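Contents
- 1. Generate the certificate authority certificate and private key
- 2. Generate the server private key and certificate signing request (CSR)
- 3. Generate the certificate signing request
- 4. Generate the x509 v3 extension file.
- 5. Use the v3.ext file to generate the certificate for the Harbor server.
- 6. Convert test.harbor.com.crt to test.harbor.com.cert for use by Docker. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
- 7. Set the paths in harbor.yml
Harbor deployment
Harbor deployment: HTTPS and docker login
Configuring the Harbor certificate
Current directory: /etc/harbor/ssl/
1. Generate the certificate authority certificate and private key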
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SmartX/OU=Lab/CN=test.harbor.com" -key ca.key -out ca.crt
2. Generate the server private key and certificate signing request (CSR)
openssl genrsa -out test.harbor.com.key 4096
3. Generate the certificate signing request
openssl req -sha512 -new -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SmartX/OU=Lab/CN=test.harbor.com" -key test.harbor.com.key -out test.harbor.com.csr
4. Generate the x509 v3 extension file.
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=test.harbor.com
DNS.3=harbor
EOF
5. Use the v3.ext file to generate the certificate for the Harbor server.
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in test.harbor.com.csr -out test.harbor.com.crt
6. Convert test.harbor.com.crt to test.harbor.com.cert for use by Docker. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
openssl x509 -inform PEM -in test.harbor.com.crt -out test.harbor.com.cert
7. Set the paths in harbor.yml
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /etc/harbor/ssl/test.harbor.com.crt
  private_key: /etc/harbor/ssl/test.harbor.com.key
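A pre-deployment check for the files produced in steps 1-6, as an added example that is not part of the original post: it confirms that the server certificate chains to ca.crt, lists the Harbor host name in its subjectAltName, matches the private key referenced in harbor.yml, and is not a CA. The function names and the script name check.sh are hypothetical; only standard openssl subcommands are used.

```bash
#!/bin/sh
# Added example (not from the original post): sanity checks for the files
# produced in steps 1-6, to run before pointing harbor.yml at them.
# Function names are hypothetical; only standard openssl subcommands are used.

# The server certificate must chain to the CA that signed it.
check_chain() {  # usage: check_chain CA_CERT SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The host name must be listed as a DNS subjectAltName entry; Docker's
# TLS client matches the SAN, not the CN.
check_san() {  # usage: check_san SERVER_CERT HOSTNAME
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$2"
}

# The private key given to nginx must belong to the certificate.
check_key_match() {  # usage: check_key_match SERVER_CERT SERVER_KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The server certificate must not be usable as a CA (basicConstraints=CA:FALSE).
check_not_ca() {  # usage: check_not_ca SERVER_CERT
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:FALSE'
}

# Run every check, print the ones that fail, and return the failure count.
verify_harbor_cert() {  # usage: verify_harbor_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
    failed=0
    check_chain "$1" "$2"     || { echo "FAIL: chain";     failed=$((failed + 1)); }
    check_san "$2" "$4"       || { echo "FAIL: SAN";       failed=$((failed + 1)); }
    check_key_match "$2" "$3" || { echo "FAIL: key match"; failed=$((failed + 1)); }
    check_not_ca "$2"         || { echo "FAIL: CA flag";   failed=$((failed + 1)); }
    return "$failed"
}

# Example: sh check.sh ca.crt test.harbor.com.crt test.harbor.com.key test.harbor.com
if [ "$#" -eq 4 ]; then
    verify_harbor_cert "$@"
fi
```

The script exits with the number of failed checks, so an exit status of 0 means all four passed.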
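Configuring Docker to trust the Harbor certificate
When Harbor is served over HTTPS with this certificate, docker login fails with the following error: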
[root@rocky-linux ~]# docker login test.harbor.com -uadmin -pHarbor@Test
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://test.harbor.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
Solution:
Method 1:
Create the certificate directory on the Docker client machine
mkdir -p /etc/docker/certs.d/test.harbor.com/
Copy the self-signed certificate into the Docker directory
sudo cp /etc/harbor/ssl/test.harbor.com.crt /etc/docker/certs.d/test.harbor.com/ca.crt
Restart the Docker service
sudo systemctl restart docker
Log in to Harbor
[root@rocky-linux harbor]# docker login test.harbor.com -uadmin -pHarbor@Test
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Method 2:
Edit the Docker configuration file
sudo nano /etc/docker/daemon.json
Add the Harbor address as an insecure registry
{
  "insecure-registries": ["test.harbor.com"]
}
Restart the Docker service
sudo systemctl restart docker
Log in to Harbor
docker login your.harbor.domain
From: https://www.cnblogs.com/anyux/p/18524187