docker / for-linux

Docker Engine for Linux
https://docs.docker.com/engine/installation/

Swarm manager cert with start date in the future: Failing with: Error response from daemon: error while validating Root CA Certificate: x509: certificate has expired or is not yet valid #400

Open adriano-pinaffo opened 6 years ago

adriano-pinaffo commented 6 years ago

Situation

I have 3 nodes that I want to play with as managers and workers. I made my first one (Debian) into a swarm manager:

root@debiancli:~# docker swarm init --advertise-addr 192.168.182.129
Swarm initialized: current node (mkg6ecl3x28uyyqx7gvzz0ja3) is now a manager.

To add a worker to this swarm, run the following command:

    docker swarm join --token SWMTKN-1-47h52q7mpdkhbi4dsqyjt7pnjqgvm4oxxfh87k6e2hoj8f4op0-2p1zkg309owyophvk95bw7rj0 192.168.182.129:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

On my second soon-to-be node (CentOS), I tried to join it to the cluster:

[root@centostraining ~]# docker swarm join --token SWMTKN-1-47h52q7mpdkhbi4dsqyjt7pnjqgvm4oxxfh87k6e2hoj8f4op0-2p1zkg309owyophvk95bw7rj0 192.168.182.129:2377
Error response from daemon: error while validating Root CA Certificate: x509: certificate has expired or is not yet valid

But it said, as shown above, that the certificate is not valid (date issue). I checked the date on my Debian and it is fine:

root@debiancli:~# date
Tue Aug 14 22:02:29 EDT 2018

I also checked the date in my CentOS:

[root@centostraining ~]# date
Ter Ago 14 22:05:05 -03 2018

Now, I checked my swarm manager CA cert date:

root@debiancli:~# docker swarm ca | openssl x509 -noout -text | grep -E "Before|After" 
            Not Before: Aug 15 01:58:00 2018 GMT
            Not After : Aug 10 01:58:00 2038 GMT

So, weirdly enough, my certificate was generated to start the day after it was generated? Then on my future node (CentOS), if I change the date:

[root@centostraining ~]# date +%Y%m%d -s "20180816"
20180816
[root@centostraining ~]# date
Qui Ago 16 00:00:01 -03 2018
[root@centostraining ~]# docker swarm join --token SWMTKN-1-47h52q7mpdkhbi4dsqyjt7pnjqgvm4oxxfh87k6e2hoj8f4op0-2p1zkg309owyophvk95bw7rj0 192.168.182.129:2377
This node joined a swarm as a worker. 

Voilà, it now works as expected. Can anyone explain why my swarm CA cert is "in the future"?

Output of docker version:

# docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:09:33 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:07:38 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

root@debiancli:~# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 18.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
 NodeID: mkg6ecl3x28uyyqx7gvzz0ja3
 Is Manager: true
 ClusterID: 8s9yo753hj3ifqute61ft5p14
 Managers: 1
 Nodes: 1
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 10
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
  Force Rotate: 0
 Autolock Managers: false
 Root Rotation In Progress: false
 Node Address: 192.168.182.129
 Manager Addresses:
  192.168.182.129:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.0-3-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 474.1MiB
Name: debiancli
ID: 5OHR:7H4D:EOVR:SR67:DRCO:WW42:G5OM:DLK4:DOSR:BX6G:RMS6:JLKT
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.)

thaJeztah commented 5 years ago

Wondering if the timezone is the issue here; the certificate shows GMT, but your shell shows EDT, which would be a 5-hour difference.

@justincormack any ideas?
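Added example (not part of the original thread and not Docker's code): x509 validity is evaluated in UTC, so this sketch converts the `date` readings posted in the issue to UTC and compares each with the root CA's `Not Before`/`Not After`. The function names are hypothetical, and the numeric offset for EDT (UTC-4) is supplied here because `date` printed only the abbreviation.

```python
from datetime import datetime, timedelta, timezone

# Values transcribed from the issue. Offsets are hours east of UTC;
# the EDT offset (-4) is an assumption added here, -03 is as printed.
NOT_BEFORE = "Aug 15 01:58:00 2018 GMT"
NOT_AFTER = "Aug 10 01:58:00 2038 GMT"
NODE_CLOCKS = {
    "debiancli (manager)": ("2018-08-14 22:02:29", -4),
    "centostraining (joining)": ("2018-08-14 22:05:05", -3),
    "centostraining after date -s": ("2018-08-16 00:00:01", -3),
}

def parse_openssl_time(text):
    """Parse a timestamp as printed by `openssl x509 -noout -text`."""
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def to_utc(local, offset_hours):
    """Turn a node's local wall-clock reading into an aware UTC datetime."""
    tz = timezone(timedelta(hours=offset_hours))
    naive = datetime.strptime(local, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)

def check_validity(now_utc, not_before, not_after):
    """Return (status, margin) as a verifier using this clock would see it."""
    if now_utc < not_before:
        return "not yet valid", not_before - now_utc
    if now_utc > not_after:
        return "expired", now_utc - not_after
    return "valid", now_utc - not_before

def report():
    """Map each node reading to (UTC time, status, margin)."""
    nb, na = parse_openssl_time(NOT_BEFORE), parse_openssl_time(NOT_AFTER)
    rows = {}
    for node, (local, offset) in NODE_CLOCKS.items():
        now = to_utc(local, offset)
        rows[node] = (now, *check_validity(now, nb, na))
    return rows

if __name__ == "__main__":
    for node, (now, status, margin) in report().items():
        print(f"{node:30} {now:%Y-%m-%d %H:%M:%S} UTC  {status} ({margin})")
```

With these inputs the manager's clock falls inside the validity window, while the joining node's first reading is before `Not Before` in UTC. Running `date -u` on every node before `docker swarm join` and keeping them on NTP shows this kind of gap directly.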