Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates #346

Closed
hong-jiang opened this Issue Dec 12, 2015 · 36 comments

@hong-jiang

Got this error on trying to create machine default, by clicking on Docker Quick Start Terminal.

Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": dial tcp 192.168.99.100:2376: i/o timeout

You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.

Tried the following steps and nothing worked:

  1. upgraded virtualbox to the latest version 5.0.10 r104061
  2. regenerated the certs and got the same error
  3. removed all host-only networks from virtualbox

@mgcdanny

Hi,

Did you see this thread?

docker/machine#2136

This worked for me:

"As mentioned in the error line https://gist.github.com/gregory/3b3c4768df89adb3780d#file-debug-docker-machine-L202, you have conflicting / invalid host only interfaces. I'd recommend removing all of them that you can from the VirtualBox GUI -- (in menu bar: VirtualBox => Preferences => Network => Host-only networks). In your case, looks like vboxnet3 and vboxnet5 are the troubled ones."

@vmshah-github

I have the same problem.

Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": dial tcp
192.168.99.100:2376: connectex: No connection could be made because the target machine actively refused it.
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which will stop running containers.

I tried to recreate certificates but no help.
Following is output of regenerate-certs

$ docker-machine regenerate-certs default
Regenerate TLS machine certs? Warning: this is irreversible. (y/n): y
Regenerating TLS certificates
Detecting the provisioner...
Unable to verify the Docker daemon is listening: Maximum number of retries (5) exceeded

I did all the steps mentioned by hong-jiang.
I am getting this problem with Windows 7 and often.
Every time this issue occurs I have to recreate my default VM. It will work for a couple of days then will have the issue again.
Let me know if I need to post more debug info so that someone can help me.

@jeffdm jeffdm added the bug label Dec 22, 2015
@romansky

@mgcdanny's suggestion worked for me; make sure you go to VirtualBox->preferences->network (as suggested) and are not tempted to press the "Settings" button on the main screen.

@hong-jiang

@mgcdanny I read that thread before. Deleting host only networks did not work for me, I tried several times.

Today I tried the following and finally the default VM was up and running, without any errors!!!

  1. removed host only networks from Virtual Box.
  2. restart my laptop (sometimes, I think restarting the Mac may do some tricks, believe it or not. I did not do this step before.)
  3. uninstall docker. (I did not do this step before either.)
  4. install docker, 1.9.1f (this is a new version, my last one is 1.9.1c)
  5. launch Quickstart Terminal and default VM is up

Looking back at all the steps, I think probably the new version 1.9.1f is the key part for the success. So if you still see the issue, try uninstalling and installing this new one. Good Luck!!!

@hong-jiang hong-jiang closed this Dec 23, 2015
@sethcleveland

I saw this error using 1.9.1f on mac 10.10.5.

Error creating machine: Error checking the host: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": dial tcp 192.168.99.100:2376: i/o timeout

Based on some of the related issues, I resolved it by changing the hostonly-cidr to another private network. https://en.wikipedia.org/wiki/Private_network. And everything's hunky dory right now... Without knowing all the details, I guess the virtualbox hostonly interface conflicted with my home router. I also removed the other hostonly interfaces.

docker-machine create --driver virtualbox --virtualbox-hostonly-cidr "10.0.0.1/24" default
Running pre-create checks...
Creating machine...
(default) Creating VirtualBox VM...
(default) Creating SSH key...
(default) Starting VM...
Waiting for machine to be running, this may take a few minutes...
Machine is running, waiting for SSH to be available...
Detecting operating system of created instance...
Detecting the provisioner...
Provisioning with boot2docker...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...
Checking connection to Docker...
Docker is up and running!
To see how to connect Docker to this machine, run: docker-machine env default

@rolandoasmat

I'm having the same issue. Running version DockerToolbox-1.9.1g on Mac OS X 10.11.2

@MultifokalHirn

@rolandoasmat do you have a VPN running? Deactivating my VPN fixed it for me.

@arthurbailao

Same issue here too. Only one host-only interface but the error is still happening.

@omghaxzs

I'm not sure which application is responsible for setting up routes to communicate with the guest but I found a pretty nasty workaround by manually adding the route.

My host-only interface:

[root@knox ~]# VBoxManage list hostonlyifs
Name:            vboxnet0
GUID:            786f6276-656e-4074-8000-0a0027000000
DHCP:            Disabled
IPAddress:       192.168.99.1
NetworkMask:     255.255.255.255
IPV6Address:     fe80:0000:0000:0000:0800:27ff:fe00:0000
IPV6NetworkMaskPrefixLength: 64
HardwareAddress: 0a:00:27:00:00:00
MediumType:      Ethernet
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-vboxnet0

My docker machine:

[jenkins@knox root]$ docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL                         SWARM
jarvis   -        virtualbox   Running   tcp://192.168.99.100:2376

As expected, cannot ping:

[jenkins@knox root]$ ping 192.168.99.100
PING 192.168.99.100 (192.168.99.100) 56(84) bytes of data.
^C
--- 192.168.99.100 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms

Also as expected, cannot connect to remote daemon:

[jenkins@knox root]$ docker-machine env jarvis
Error running connection boilerplate: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": dial tcp 192.168.99.100:2376: i/o timeout
You can attempt to regenerate them using 'docker-machine regenerate-certs name'.
Be advised that this will trigger a Docker daemon restart which will stop running containers.

Looking at my routing table, there is no way to communicate:

[jenkins@knox root]$ ip route
default via 10.0.137.1 dev enp2s0  proto dhcp  src 10.0.201.2  metric 1024
10.0.0.0/8 dev enp2s0  proto kernel  scope link  src 10.0.201.2
10.0.137.1 dev enp2s0  proto dhcp  scope link  src 10.0.201.2  metric 1024
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1

So we manually add the route:

[root@knox ~]# ip route add 192.168.99.0/24 dev vboxnet0 src 192.168.99.1
[root@knox ~]# ip route
default via 10.0.137.1 dev enp2s0  proto dhcp  src 10.0.201.2  metric 1024
10.0.0.0/8 dev enp2s0  proto kernel  scope link  src 10.0.201.2
10.0.137.1 dev enp2s0  proto dhcp  scope link  src 10.0.201.2  metric 1024
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
192.168.99.0/24 dev vboxnet0  scope link  src 192.168.99.1

We should be able to ping and run docker-machine env jarvis now.

[root@knox ~]# ping 192.168.99.100
PING 192.168.99.100 (192.168.99.100) 56(84) bytes of data.
64 bytes from 192.168.99.100: icmp_seq=1 ttl=64 time=0.863 ms
64 bytes from 192.168.99.100: icmp_seq=2 ttl=64 time=0.719 ms
^C
--- 192.168.99.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.719/0.791/0.863/0.072 ms
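
Two network-level causes are reported in this thread: a host-only subnet that collides with another route, and a host with no route to the VM at all. Both can be checked from `VBoxManage list hostonlyifs` and `ip route` output. The Python below is an added example, not part of the comment above or of Docker Machine; the function names are hypothetical and the embedded sample is a subset of the output quoted in that comment.

```python
import ipaddress
import re

# Sample input: a subset of the command output quoted in the comment above.
HOSTONLYIFS = """\
Name:            vboxnet0
IPAddress:       192.168.99.1
NetworkMask:     255.255.255.255
"""
IP_ROUTE = """\
default via 10.0.137.1 dev enp2s0  proto dhcp  src 10.0.201.2  metric 1024
10.0.0.0/8 dev enp2s0  proto kernel  scope link  src 10.0.201.2
10.0.137.1 dev enp2s0  proto dhcp  scope link  src 10.0.201.2  metric 1024
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
"""

def parse_hostonlyifs(text):
    """Map interface name -> IPv4 address/mask from `VBoxManage list hostonlyifs`."""
    blocks = (dict(re.findall(r"^(\w+):\s+(\S+)", b, re.M))
              for b in re.split(r"\n\s*\n", text.strip()))
    return {f["Name"]: ipaddress.ip_interface(f"{f['IPAddress']}/{f['NetworkMask']}")
            for f in blocks}

def parse_routes(text):
    """Return [(destination network, device)] from `ip route` output."""
    routes = []
    for line in text.strip().splitlines():
        dev = re.search(r"\bdev (\S+)", line)
        if dev:  # entries without a device (e.g. unreachable) are skipped
            dest = line.split()[0].replace("default", "0.0.0.0/0")
            routes.append((ipaddress.ip_network(dest, strict=False), dev.group(1)))
    return routes

def diagnose(machine_ip, hostonlyifs=HOSTONLYIFS, ip_route=IP_ROUTE):
    """List reasons the host cannot reach machine_ip over a host-only interface."""
    ip = ipaddress.ip_address(machine_ip)
    ifaces = parse_hostonlyifs(hostonlyifs)
    findings = [f"{name}: subnet {i.network} does not contain {ip}"
                for name, i in ifaces.items() if ip not in i.network]
    # Longest-prefix match, the rule the kernel uses to choose a route.
    matches = [r for r in parse_routes(ip_route) if ip in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        findings.append(f"no route to {ip}")
    elif best[1] not in ifaces:
        findings.append(f"{ip} is routed via {best[1]} ({best[0]}), not a host-only interface")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose("192.168.99.100")))
```

On the sample it reports that the 255.255.255.255 mask leaves 192.168.99.100 outside vboxnet0's subnet and that the address falls through to the default route on enp2s0. A more specific route on a VPN or LAN device that covers the machine address is reported the same way.
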
@Bartekus

@sethcleveland Thank you good sir, you've provided the best answer in this post and also the one that follows the proper ip ranges for private networks.

From the moment of noticing 'Error checking TLS connection' in my iterm, thru finding this post and applying your solution, the combined time was under 5 minutes!
Pure excellence!
For anybody else looking to resolve this issue, check what @sethcleveland has proposed as it's precisely what you need!

@jp-gorman

Yes, but this solution yet again assumes you want to kill your host machine and create a new one. It's unbelievable how unstable this deck of cards is for Docker, each week I come across something else that blows it out of the water. This time all was working until I upgraded to latest Toolbox. Yet again (nearly predictably at this stage) docker blew up the host machine in some way....

Now I have to go and see if I can hack some xml file to test @sethcleveland's solution (if it's possible to do without creating a new host). Be nice if we had some Docker representatives feeding back to the community a little faster than an email every week to an individual. It's not like these are small issues, they are disabling docker hosts completely!

This issue is marked as closed but yet I see no comment on a solution, or history of who closed it and why ? No Assignee, nothing.... Does docker have a process ?

@Bartekus
Bartekus commented Feb 9, 2016

@jp-gorman

Yes, but this solution yet again assumes you want to kill your host machine and create a new one. It's unbelievable how unstable this deck of cards is for Docker, each week I come across something else that blows it out of the water. This time all was working until I upgraded to latest Toolbox. Yet again (nearly predictably at this stage) docker blew up the host machine in some way....

I'm not sure what you mean, but I shut down and restart docker with each reboot and it works great for me. I upgrade and do whatever with other docker based software (azk.io for example, kitematic, docker terminal) as well and when I need it I boot up the docker-machine with the image I need when I need it, sometimes it's the default, sometimes it's azk etc. I'm not sure why people want to run everything as a process but then again, from hacker perspective I like to be in control of what's running, why and when, while many people see things differently and do not. Have a look at azk.io, perhaps it will alleviate some of the pains you are having once you apply sethcleveland's solution.

Also check these, perhaps there could be something of use there for you:
Easy Docker on OSX
Docker Machine on OSX
https://github.com/docker/machine/blob/8f82b762749bb8dcf52c6dd0774b927510c5e885/docs/reference/create.md
#102

Just my 2 cents, not really an answer to your question tho, sorry and good luck!

@tjaensch

hong-jiang's solution above worked for me. I had an older Docker version installed on my Mac that I hadn't used in a long time and ran into the problems described when I tried to start the default machine again, but removing host only networks from Virtual Box, un- and reinstall Docker, etc. did the trick finally.

@youngsterxyf

@sethcleveland 's solution worked for me. Thanks!

@kevinmeredith

On Mac OS X Yosemite, when I got this error, I removed all host-only networks from virtualbox.

Then, I re-ran:

docker-machine create --driver virtualbox default
eval "$(docker-machine env default)"

successfully.

@samueltbrown

@kevinmeredith 's solution helped me when upgrading from 1.9.1 to 1.10.2. I believe that overwriting the default machine during the toolbox installation process didn't create the machine correctly.

I ran docker rm default and then @kevinmeredith 's steps above and I was back up and running.

@gabrieljoelc

I removed all host-only networks from virtualbox.

@kevinmeredith how did you do this?

@kevinmeredith

@gabrieljoelc

  • VirtualBox's Preferences
  • Go to Network tab
  • delete each of the Host-Only Network items


@DanielHit

I have found this problem again. Mac OS X, just restart my Mac and it works...

@snario
snario commented Apr 8, 2016

Upgrading VirtualBox worked for me.

@ebridger

New to Docker. Running OS 10.11.4. Got the TLS error when switching from work to my home network. VirtualBox => Preferences => Networks => localhosts remove, did not work. Had to re-install Docker Toolbox 1.10.3. That worked but still seems like a bug to me.
Update: Turns out re-install was actually just an update. Did not lose previous container pulls.

@indyarocks

Restarting the Mac worked for me!

@1tylermitchell
1tylermitchell commented Apr 22, 2016 edited

I had this problem when my Macbook shut down due to a dead battery - after powering back up I got these related errors.

To fix - I opened the VirtualBox GUI and saw that Default was still running. I killed it and restarted Docker Quickstart Terminal and am up and running. This is probably why "restart" options above helped :)

@nucleardreamer

Same thing happened to me on OSX 10.11.4 (docker 1.10.3). For myself, all I had to do was a simple docker-machine stop default && docker-machine start default

@gneyal
gneyal commented Jun 13, 2016 edited

This worked for me:

docker-machine rm default && docker-machine create --driver virtualbox default && eval "$(docker-machine env default)"

@komocode

This thing keeps coming back. I regenerate certs fine. Then a few days later, I suddenly can't connect to docker and this error re-appears.

@venkykuberan

I use a Mac and I ran into the same issue. Getting out of VPN worked. It looks to me like my IP is different when I go through VPN, thus my certs aren't valid.

@maektwain

@nucleardreamer The same issue on my Mac 10.11.3 I solved using your commands only. Thanks

@tonyvu2014

@sethcleveland's solution works for me on Windows.

@stephan-nordnes-eriksen

For me, a docker-machine restart NAME did the trick. NB. this will of course stop all your containers.

@komocode

This probably needs to be re-opened. I dumped docker for the time being because this was causing too many issues and ruining productivity.

@davidaparicio

For me, it was TripMode (to avoid huge traffic on my 3G metered connection) which blocked my docker-machine -_-

@SharkIng
SharkIng commented Aug 4, 2016

I know I can get rid of this message by restarting/starting the Docker machine. But is it possible to disable this message while the Docker machine is not running? I am not using Docker all the time but I need my terminal sometimes. When I stop my Docker machine and open terminal/iTerm, I get this message, which is annoying.

@miguelmota

What worked for me was

docker-machine restart default

and then

eval "$(docker-machine env default)"

@tktorza
tktorza commented Nov 23, 2016

My solution is:
remove the actual default machine, run: docker-machine rm default
create a new machine: docker-machine create --driver virtualbox --virtualbox-hostonly-cidr "10.0.0.1/24" default
activate this machine: eval "$(docker-machine env default)"
If you want to see which machine is actually active: docker-machine active

@Gkiokan
Gkiokan commented Nov 29, 2016

I got the same problem, but I figured out, the boot2docker VM in Virtual Box wasn't started. So after starting it from the GUI in Virtual Box every Docker Command worked like a charm.

I think there is / was a problem with the VM autostart of Virtual Box.
