1. The certificate generation
In a test or development environment, you can choose to use a self-signed certificate rather than a certificate from a trusted third-party CA's.
The following will show you how to create your own CA, and use your CA to sign server certificates and client certificates.
1.1 Certificate generation ca
[root@docker ~]# mkdir /docker
[root@docker ~]# cd /docker/
[root@docker docker]# ll
总用量 0
[root@docker docker]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
................................................................................................................++
......................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
### 这里CN填写你的https设置的域名,即你harbor配置文件中hostanme填写的内容
[root@docker docker]# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/CN=192.168.1.109" \
-key ca.key \
-out ca.crt
[root@docker docker]# ll
总用量 8
-rw-r--r-- 1 root root 1797 4月 18 11:16 ca.crt
-rw-r--r-- 1 root root 3247 4月 18 11:16 ca.key1.2 Getting Server Certificates
1) Create your own private key:
OpenSSL genrsa -out server.key 4096
2) generate a certificate signing request:
OpenSSL REQ -sha512 -new
-subj "/CN=192.168.1.109"
-key server.key
-out server.csr
[root@docker docker]# ll
总用量 16
-rw-r--r-- 1 root root 1797 4月 18 11:16 ca.crt
-rw-r--r-- 1 root root 3247 4月 18 11:16 ca.key
-rw-r--r-- 1 root root 1590 4月 18 11:22 server.csr
-rw-r--r-- 1 root root 3247 4月 18 11:21 server.key1.3 Certificate generation harbor warehouse hosts
Whether you are using a similar yourdomain.com FQDN or IP to connect to the host registry, run this command to generate a host certificate in line with the registry Subject Alternative Name (SAN) extension and x509 v3 requirements: v3.ext
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=192.168.1.109
EOF1.3.2 Certificate generation harbor warehouse hosts
[root@docker docker]# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in server.csr \
-out server.crt
Signature ok
subject=/CN=192.168.1.109
Getting CA Private Key
此时证书创建成功
[root@docker docker]# ll
总用量 28
-rw-r--r-- 1 root root 1797 4月 18 11:16 ca.crt
-rw-r--r-- 1 root root 3247 4月 18 11:16 ca.key
-rw-r--r-- 1 root root 1834 4月 18 11:31 server.crt
-rw-r--r-- 1 root root 1590 4月 18 11:22 server.csr
-rw-r--r-- 1 root root 3247 4月 18 11:21 server.key
-rw-r--r-- 1 root root 233 4月 18 11:30 v3.ext
Installation and Configuration 2
1) Configure server certificate and key port
after obtaining server.crt and server.key files, you can copy them to the directory / data / cert /:
2) modify harbor configuration file
to edit the file harbor.cfg, update the host name and protocol, and updates the properties ssl_cert and ssl_cert_key:
hostname = yourdomain.com:port
ui_url_protocol = https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key3) Restart harbor
为Harbor生成配置文件:
./prepare
如果Harbor已在运行,请停止并删除现有实例。您的图像数据保留在文件系统中
docker-compose down -v
最后,重启harbor:
docker-compose up -d4) configured to authenticate the client harbor
all the necessary push or pull the mirror copy machine needs a certificate to the docker.
a. 创建存放域名证书的目录
[root@Arcgisdocker ~]# mkdir -p /etc/docker/certs.d/192.168.1.109
b. 移动证书到docker目录下
cp ca.crt /etc/docker/certs.d/192.168.1.109/ca.crt
c. 测试推送拉取
[root@DockerRegistry harbor]# docker tag busybox:latest 192.168.1.109/software/busybox:002 ##打上仓库地址标签
[root@DockerRegistry harbor]# docker push 192.168.1.109/software/busybox:002 ##推送测试,
The push refers to repository [192.168.1.109/software/busybox] ##这里已经推送过了,提示存在
0b97b1c81a32: Layer already exists
002: digest: sha256:f79f7a10302c402c052973e3fa42be0344ae6453245669783a9e16da3d56d5b4 size: 527
[root@DockerRegistry harbor]# docker rmi -f af2f74c517aa ##删除镜像
Untagged: 192.168.1.109/software/busybox:002
Untagged: 192.168.1.109/software/busybox@sha256:f79f7a10302c402c052973e3fa42be0344ae6453245669783a9e16da3d56d5b4
Untagged: busybox:latest
Untagged: busybox@sha256:954e1f01e80ce09d0887ff6ea10b13a812cb01932a0781d6b0cc23f743a874fd
Deleted: sha256:af2f74c517aac1d26793a6ed05ff45b299a037e1a9eefeae5eacda133e70a825
Deleted: sha256:0b97b1c81a3200e9eeb87f17a5d25a50791a16fa08fc41eb94ad15f26516ccea
[root@DockerRegistry harbor]# docker pull 192.168.1.109/software/busybox:002 ###拉取镜像测试
002: Pulling from software/busybox
fc1a6b909f82: Pull complete
Digest: sha256:f79f7a10302c402c052973e3fa42be0344ae6453245669783a9e16da3d56d5b4
Status: Downloaded newer image for 192.168.1.109/software/busybox:002Harbor after setting HTTPS, you can be verified by following these steps:
Open a browser and enter the address: HTTPS: //yourdomain.com . It should show the user interface Harbor.
Note that even if we deploy to the position and CA certificate signed by a self-signed CA, some browsers may still show for safety reasons related to the Certificate Authority (CA) unknown warning. This is because the self-signed third-party CA is essentially not a trusted CA. You can own the CA into the browser to resolve the warning
Examples of configuration:
The resulting centos 7 ca.crt file into the root directory client docker restart docker log image warehouse
[root@dev-gray cargo.caicloudprivatetest.com]# pwd /etc/docker/certs.d/cargo.caicloudprivatetest.com [root@dev-gray cargo.caicloudprivatetest.com]# ls ca.crt [root@dev-gray cargo.caicloudprivatetest.com]# docker login cargo.cai******tetest.com -u admin -p Pw****56 WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded