碼上快樂

相關內容    簡體    繁體

Harbor倉庫配置https訪問

本文轉載自   查看原文   2019-11-29 10:52   1769    Docker/ Harbor

注:高版本(14以上)docker執行login命令,默認使用https,且harbor必須使用域名,只是用ip訪問是不行的。

假設使用的網址是:www.harbor.mobi,本機ip是192.168.75.100

因為這個網址是虛擬的,所以需要在本機hosts文件中添加

echo "192.168.75.100  www.harbor.mobi" >> /etc/hosts

把yourdomain.com換成實際使用的域名或者ip或者ip:port,要跟harbor.yml文件中的配置信息保持一致

#set hostname
hostname: www.harbor.mobi

#http:
#  port: 80

https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/www.harbor.mobi.crt
  private_key: /data/cert/www.harbor.mobi.key
# 注意證書路徑

一鍵腳本文件:

#!/bin/bash

# 在該目錄下操作生成證書,正好供harbor.yml使用
mkdir -p /data/cert
cd /data/cert

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF

openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt
    
openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert

cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt 
update-ca-trust

# 把這三個復制到docke下
mkdir -p /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.cert /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.key /etc/docker/certs.d/ywww.harbor.mobi/
cp ca.crt /etc/docker/certs.d/www.harbor.mobi/


最終docker目錄結構:
/etc/docker/certs.d/
    └── www.harbor.mobi
       ├── www.harbor.mobi.cert  <-- Server certificate signed by CA
       ├── www.harbor.mobi.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
# 重啟docker
systemctl restart docker.service

# 停止
docker-compose down -v

# 重新生成配置文件
./prepare --with-notary --with-clair --with-chartmuseum

# 啟動
docker-compose up -d

官方步驟示例:

#set hostname
hostname: yourdomain.com

http:
  port: 80

https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/yourdomain.com.crt
  private_key: /data/cert/yourdomain.com.key

# 生成使用的相關證書
openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
    -key ca.key \
    -out ca.crt

openssl genrsa -out yourdomain.com.key 4096

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
    -key yourdomain.com.key \
    -out yourdomain.com.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in yourdomain.com.csr \
    -out yourdomain.com.crt

openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert

# 把這三個復制到docke下
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/


最終docker目錄結構:
/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
# 重啟docker
systemctl restart docker.service

cp 192.168.75.100.crt /etc/pki/ca-trust/source/anchors/192.168.75.100.crt 
update-ca-trust

# harbor證書配置
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/

# 重新生成配置文件
./prepare --with-notary --with-clair --with-chartmuseum

# 停止
docker-compose down -v

# 啟動
docker-compose up -d

問題:
使用docker login 命令登陸的話報錯

docker login https://192.168.75.100

x509: cannot validate certificate for 192.168.75.100 because it doesn't contain any IP SANs

排查步驟:
檢查harbor.yml文件中hostname變量的值是否跟生成證書使用的一致


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 Harbor倉庫配置https訪問 harbor鏡像倉庫-https訪問配置 harbor配置https訪問 harbor配置https訪問 配置對Harbor的HTTPS訪問 harbor鏡像倉庫-02-https訪問配置 harbor docker 倉庫 https配置 Docker以https訪問Harbor私有倉庫(二) docker登錄沒有配置https的harbor鏡像倉庫 配置http協議訪問Harbor鏡像倉庫
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM