 
21449d2bb70f9f6917e0f18905bfd5cb  swarm-node.crt
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/pi3coreserver.pem 
f588faafd625eb5bbcf01e674d76c63f  /opt/certs/pi3coreserver.pem
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum /opt/certs/pi3coreserver-key.pem 
73ffd207fee3da4e28d844faef488622  /opt/certs/pi3coreserver-key.pem
root@pi3coreserver:/var/lib/docker/swarm/certificates# md5sum swarm-node.key 
22a636daec3b85eb8c9467d1727ae071  swarm-node.key
root@pi3coreserver:/var/lib/docker/swarm/certificates# 

Log from dockerd for swarm init after including the new certs:

msg="Calling GET /_ping"
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.601775599Z" level=debug msg="Calling GET /_ping"
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.605737379Z" level=debug msg="Calling POST /v1.29/swarm/init"
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.606367633Z" level=debug msg="form data: {\"AdvertiseAddr\":\"10.0.20.130\",\"AutoLockManagers\":false,\"Availability\":\"\",\"ForceNewCluster\":false,\"ListenAddr\":\"0.0.0.0:2377\",\"Spec\":{\"CAConfig\":{\"ExternalCAs\":[{\"Protocol\":\"cfssl\",\"URL\":\"https://10.0.20.130:8888/api/v1/cfssl/sign\"}]},\"Dispatcher\":{},\"EncryptionConfig\":{\"AutoLockManagers\":false},\"Labels\":null,\"Orchestration\":{},\"Raft\":{\"ElectionTick\":0,\"HeartbeatTick\":0},\"TaskDefaults\":{}}}"
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.757434553Z" level=debug msg="generated CA key and certificate" module=node
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.757681582Z" level=debug msg="no node credentials found in: /var/lib/docker/swarm/certificates/swarm-node.crt" error="open /var/lib/docker/swarm/certificates/swarm-node.key: no such file or directory" module=node
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.839542630Z" level=debug msg="issued new TLS certificate" module="node/tls" node.id=ulqfh17g1629d9bitkqy0ouxg node.role=swarm-manager
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.841296830Z" level=debug msg="new node credentials generated: /var/lib/docker/swarm/certificates/swarm-node.crt" module="node/tls" node.id=ulqfh17g1629d9bitkqy0ouxg node.role=swarm-manager
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.860019754Z" level=debug msg="next certificate renewal scheduled for 1293h8m22.140060088s from now" module="node/tls" node.id=ulqfh17g1629d9bitkqy0ouxg node.role=swarm-manager time=2017-07-10 07:29:00.000002552 +0000 UTC
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.875997291Z" level=info msg="Listening for connections" addr="[::]:2377" module=node node.id=ulqfh17g1629d9bitkqy0ouxg proto=tcp
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.876008541Z" level=info msg="Listening for local connections" addr="/var/run/docker/swarm/control.sock" module=node node.id=ulqfh17g1629d9bitkqy0ouxg proto=unix
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.895601404Z" level=info msg="30c62f2346c2a9b7 became follower at term 0" module=raft node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.895758538Z" level=info msg="newRaft 30c62f2346c2a9b7 [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]" module=raft node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.895840516Z" level=info msg="30c62f2346c2a9b7 became follower at term 1" module=raft node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.898325645Z" level=info msg="30c62f2346c2a9b7 is starting a new election at term 1" module=raft node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.898487102Z" level=info msg="30c62f2346c2a9b7 became candidate at term 2" module=raft node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.898570226Z" level=info msg="30c62f2346c2a9b7 received MsgVoteResp from 30c62f2346c2a9b7 at term 2" module=raft node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.898677673Z" level=info msg="30c62f2346c2a9b7 became leader at term 2" module=raft node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.898752985Z" level=info msg="raft.node: 30c62f2346c2a9b7 elected leader 30c62f2346c2a9b7 at term 2" module=raft node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.901441914Z" level=info msg="Creating default ingress network" module=node node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.906045354Z" level=debug msg="RequestPool(GlobalDefault, 10.255.0.0/16, , map[], false)"
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.906319987Z" level=debug msg="RequestAddress(GlobalDefault/10.255.0.0/16, <nil>, map[RequestAddressType:com.docker.network.gateway])"
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.911088269Z" level=debug msg="Updating security config due to change in cluster Root CA" cluster.id=54kry8t6ayakufgto7di7z2yf method="(*Server).UpdateRootCA" module=ca node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.991368293Z" level=debug msg="(*Agent).run" module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.014691636Z" level=debug msg="Root CA updated successfully" cluster.id=54kry8t6ayakufgto7di7z2yf method="(*Server).UpdateRootCA" module=ca node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.014905801Z" level=debug msg="Updating security config due to change in cluster Root CA or cluster spec" cluster.id=54kry8t6ayakufgto7di7z2yf method="(*Server).UpdateRootCA" module=ca node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.029795016Z" level=debug msg="RequestAddress(GlobalDefault/10.255.0.0/16, <nil>, map[])"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.029795745Z" level=debug msg="(*session).start" module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.108905313Z" level=debug msg="node status updated" method="(*Dispatcher).processUpdates" module=dispatcher node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.117131266Z" level=debug msg="(*session).heartbeat" module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg session.id=o46ngsx972bfz0fohw34kg23b
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.117129027Z" level=debug method="(*session).logSubscriptions" module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg session.id=o46ngsx972bfz0fohw34kg23b
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.117295483Z" level=debug msg="(*session).listen" module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg session.id=o46ngsx972bfz0fohw34kg23b
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.117189130Z" level=debug method="(*session).watch" module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg session.id=o46ngsx972bfz0fohw34kg23b
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.119454470Z" level=debug msg="node registered" method="(*LogBroker).ListenSubscriptions" node=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.120218473Z" level=debug method="(*Dispatcher).Assignments" node.id=ulqfh17g1629d9bitkqy0ouxg node.session=o46ngsx972bfz0fohw34kg23b
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.125767892Z" level=info msg="Initializing Libnetwork Agent Listen-Addr=0.0.0.0 Local-addr=10.0.20.130 Adv-addr=10.0.20.130 Remote-addr ="
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.125938099Z" level=debug msg="agent: registered" module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.126157524Z" level=info msg="Initializing Libnetwork Agent Listen-Addr=0.0.0.0 Local-addr=10.0.20.130 Adv-addr=10.0.20.130 Remote-addr ="
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.126517520Z" level=info msg="Gossip cluster hostname pi3coreserver-ad0cdd1d338d"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.126770746Z" level=debug msg="Encryption key 1: 041d3"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.126842724Z" level=debug msg="Encryption key 2: e432d"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.126896109Z" level=debug msg="Encryption key 3: 0665f"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.128124898Z" level=debug msg="Initial encryption keys: [(key: 06fc6, tag: 0x434c) (key: 565a7, tag: 0x434b) (key: 5a057, tag: 0x434d)]"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.129733735Z" level=debug msg="Initial encryption keys: [(key: 06fc6, tag: 0x434c) (key: 565a7, tag: 0x434b) (key: 5a057, tag: 0x434d)]"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.126063358Z" level=debug msg="(*worker).Assign" len(assignments)=0 module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.131623038Z" level=debug msg="Allocating IPv4 pools for network ingress (lxydtn9ep4k65ox1bfp0jqx5a)"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.135727317Z" level=debug msg="RequestPool(LocalDefault, 10.255.0.0/16, , map[], false)"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.135863721Z" level=debug msg="(*worker).reconcileSecrets" len(removedSecrets)=0 len(updatedSecrets)=0 module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.135981585Z" level=debug msg="RequestAddress(LocalDefault/10.255.0.0/16, 10.255.0.1, map[RequestAddressType:com.docker.network.gateway])"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.135995699Z" level=debug msg="(*worker).reconcileTaskState" len(removedTasks)=0 len(updatedTasks)=0 module="node/agent" node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.136141062Z" level=debug msg="overlay: Received vxlan IDs: 4096"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.136287675Z" level=debug msg="/sbin/iptables, [--wait -t mangle -C OUTPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j MARK --set-mark 13681891]"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.144867479Z" level=debug msg="Updating security config due to change in cluster Root CA or cluster spec" cluster.id=54kry8t6ayakufgto7di7z2yf method="(*Server).UpdateRootCA" module=node node.id=ulqfh17g1629d9bitkqy0ouxg
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.157749997Z" level=debug msg="Calling GET /v1.29/nodes/ulqfh17g1629d9bitkqy0ouxg"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.165964180Z" level=debug msg="/sbin/iptables, [--wait -t filter -C INPUT -m policy --dir in --pol ipsec -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j ACCEPT]"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.171476048Z" level=debug msg="Calling GET /v1.29/swarm"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.179157892Z" level=debug msg="/sbin/iptables, [--wait -t filter -C INPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=1048576 -j DROP]"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.193125503Z" level=debug msg="pi3coreserver-ad0cdd1d338d: joined network lxydtn9ep4k65ox1bfp0jqx5a"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.193247585Z" level=debug msg="pi3coreserver-ad0cdd1d338d: Initiating bulk sync with nodes [pi3coreserver-ad0cdd1d338d]"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.193547373Z" level=debug msg="/sbin/iptables, [--wait -t filter -L DOCKER-INGRESS]"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.397737422Z" level=debug msg="Assigning addresses for endpoint ingress-endpoint's interface on network ingress"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.397902576Z" level=debug msg="RequestAddress(LocalDefault/10.255.0.0/16, 10.255.0.2, map[])"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.405205831Z" level=debug msg="Assigning addresses for endpoint ingress-endpoint's interface on network ingress"
May 17 10:20:38 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:38.630269770Z" level=error msg="Failed joining ingress sandbox to ingress endpoint: subnet sandbox join failed for \"10.255.0.0/16\": error creating vxlan interface: operation not supported"

The 3 lines that seems to ignore the generated ca and server cert:

May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.757434553Z" level=debug msg="generated CA key and certificate" module=node
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.757681582Z" level=debug msg="no node credentials found in: /var/lib/docker/swarm/certificates/swarm-node.crt" error="open /var/lib/docker/swarm/certificates/swarm-node.key: no such file or directory" module=node
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.839542630Z" level=debug msg="issued new TLS certificate" module="node/tls" node.id=ulqfh17g1629d9bitkqy0ouxg node.role=swarm-manager
May 17 10:20:37 pi3coreserver dockerd[6236]: time="2017-05-17T10:20:37.841296830Z" level=debug msg="new node credentials generated: /var/lib/docker/swarm/certificates/swarm-node.crt" module="node/tls" node.id=ulqfh17g1629d9bitkqy0ouxg node.role=swarm-manager

It appears to just immediately create a ca and ignore the external-ca command all together and/or not care there is a certificates directory on init. I did notice that on docker swarm leave --force, the whole swarm directory gets deleted. In the external CA case it may be worth making sure only the certificates directory remain as it would be a copy of the certs relevant to the external ca.

[thaJeztah]

@splytech since we're preparing the 17.06 release, would you be able to verify if this is a regression since docker 17.03?

[thaJeztah]

I'm adding this to the milestone and add a priority label, so that we don't overlook checking this.