Harbor image registry: configuring HTTPS certificate access
Generate the CA certificate
Create the key file:
[root@VM_0_8_centos certs]#pwd
/data/certs
[root@VM_0_8_centos certs]#openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
............++
.........................++
e is 65537 (0x10001)
Generate the certificate:
[root@VM_0_8_centos certs]#openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=harbor.wangxiaofeng.site" -key ca.key -out ca.crt
[root@VM_0_8_centos certs]# ll
total 16
-rw-r--r-- 1 root root 1830 May 31 15:50 ca.crt
-rw-r--r-- 1 root root 3243 May 31 15:49 ca.key
Generate the server certificate
Create the private key
[root@VM_0_8_centos certs]#openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
........................................................................................................................................................++
.............................................................................++
e is 65537 (0x10001)
Generate the certificate signing request
[root@VM_0_8_centos certs]#openssl req -new -sha512 -subj "/CN=harbor.wangxiaofeng.site" -key server.key -out server.csr
[root@VM_0_8_centos certs]# ll
total 28
-rw-r--r-- 1 root root 1830 May 31 15:50 ca.crt
-rw-r--r-- 1 root root 3243 May 31 15:49 ca.key
-rw-r--r-- 1 root root 1606 May 31 15:51 server.csr
-rw-r--r-- 1 root root 3243 May 31 15:50 server.key
Create the extension file for the Harbor registry host's certificate
[root@VM_0_8_centos certs]# vim v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.wangxiaofeng.site
Generate the certificate for the Harbor registry host
[root@VM_0_8_centos certs]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.
Signature ok
subject=/CN=harbor.wangxiaofeng.site
Getting CA Private Key
[root@VM_0_8_centos certs]# ll
total 28
-rw-r--r-- 1 root root 1830 May 31 15:50 ca.crt
-rw-r--r-- 1 root root 3243 May 31 15:49 ca.key
-rw-r--r-- 1 root root 17 May 31 16:17 ca.srl
-rw-r--r-- 1 root root 1879 May 31 16:17 server.crt
-rw-r--r-- 1 root root 1606 May 31 15:51 server.csr
-rw-r--r-- 1 root root 3243 May 31 15:50 server.key
-rw-r--r-- 1 root root 243 May 31 16:16 v3.ext
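All required certificate files have now been generated.
Configure and install the certificates
Edit Harbor's configuration file; Harbor must be restarted after the change.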
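A check that can be run once the files exist (an added example, not part of the original post): it confirms that server.crt chains to ca.crt, that the hostname is an exact subjectAltName entry, that server.key matches the certificate, and that the key files are not readable by group or others (the listings above show them as -rw-r--r--). The function names check_harbor_cert and make_sample, the throwaway 2048-bit sample and any hostname passed to make_sample are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity checks for the files generated above.
# check_harbor_cert DIR HOST  -> exit status = number of failed checks
check_harbor_cert() {
    d=$1; host=$2; fails=0
    # 1. server.crt must chain to ca.crt
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 ||
        { echo "FAIL: server.crt does not verify against ca.crt"; fails=$((fails + 1)); }
    # 2. HOST must be an exact DNS entry in subjectAltName (what v3.ext supplies)
    openssl x509 -in "$d/server.crt" -noout -text 2>/dev/null | tr ',' '\n' |
        sed 's/^ *//' | grep -qxF "DNS:$host" ||
        { echo "FAIL: no subjectAltName entry DNS:$host"; fails=$((fails + 1)); }
    # 3. server.key must be the private key belonging to server.crt
    crt_pub=$(openssl x509 -in "$d/server.crt" -noout -pubkey 2>/dev/null) || crt_pub=""
    key_pub=$(openssl pkey -in "$d/server.key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: server.key does not match server.crt"; fails=$((fails + 1))
    fi
    # 4. private keys must not be readable by group or others
    for k in ca.key server.key; do
        if [ -n "$(find "$d/$k" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "FAIL: $k is readable by group or others"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: throwaway 2048-bit CA and server certificate (1 day validity)
make_sample() {
    ( cd "$1" && umask 077 &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=sample-ca" \
          -key ca.key -out ca.crt &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -sha512 -subj "/CN=$2" -key server.key -out server.csr &&
      printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > v3.ext &&
      openssl x509 -req -sha512 -days 1 -extfile v3.ext -CA ca.crt -CAkey ca.key \
          -CAcreateserial -in server.csr -out server.crt ) >/dev/null 2>&1
}

# Stand-alone use: sh check.sh /data/certs harbor.wangxiaofeng.site
if [ "$#" -eq 2 ]; then check_harbor_cert "$1" "$2"; fi
```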
[root@VM_0_8_centos certs]#vim ~/harbor/harbor.yml
hostname: harbor.wangxiaofeng.site
https:
  port: 443
  certificate: /data/certs/server.crt
  private_key: /data/certs/server.key
Configure Docker to trust the Harbor certificate
Copy the server certificate into the fixed directory on the machine where Docker runs
[root@VM_0_8_centos harbor]#mkdir -p /etc/docker/certs.d/harbor.wangxiaofeng.site
[root@VM_0_8_centos harbor]#cp /data/certs/server.crt /etc/docker/certs.d/harbor.wangxiaofeng.site/server.crt
Then simply run docker login:
[root@VM_0_8_centos harbor]#docker login harbor.wangxiaofeng.site
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
This is a local login, i.e. Harbor and Docker are on the same machine. If Docker is on another machine, just copy the crt file to that machine.
done~