In a production environment the certificate should be obtained from a CA. In a test or development environment you can generate your own CA. The steps below show how to generate the CA certificate, issue a certificate for the registry and configure Harbor to use it.

Stop Harbor

First stop Harbor and delete its existing data, so that you start again from a clean environment:

docker compose -f docker-compose.yml down -v

rm -rf /data/ca_download /data/database /data/job_logs /data/redis /data/registry /data/secret
rm -rf /var/log/harbor*

Generating the certificates

Root certificate

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=company/OU=IT/CN=test/emailAddress=1@test.com"

This produces ca.crt and ca.key.

Registry key and certificate signing request

openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key -out harbor-registry.csr -days 3650 -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=company/OU=IT/CN=192.168.1.93/emailAddress=1@test.com"

Issuing the registry certificate

echo subjectAltName = IP:192.168.1.93 > extfile.cnf

openssl x509 -req -days 3650 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt

ls 
ca.crt ca.key ca.srl extfile.cnf harbor-registry.crt harbor-registry.csr harbor-registry.key
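Before pointing harbor.yml at these files it is worth checking that the certificate actually chains to ca.crt, carries the IP in its subjectAltName and matches the private key. The following POSIX shell script is an added example, not part of the original post: it reproduces the post's openssl commands in a scratch directory (with 2048-bit keys only to keep the run short) and then runs those checks. It assumes openssl is on PATH and uses the post's file names; the directory and IP are parameters.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the CA and the registry
# certificate the way the post does, then verify the result before it is
# referenced from harbor.yml. Assumes openssl is on PATH.

# make_harbor_pki DIR IP  -- the post's openssl commands in a scratch directory
# (rsa:2048 here only to keep the run short; the post uses rsa:4096).
make_harbor_pki() {
    dir="$1"; ip="$2"
    subj="/C=CN/ST=Guangdong/L=Shenzhen/O=company/OU=IT"
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/ca.key" -x509 -days 3650 \
        -out "$dir/ca.crt" -subj "$subj/CN=test/emailAddress=1@test.com" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/harbor-registry.key" \
        -out "$dir/harbor-registry.csr" -subj "$subj/CN=$ip/emailAddress=1@test.com" 2>/dev/null
    echo "subjectAltName = IP:$ip" > "$dir/extfile.cnf"
    openssl x509 -req -days 3650 -in "$dir/harbor-registry.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/extfile.cnf" \
        -out "$dir/harbor-registry.crt" 2>/dev/null
}

# check_harbor_certs DIR IP  -- returns 0 when every check passes, otherwise
# prints the failed check and returns 1.
check_harbor_certs() {
    dir="$1"; ip="$2"
    ca="$dir/ca.crt"; crt="$dir/harbor-registry.crt"; key="$dir/harbor-registry.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # 1. The leaf must chain to ca.crt: this is exactly what the browser checks
    #    once ca.crt has been imported as a trusted root.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "harbor-registry.crt is not signed by ca.crt"; return 1; }
    # 2. The IP must be in subjectAltName; browsers and the docker client ignore
    #    the CN, so the extfile.cnf step is not optional.
    openssl x509 -in "$crt" -noout -text | grep -qw "IP Address:$ip" \
        || { echo "subjectAltName does not contain IP:$ip"; return 1; }
    # 3. The key handed to nginx must belong to the certificate: compare the
    #    public key derived from each side.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "harbor-registry.key does not match harbor-registry.crt"; return 1; }
    echo "ok: $crt is signed by $ca and valid for IP $ip"
}

# Stand-alone run (sh script.sh --demo): build into a scratch directory for the
# post's IP and check it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_harbor_pki "$d" 192.168.1.93 && check_harbor_certs "$d" 192.168.1.93
fi
```

To check the files you generated by hand instead, call check_harbor_certs with the directory that holds them and the IP you put into extfile.cnf.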

Modifying the configuration

Edit harbor.yml:

https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /you/path/harbor-registry.crt
  private_key: /you/path/harbor-registry.key
  # enable strong ssl ciphers (default: false)
  # strong_ssl_ciphers: false

Regenerate the configuration files

./prepare 

Restart Harbor

docker compose -f docker-compose.yml up -d

Creating harbor-log ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating registry ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done

Accessing Harbor over https

Import the ca.crt generated above into the browser's trusted root certificate store; Harbor can then be accessed over https.

This is an original article; please credit the source when reposting. The author's website is 和而不同.
