Credentials

Symptoms: You've configured a credential (SNMP or Docker Proxy) but it isn't being applied to hosts during discovery. The "Credential Mappings" summary at the end of a scan session shows 0 hosts for the credential type.

The daemon logs credential diagnostics at three points during a scan session. To access logs, see Checking Daemon Logs.

Credential summary at session start

At the beginning of each discovery session, the daemon logs a summary of all configured credentials:

INFO  Credentials:
INFO    For Docker proxy connection on 192.168.4.126
INFO      Port            2376
INFO      SSL cert        successfully read from /path/to/client-cert.pem
INFO      SSL key         successfully read from /path/to/client-key.pem
INFO      SSL chain       successfully read from /path/to/ca.pem
WARN    For Docker proxy connection on 192.168.4.127
INFO      Port            2376
ERROR     SSL cert        failed to read from /non-existent.pem
ERROR     SSL key         failed to read from /non-existent.pem
ERROR     SSL chain       failed to read from /non-existent.pem
INFO    For SNMP queries on all scanned hosts
INFO      Community       ******** (10 chars)
INFO      Version         V2c

What to look for:

• INFO on all fields — credential loaded successfully and will be tried during the scan
• ERROR on file fields — the daemon couldn't read a certificate or key file. The credential will not be used. Fix the file path or permissions and restart the daemon.
• WARN on the credential header — at least one field has an error. Check the indented lines below for details.

For SNMP credentials, the community string is redacted but the character count is shown — useful for confirming the right credential was picked up.

File read errors during the scan

When the daemon resolves credential file paths, it logs each read attempt. Errors appear as ERROR lines:

ERROR Failed to resolve Docker credential file paths
      error=Failed to read ssl_cert from /non-existent.pem: No such file or directory (os error 2)
      ip=192.168.4.127

ERROR Failed to resolve Docker credential file paths
      error=SSL Certificate must contain a CERTIFICATE PEM block, found: PRIVATE KEY
      ip=192.168.4.126

Common file errors:

Credential mappings at session end

At the end of each discovery session, the daemon logs how many hosts each credential type was successfully applied to:

INFO  Credential Mappings:
INFO    SNMP:               12 hosts
INFO    Docker:             2 hosts

If a credential type shows 0 hosts, the credential was loaded but never successfully used during the scan. This means either:

1. File/path errors prevented the credential from loading — check the session start summary and file read logs above
2. The credential was loaded but authentication failed on every target host — see below
3. The credential isn't assigned to any network or host — see Credential assignment

Credential loaded but not assigned to hosts

A credential can load from disk without errors but still show 0 hosts in the mapping summary. This happens when the actual authentication or connection attempt fails on the target device:

• SNMP: The community string was rejected by the device (wrong string, ACL blocking the daemon's IP, or SNMPv2c disabled)
• Docker Proxy: The TLS handshake failed (expired cert, CA mismatch), the proxy refused the connection, or the proxy is blocking required API endpoints

Diagnosis: Look for per-host errors in the scan logs between the session start and session end summaries. SNMP failures appear as timeout or authentication errors; Docker failures appear as connection or TLS errors.

Resolution:

• For SNMP, verify the community string works from the daemon host using snmpwalk — see Verify device responds to SNMPv2c
• For Docker Proxy, verify the proxy is reachable and the certificate is accepted — see Docker Proxy troubleshooting

Quick reference