Harbor仓库配置https访问

本文转载自查看原文 2021-08-10 09:31 106 harbor

注：高版本（14以上）docker执行login命令，默认使用https，且harbor必须使用域名，只是用ip访问是不行的。

假设使用的网址是：www.harbor.mobi，本机ip是192.168.75.100

因为这个网址是虚拟的，所以需要在本机hosts文件中添加

echo "192.168.75.100 www.harbor.mobi" >> /etc/hosts

把yourdomain.com换成实际使用的域名或者ip或者ip:port，要跟harbor.yml文件中的配置信息保持一致

#set hostname hostname: www.harbor.mobi #http: # port: 80 https: # https port for harbor, default is 443 port: 443 # The path of cert and key files for nginx certificate: /data/cert/www.harbor.mobi.crt private_key: /data/cert/www.harbor.mobi.key # 注意证书路径

一键脚本文件：

#!/bin/bash # 在该目录下操作生成证书，正好供harbor.yml使用 mkdir -p /data/cert cd /data/cert openssl genrsa -out ca.key 4096 openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt openssl genrsa -out www.harbor.mobi.key 4096 openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=www.harbor.mobi DNS.2=harbor DNS.3=ks-allinone EOF openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt update-ca-trust

# 把这三个复制到docke下 mkdir -p /etc/docker/certs.d/www.harbor.mobi/ cp www.harbor.mobi.cert /etc/docker/certs.d/www.harbor.mobi/ cp www.harbor.mobi.key /etc/docker/certs.d/ywww.harbor.mobi/ cp ca.crt /etc/docker/certs.d/www.harbor.mobi/ 最终docker目录结构： /etc/docker/certs.d/ └── www.harbor.mobi ├── www.harbor.mobi.cert <-- Server certificate signed by CA ├── www.harbor.mobi.key <-- Server key signed by CA └── ca.crt <-- Certificate authority that signed the registry certificate # 重启docker systemctl restart docker.service # 停止 docker-compose down -v # 重新生成配置文件 ./prepare --with-notary --with-clair --with-chartmuseum # 启动 docker-compose up -d

官方步骤示例：

#set hostname hostname: yourdomain.com http: port: 80 https: # https port for harbor, default is 443 port: 443 # The path of cert and key files for nginx certificate: /data/cert/yourdomain.com.crt private_key: /data/cert/yourdomain.com.key

# 生成使用的相关证书 openssl genrsa -out ca.key 4096 openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \ -key ca.key \ -out ca.crt openssl genrsa -out yourdomain.com.key 4096 openssl req -sha512 -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \ -key yourdomain.com.key \ -out yourdomain.com.csr cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=yourdomain.com DNS.2=yourdomain DNS.3=hostname EOF openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in yourdomain.com.csr \ -out yourdomain.com.crt openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert # 把这三个复制到docke下 cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/ cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/ cp ca.crt /etc/docker/certs.d/yourdomain.com/ 最终docker目录结构： /etc/docker/certs.d/ └── yourdomain.com:port ├── yourdomain.com.cert <-- Server certificate signed by CA ├── yourdomain.com.key <-- Server key signed by CA └── ca.crt <-- Certificate authority that signed the registry certificate # 重启docker systemctl restart docker.service cp 192.168.75.100.crt /etc/pki/ca-trust/source/anchors/192.168.75.100.crt update-ca-trust # harbor证书配置 cp yourdomain.com.crt /data/cert/ cp yourdomain.com.key /data/cert/ # 重新生成配置文件 ./prepare --with-notary --with-clair --with-chartmuseum # 停止 docker-compose down -v # 启动 docker-compose up -d

问题：
使用docker login 命令登陆的话报错

docker login https://192.168.75.100

x509: cannot validate certificate for 192.168.75.100 because it doesn't contain any IP SANs 排查步骤： 检查harbor.yml文件中hostname变量的值是否跟生成证书使用的一致

免责声明！

本站转载的文章为个人学习借鉴使用，本站对版权不负任何法律责任。如果侵犯了您的隐私权益，请联系本站邮箱yoyou2525@163.com删除。

猜您在找 harbor镜像仓库-https访问配置 harbor配置https访问 harbor配置https访问 docker登录没有配置https的harbor镜像仓库配置http协议访问Harbor镜像仓库 Kubernetes配置Secret访问Harbor私有镜像仓库 Harbor配置https认证 harbor配置https和notary Docker之harbor镜像仓库配置与使用开源仓库Harbor搭建及配置过程