harbor:Windows仓库证书

搭建好了 harbor 以后,就在想能不能在 windows 电脑上访问,从 harbor 拉取 windows 镜像到 windows 节点上。

遇到的问题

X509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0)

Docker版本参看:https://www.cnblogs.com/Principles/p/CloudComputing_005.html

一、生成开启扩展SAN的证书

1. 什么是 SAN

SAN(Subject Alternative Name) 是 SSL 标准 x509 中定义的一个扩展。使用了 SAN 字段的 SSL 证书,可以扩展此证书支持的域名,使得一个证书可以支持多个不同域名的解析。

2.如何生成含有SAN的证书

2.1. 生成CA根证书

2.1.1 准备ca配置文件,得到ca.conf

vim ca.conf

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = Ted CA Test

2.1.2 生成ca秘钥,得到ca.key

openssl genrsa -out ca.key 4096

2.1.3 生成ca证书签发请求,得到ca.csr

openssl req \
-new \
-sha256 \
-out ca.csr \
-key ca.key \
-config ca.conf

2.1.4 生成ca根证书,得到ca.crt

openssl x509 \
  -req \
  -days 3650 \
  -in ca.csr \
  -signkey ca.key \
  -out ca.crt

2.2 准备配置文件,得到server.conf

vim server.conf

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = hub.ruan.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = hub.ruan.com
IP      = 192.168.174.139

2.2.2 生成秘钥,得到server.key

openssl genrsa -out hub.ruan.com.key 2048

2.2.3 生成证书签发请求,得到server.csr

openssl req \
-new \
-sha256 \
-out server.csr \
-key hub.ruan.com.key \
-config server.conf

配置文件中已经有默认值了,shell交互时一路回车就行

2.2.4 用CA证书生成终端用户证书,得到server.crt

openssl x509 \
-req \
-days 3650 \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-in server.csr \
-out hub.ruan.com.pem\
-extensions req_ext \
-extfile server.conf

现在证书已经生成完毕,hub.ruan.com.pem 和 hub.ruan.com.key是我们需要的证书和密钥

二、转换证书

openssl x509 -inform PEM -in hub.ruan.com.pem -out hub.ruan.com.crt
openssl x509 -inform PEM -in hub.ruan.com.crt -out hub.ruan.com.cert

三、修改harbor.yml

修改对应的证书地址:
hub.ruan.com.cert 的地址
hub.ruan.com.key 的地址

四、在windows电脑上使用证书

4.1 复制证书

将证书复制到C:\ProgramData\docker\certs.d\hub.ruan.com目录下

4.2 添加host

192.168.174.139 hub.ruan.com

4.3 添加信任列表

C:\Program Files\Docker\metadata.json中添加

"insecure-registries": ["http://hub.ruan.com"]

五、登录

docker login hub.ruan.com
posted @ 2022-09-28 22:29  E·r  阅读(385)  评论(0编辑  收藏  举报