Kublr-in-a-Box Installer (Kublr Box) is a slimmed down version of Kublr Control Plane packaged into a single Docker container image and running as a single container.

As it runs on a client machine, often a laptop, it can sometime run into the client environment issues.

This document describes some of the known issues and general troubleshooting procedures.

Known issues

Docker for Mac 3.3.0 and 3.3.1

Docker for Mac 3.3.0 and 3.3.1 has a known issue that prevents container applications connecting to HTTPS endpoints with self-signed certificates with "NSS error -5938".

The issue is tracked at

As a result Kublr Box cannot connect to a newly created cluster API endpoint and never finishes creating a cluster. Cluster will stay in an error state indicating that Kubernetes API is not available.

How to identify:

Connection to the cluster API endpoint works from the host but fails from the Docker container.

# works

# works
curl -k https://<kubernetes-API-address>

# works
docker exec kublr curl

docker exec kublr curl -k -v https://<kubernetes-API-address>

* About to connect() to x.x.x.x port 443 (#0)
*   Trying x.x.x.x...
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

How to fix:

Upgrade or roll back Docker for Mac version to the one that does not have this issue.