应原来小伙伴的要求，生产环境出错了，是harbor的ssl cert过期了，也因为使用的是免费的ssl证书，现在无法正常使用harbor，所以贴来了2023年1月曾经搭建的文档，希望能解决问题。^v^.

以下是历史正文记录：

最近发现其中一个域名的证书到期了，无赖，现在行情不好，所以没准备续费购买商用版的证书，自己搭建把。好几个ssl证书都颁发使用（如下域名服务），域名为阿里购买的，所以原来的证书也是阿里的。

写个docs，就是update harbor的ssh crt把。

0、登录：https://harbortest.ihlt.com即出现以下界面，配置了ssl证书想通过IP也访问不了！

登录aliyun申请免费的证书把，需要购买证书服务，用了公司的企业账号，一次性可以免费申请20个，但是并非是根证书哦。截图记录把。

这里我看了harbor原来的证书格式为crt，密钥为key

所以我下载了对应的nginx的

应该harbor的证书也是通过nginx来写的

harbor@uat-harbor01:~$ sudo -i

[sudo] password for harbor:

root@uat-harbor01:~# cd /root/harbor/

root@uat-harbor01:~/harbor# ls

common common.sh docker-compose.yml harbor.v2.6.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare

root@uat-harbor01:~/harbor# ls

common common.sh docker-compose.yml harbor.v2.6.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare

root@uat-harbor01:~/harbor# cd /data/cert/

root@uat-harbor01:/data/cert# ls

harbortest.ihlt.com.crt harbortest.ihlt.com.key

root@uat-harbor01:/data/cert#

root@uat-harbor01:~/harbor# cat harbor.yml

Configuration file of Harbor

The IP address or hostname to access admin UI and registry service.

DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.

hostname: harbortest.ihlt.com

http:

port for http, default is 80. If https enabled, this port will redirect to https port

port: 80

https:

https port for harbor, default is 443

port: 443

The path of cert and key files for nginx

certificate: /data/cert/harbortest.ihlt.com.crt

private_key: /data/cert/harbortest.ihlt.com.key

依次操作如下图，

2、更新证书：

把下载的证书拷贝到对应的目录

通过finnalshell的sftp来直接拉传

root@uat-harbor01:/data/cert# ls

harbortest.ihlt.com.crt harbortest.ihlt.com.key

root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.crt harbortest.ihlt.com.crt0

root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.key harbortest.ihlt.com.key0

root@uat-harbor01:/data/cert# mv /tmp/harbortest.ihlt.com.* ./

root@uat-harbor01:/data/cert# ls

harbortest.ihlt.com.crt0 harbortest.ihlt.com.key harbortest.ihlt.com.key0 harbortest.ihlt.com.pem

root@uat-harbor01:/data/cert# ls -al

total 24

drwxr-xr-x 2 root root 4096 Sep 1 09:19 .

drwxr-xr-x 4 root root 4096 Oct 11 2022 ..

-rw-r--r-- 1 harbor harbor 3805 Oct 11 2022 harbortest.ihlt.com.crt0

-rw-rw-r-- 1 harbor harbor 1675 Sep 1 09:13 harbortest.ihlt.com.key

-rw-r--r-- 1 harbor harbor 1675 Oct 11 2022 harbortest.ihlt.com.key0

-rw-rw-r-- 1 harbor harbor 3813 Sep 1 09:13 harbortest.ihlt.com.pem

root@uat-harbor01:/data/cert#

3、重启harbor

停止docker-compose down

重新执行./prepare

启动docker-compose up -d

root@uat-harbor01:~/harbor# ./prepare

prepare base dir is set to /root/harbor

Clearing the configuration file: /config/portal/nginx.conf

Clearing the configuration file: /config/log/rsyslog_docker.conf

Clearing the configuration file: /config/log/logrotate.conf

Generated configuration file: /config/portal/nginx.conf

Generated configuration file: /config/log/logrotate.conf

Generated configuration file: /config/log/rsyslog_docker.conf

Traceback (most recent call last):

File "/usr/src/app/main.py", line 15, in <module>

cli()

File "/usr/lib/python3.10/site-packages/click/core.py", line 1137, in call

return self.main(*args, **kwargs)

File "/usr/lib/python3.10/site-packages/click/core.py", line 1062, in main

rv = self.invoke(ctx)

File "/usr/lib/python3.10/site-packages/click/core.py", line 1668, in invoke

return _process_result(sub_ctx.command.invoke(sub_ctx))

File "/usr/lib/python3.10/site-packages/click/core.py", line 1404, in invoke

return ctx.invoke(self.callback, **ctx.params)

File "/usr/lib/python3.10/site-packages/click/core.py", line 763, in invoke

return __callback(*args, **kwargs)

File "/usr/src/app/commands/prepare.py", line 47, in prepare

prepare_nginx(config_dict)

File "/usr/src/app/utils/nginx.py", line 23, in prepare_nginx

render_nginx_template(config_dict)

File "/usr/src/app/utils/nginx.py", line 56, in render_nginx_template

prepare_nginx_certs(config_dict['cert_key_path'], config_dict['cert_path'])

File "/usr/src/app/utils/nginx.py", line 43, in prepare_nginx_certs

shutil.copy2(host_ngx_cert_path, real_crt_path)

File "/usr/lib/python3.10/shutil.py", line 434, in copy2

copyfile(src, dst, follow_symlinks=follow_symlinks)

File "/usr/lib/python3.10/shutil.py", line 254, in copyfile

with open(src, 'rb') as fsrc:

FileNotFoundError: [Errno 2] No such file or directory: '/hostfs/data/cert/harbortest.ihlt.com.crt'

//马虎，提示没有这个文件，所以去看了下，忘记了上面的harbor.yml的crt而不是拷贝进来的pem，所以进入目录可以直接修改即可。

root@uat-harbor01:~/harbor# cd /data/cert/

root@uat-harbor01:/data/cert# ls

harbortest.ihlt.com.crt0 harbortest.ihlt.com.key harbortest.ihlt.com.key0 harbortest.ihlt.com.pem

root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.pem harbortest.ihlt.com.crt

root@uat-harbor01:~/harbor# ./prepare

prepare base dir is set to /root/harbor

Clearing the configuration file: /config/portal/nginx.conf

Clearing the configuration file: /config/log/rsyslog_docker.conf

Clearing the configuration file: /config/log/logrotate.conf

Generated configuration file: /config/portal/nginx.conf

Generated configuration file: /config/log/logrotate.conf

Generated configuration file: /config/log/rsyslog_docker.conf

Generated configuration file: /config/nginx/nginx.conf

Generated configuration file: /config/core/env

Generated configuration file: /config/core/app.conf

Generated configuration file: /config/registry/config.yml

Generated configuration file: /config/registryctl/env

Generated configuration file: /config/registryctl/config.yml

Generated configuration file: /config/db/env

Generated configuration file: /config/jobservice/env

Generated configuration file: /config/jobservice/config.yml

loaded secret from file: /data/secret/keys/secretkey

Generated configuration file: /compose_location/docker-compose.yml

Clean up the input dir

root@uat-harbor01:~/harbor# docker-compose up -d

[+] Running 10/10

⠿ Network harbor_harbor Created 0.2s

⠿ Container harbor-log Started 0.8s

⠿ Container registryctl Started 1.4s

⠿ Container harbor-portal Started 1.7s

⠿ Container redis Started 1.8s

⠿ Container registry Started 1.7s

⠿ Container harbor-db Started 1.3s

⠿ Container harbor-core Started 1.9s

⠿ Container nginx Started 2.3s

⠿ Container harbor-jobservice Started 2.2s

root@uat-harbor01:~/harbor#

再次访问：恢复正常了！

nginx更新证书-2023/10/19

公司的holitech.net的证书过期了，阿里云上购买了根证书。首先上传服务，然后替换对应的路径，可以查看nginx.conf的配置：路径，然后必须重启nginx服务。后端测试OK。。。。！

|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [root@k8s-ng2 paas]# scp holitech.net.* root@10.6.200.223:/root/ ssh: connect to host 10.6.200.223 port 22: Connection refused lost connection [root@k8s-ng2 paas]# scp holitech.net.* root@10.0.200.223:/data/cert root@10.0.200.223's password: holitech.net.key 100% 1679 18.3KB/s 00:00 holitech.net.pem 100% 3822 987.3KB/s 00:00 [root@k8s-ng1 data]# cd cert/ [root@k8s-ng1 cert]# ls 8631154__holitech.net.key holitech.net.key 8631154__holitech.net.pem holitech.net.pem [root@k8s-ng1 cert]# mv holitech.net.key 8631154__holitech.net.key mv：是否覆盖"8631154__holitech.net.key"？ y [root@k8s-ng1 cert]# mv holitech.net.pem 8631154__holitech.net.pem mv：是否覆盖"8631154__holitech.net.pem"？ y [root@k8s-ng1 cert]# whereis ngix ngix:[root@k8s-ng1 cert]# whereis nginx nginx: /usr/local/nginx [root@k8s-ng1 cert]# cd /usr/local/nginx/ [root@k8s-ng1 nginx]# ls client_body_temp fastcgi_temp logs sbin uwsgi_temp conf html proxy_temp scgi_temp [root@k8s-ng1 nginx]# cd sbin/ [root@k8s-ng1 sbin]# ls nginx [root@k8s-ng1 sbin]# ./nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@k8s-ng1 sbin]# systemctl restart nginx [root@k8s-ng2 paas]# systemctl restart nginx |

crt证书信息：

Harbor.ihlt.com_chain的证书

详细信息如下：

版本：V3

序列号：0de0ffb5ee62cb61109f608c9ced5ed3

签名算法： sha256RSA

签名哈希算法： sha256

颁发者：

CN = DigiCert Global Root G2

OU = www.digicert.com

O = DigiCert Inc

C = US

有效期从： Monday, ‎November ‎27, ‎2017 8:46:40 PM

到： ‎Saturday, ‎November ‎27, ‎2027 8:46:40 PM

使用者：

CN = Encryption Everywhere DV TLS CA - G2

OU = www.digicert.com

O = DigiCert Inc

C = US

公钥：

30 82 01 0a 02 82 01 01 00 ef 14 7f 8e a2 fe 7a fb a6 48 13 0e a9 c4 79 22 1f 08 5a af 3e 75 2a dd a1 75 b4 c2 79 86 1f 4c 9c ee 8b 9a de 54 74 77 c1 1b 00 bd 4a 2f 97 8c ad 76 72 36 60 c4 e6 ec 2f a4 60 d6 78 ef 36 10 0c 27 82 6e 9c dd 09 18 64 49 19 27 af 6c 9b 00 de c7 3a f2 76 cf 43 3b 8a a7 92 5c f2 fa 6b ca 9d a6 b6 cd fc a5 20 97 a2 b3 d1 fa c7 21 42 2b 0a 03 b3 92 43 53 23 70 53 74 77 bb 5b ad c7 96 14 d6 f3 80 bd 9c b0 95 50 7a 88 0e 04 64 9e fc a6 44 21 9c 3a 81 72 ca 78 57 bb 9a ea 67 35 82 51 3a 2d a2 0b 5d 7e 1e e1 7b f6 20 2d b4 c7 37 d8 2b fa 50 ec 62 c5 8f f7 65 5f 8b ce 92 e7 92 51 6a f7 c5 ce 46 0c 24 20 92 f5 1e eb cf 85 af 32 bd bf 96 e8 98 ac 95 92 4b f8 72 c5 b6 27 68 c6 62 3b 42 6d d9 c8 85 7a e9 6e 77 dc 3b 06 16 29 85 26 4c f7 cb 41 9e 1d 6b 92 54 c6 c8 95 fb 02 03 01 00 01

公钥参数： 05 00

使用者密钥标识符：78df91905feedeacf6c575ebd54c5553ef244ab6

授权密钥标识符： KeyID=4e2254201895e6e36ee60ffafab912ed06178f39

增强型密钥用法：

服务器身份验证 (1.3.6.1.5.5.7.3.1)

客户端身份验证 (1.3.6.1.5.5.7.3.2)

授权信息访问：

[1]Authority Info Access

Access Method=联机证书状态协议 (1.3.6.1.5.5.7.48.1)

Alternative Name:

URL=http://ocsp.digicert.com

CRL分发点：

[1]CRL Distribution Point

Distribution Point Name:

Full Name:

URL=http://crl3.digicert.com/DigiCertGlobalRootG2.crl

证书策略：

[1]Certificate Policy:

Policy Identifier=2.16.840.1.114412.1.2

[1,1]Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier:

Legal Repository | DigiCert.com

[2]Certificate Policy:

Policy Identifier=2.23.140.1.2.1

密钥用法： Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

基本约束：

Subject Type=CA

Path Length Constraint=0

指纹： ed6302684a3259aa04f10fe9a97a8fd30b965d26

常规信息：

颁发给： Encryption Everywhere DV TLS CA - G2

颁发者： DigiCert Global Root G2

Harbor.ihlt.com_public的证书

常规信息：

颁发给： harbor.ihlt.com

颁发者： Encryption Everywhere DV TLS CA - G2

解决ssl certificates updated-生成环境中的实例

Configuration file of Harbor

The IP address or hostname to access admin UI and registry service.

DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.

http related config

port for http, default is 80. If https enabled, this port will redirect to https port

https related config

https port for harbor, default is 443

The path of cert and key files for nginx