配置harbor服务器的https
一、配置CA证书
(1)创建工作目录
[root@docker ~]# mkdir -pv /project1/harbor/certs/{ca,harbor-server,docker-client}
(2)进入到harbor证书存放目录
[root@docker ~]# cd /project1/harbor/certs/
[root@docker certs]# ll
total 0
drwxr-xr-x 2 root root 6 Feb 27 09:06 ca
drwxr-xr-x 2 root root 6 Feb 27 09:06 docker-client
drwxr-xr-x 2 root root 6 Feb 27 09:06 harbor-server
(3)生成自建CA证书
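3.1 创建CA的私钥(该命令生成的私钥未加密,按默认 umask 创建后权限为 644,见后文 ll -R 的输出;生成后建议执行 chmod 600 ca/ca.key,并避免把 CA 私钥长期留在 harbor 服务器上)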
[root@docker certs]# openssl genrsa -out ca/ca.key 4096
3.2 基于自建的CA私钥创建CA证书(注意,证书签发的域名范围)
[root@docker certs]# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=xiaosun.com" \
-key ca/ca.key \
-out ca/ca.crt
3.3 查看自建证书信息
[root@docker certs]# openssl x509 -in ca/ca.crt -noout -text
二、配置harbor证书
(1)生成harbor服务器的私钥
[root@docker certs]# openssl genrsa -out harbor-server/harbor.xiaosun.com.key 4096
(2)harbor服务器基于私钥生成证书签名请求(csr文件),交给自建CA签发
[root@docker certs]# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.xiaosun.com" \
-key harbor-server/harbor.xiaosun.com.key \
-out harbor-server/harbor.xiaosun.com.csr
(3)生成 x509 v3 的扩展文件,签发证书时用它写入扩展项(subjectAltName 中必须包含客户端实际访问 harbor 时使用的域名,否则客户端校验证书会失败)
cat > harbor-server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.xiaosun.com
DNS.2=xiaosun.com
EOF
(4)基于 x509 v3 的扩展文件认证签发harbor server证书
[root@docker certs]# openssl x509 -req -sha512 -days 3650 \
-extfile harbor-server/v3.ext \
-CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-in harbor-server/harbor.xiaosun.com.csr \
-out harbor-server/harbor.xiaosun.com.crt
(5)修改harbor的配置文件使用自建证书
[root@docker certs]# pwd
/project1/harbor/certs
[root@docker certs]#
[root@docker certs]# cd ..
[root@docker harbor]#
[root@docker harbor]# vim harbor.yml
...
hostname: harbor.xiaosun.com
https:
...
certificate: /project1/harbor/certs/harbor-server/harbor.xiaosun.com.crt
private_key: /project1/harbor/certs/harbor-server/harbor.xiaosun.com.key
...
[root@docker harbor]#
[root@docker harbor]# ./prepare
[root@docker harbor]#
[root@docker harbor]# docker-compose down -t 1
[root@docker harbor]#
[root@docker harbor]# docker-compose up -d
修改 harbor.yml 后一定要执行 ./prepare 重新生成配置,否则新的证书配置不会生效,后面连接不上
三、配置docker客户端证书
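(1)生成docker客户端证书(这一步只是把服务器证书另存为 .cert 后缀,内容不变,下面两个文件的 md5sum 相同;Docker 把 certs.d 目录中的 .crt 文件当作 CA 证书,把 .cert 文件当作客户端证书)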
[root@docker certs]# openssl x509 -inform PEM -in harbor-server/harbor.xiaosun.com.crt -out docker-client/harbor.xiaosun.com.cert
[root@docker certs]# pwd
/project1/harbor/certs
[root@docker certs]#
[root@docker certs]# md5sum docker-client/harbor.xiaosun.com.cert harbor-server/harbor.xiaosun.com.crt
f3d34a5c5d88a5fcacd8435ca9f4d944 docker-client/harbor.xiaosun.com.cert
f3d34a5c5d88a5fcacd8435ca9f4d944 harbor-server/harbor.xiaosun.com.crt
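(2)拷贝docker client证书文件(注意:这里拷贝的 harbor.xiaosun.com.key 是 harbor 服务器的私钥。客户端校验服务器证书只需要 ca.crt;.cert/.key 只在 registry 要求客户端证书认证时才会用到,而上面签发的证书 extendedKeyUsage 仅为 serverAuth。客户端是其他主机时,不建议把服务器私钥分发过去)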
[root@docker certs]# cp harbor-server/harbor.xiaosun.com.key docker-client/
[root@docker certs]#
[root@docker certs]# cp ca/ca.crt docker-client/
[root@docker certs]#
[root@docker certs]# ll -R
.:
total 0
drwxr-xr-x 2 root root 48 Feb 27 09:20 ca
drwxr-xr-x 2 root root 85 Feb 27 09:33 docker-client
drwxr-xr-x 2 root root 116 Feb 27 09:20 harbor-server
./ca:
total 12
-rw-r--r-- 1 root root 2033 Feb 27 09:11 ca.crt
-rw-r--r-- 1 root root 3243 Feb 27 09:09 ca.key
-rw-r--r-- 1 root root 17 Feb 27 09:20 ca.srl
./docker-client:
total 12
-rw-r--r-- 1 root root 2033 Feb 27 09:33 ca.crt
-rw-r--r-- 1 root root 2086 Feb 27 09:30 harbor.xiaosun.com.cert
-rw-r--r-- 1 root root 3243 Feb 27 09:33 harbor.xiaosun.com.key
./harbor-server:
total 16
-rw-r--r-- 1 root root 2086 Feb 27 09:20 harbor.xiaosun.com.crt
-rw-r--r-- 1 root root 1716 Feb 27 09:15 harbor.xiaosun.com.csr
-rw-r--r-- 1 root root 3243 Feb 27 09:13 harbor.xiaosun.com.key
-rw-r--r-- 1 root root 239 Feb 27 09:19 v3.ext
[root@docker certs]#
四、docker客户端使用证书
(1)docker客户端创建自建证书的目录结构(注意:目录名必须与访问 harbor 时使用的域名一致;如果使用非 443 端口,目录名为 域名:端口)
[root@docker ~]# mkdir -pv /etc/docker/certs.d/harbor.xiaosun.com/
(2)将客户端证书文件进行拷贝
[root@docker harbor]# scp certs/docker-client/* 10.0.0.104:/etc/docker/certs.d/harbor.xiaosun.com/
root@10.0.0.104's password:
ca.crt 100% 2033 1.3MB/s 00:00
harbor.xiaosun.com.cert 100% 2086 2.5MB/s 00:00
harbor.xiaosun.com.key 100% 3243 3.4MB/s 00:00
[root@docker harbor]#
(3)docker客户端验证(下面为了演示直接用 -p 传密码,密码会留在 shell 历史和进程参数中;实际使用时按输出中的提示改用 --password-stdin,并为 admin 设置强密码)
[root@docker ~]# echo 10.0.0.101 harbor.xiaosun.com >> /etc/hosts
[root@docker ~]#
[root@docker ~]# docker pull harbor.xiaosun.com/oldboyedu-linux/yinzhengjie-games:v1.0
v1.0: Pulling from oldboyedu-linux/yinzhengjie-games
Digest: sha256:c3cc27ec756237c4c7c894ea452cf14f92a33b75e692927c0497f008e6510a43
Status: Downloaded newer image for harbor.xiaosun.com/oldboyedu-linux/yinzhengjie-games:v1.0
harbor.xiaosun.com/oldboyedu-linux/yinzhengjie-games:v1.0
[root@docker ~]#
[root@docker ~]#
[root@docker ~]#
[root@docker ~]# docker login -u admin -p 1 harbor.xiaosun.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@docker ~]#
报错提示:
[root@docker ~]# docker login -u admin -p 1 harbor.xiaosun.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://harbor.xiaosun.com/v2/": x509: certificate is valid for harbor.xiaosun.com, not harbor.xiaosun.com
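问题分析:
没有把自建CA证书(ca.crt)拷贝到docker客户端的 /etc/docker/certs.d/harbor.xiaosun.com/ 目录,docker 无法校验 harbor 的服务器证书。(上面报错中的两个域名完全相同,疑似记录时被改写;CA 不受信任时常见的报错是 x509: certificate signed by unknown authority,而"valid for A, not B"这类报错通常说明访问的域名不在证书的 subjectAltName 中,排查时请以实际报错为准。)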
解决方案:
1. 创建证书存放目录
[root@docker ~]# mkdir -pv /etc/docker/certs.d/harbor.xiaosun.com/
mkdir: created directory ‘/etc/docker/certs.d’
mkdir: created directory ‘/etc/docker/certs.d/harbor.xiaosun.com/’
[root@docker ~]#
2.将服务端的证书文件拷贝过来(客户端校验服务器证书实际只需要其中的 ca.crt)
[root@docker ~]# scp 10.0.0.101:/project1/harbor/certs/docker-client/* /etc/docker/certs.d/harbor.xiaosun.com/
root@10.0.0.101's password:
ca.crt 100% 2033 2.2MB/s 00:00
harbor.xiaosun.com.cert 100% 2086 1.5MB/s 00:00
harbor.xiaosun.com.key 100% 3243 2.9MB/s 00:00
[root@docker ~]#
[root@docker ~]#
[root@docker ~]# ll /etc/docker/certs.d/harbor.xiaosun.com/
total 12
-rw-r--r-- 1 root root 2033 Feb 27 09:42 ca.crt
-rw-r--r-- 1 root root 2086 Feb 27 09:42 harbor.xiaosun.com.cert
-rw-r--r-- 1 root root 3243 Feb 27 09:42 harbor.xiaosun.com.key
[root@docker ~]#
[root@docker ~]# docker login -u admin -p 1 harbor.xiaosun.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded