Fixing expired SSL certificates: a production-environment example

At a former colleague's request: production broke because Harbor's SSL certificate expired. Since it used a free SSL certificate, Harbor can no longer be used normally, so I am reposting the document I wrote when setting this up in January 2023, in the hope that it solves the problem. ^v^


The original write-up follows:

Recently I found that the certificate for one of our domains had expired. Times are tough, so there is no plan to renew a paid commercial certificate; I will set one up myself instead. Several SSL certificates are issued and in use (for the domain services below). The domains were bought from Alibaba, so the original certificates were Alibaba's too.

Writing a doc: it is just updating Harbor's SSL certificate.

0. Logging in at https://harbortest.ihlt.com shows the screen below; with an SSL certificate configured, access via the IP address does not work either!

Log in to Aliyun and apply for a free certificate. You need to buy the certificate service; with the company's enterprise account you can apply for 20 free certificates at once, but note that they are not root certificates. Screenshots are recorded below.

I checked the format of Harbor's existing certificate: the certificate is a .crt file and the key is a .key file,

so I downloaded the Nginx variant of the certificate.

Harbor's certificate should also be served through Nginx.

```text
harbor@uat-harbor01:~$ sudo -i
[sudo] password for harbor:
root@uat-harbor01:~# cd /root/harbor/
root@uat-harbor01:~/harbor# ls
common  common.sh  docker-compose.yml  harbor.v2.6.0.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare
root@uat-harbor01:~/harbor# cd /data/cert/
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt  harbortest.ihlt.com.key
root@uat-harbor01:~/harbor# cat harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbortest.ihlt.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbortest.ihlt.com.crt
  private_key: /data/cert/harbortest.ihlt.com.key
```

Follow the steps shown in the screenshots below:

![](https://i-blog.csdnimg.cn/direct/624e24b4d7564537acc4b009b06e3b1c.png)

![](https://i-blog.csdnimg.cn/direct/f12cab88b87d4e14a7bccb13ee8c2069.png)

![](https://i-blog.csdnimg.cn/direct/730edaa677424e3d89154070b57de691.png)

![](https://i-blog.csdnimg.cn/direct/b7fd9218e6b44f42a4a20829241897a7.png)

2. Update the certificate: copy the downloaded certificate into the target directory (uploaded directly over SFTP with FinalShell).

```text
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt  harbortest.ihlt.com.key
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.crt harbortest.ihlt.com.crt0
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.key harbortest.ihlt.com.key0
root@uat-harbor01:/data/cert# mv /tmp/harbortest.ihlt.com.* ./
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt0  harbortest.ihlt.com.key  harbortest.ihlt.com.key0  harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert# ls -al
total 24
drwxr-xr-x 2 root   root   4096 Sep  1 09:19 .
drwxr-xr-x 4 root   root   4096 Oct 11  2022 ..
-rw-r--r-- 1 harbor harbor 3805 Oct 11  2022 harbortest.ihlt.com.crt0
-rw-rw-r-- 1 harbor harbor 1675 Sep  1 09:13 harbortest.ihlt.com.key
-rw-r--r-- 1 harbor harbor 1675 Oct 11  2022 harbortest.ihlt.com.key0
-rw-rw-r-- 1 harbor harbor 3813 Sep  1 09:13 harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert#
```

3. Restart Harbor: stop it with `docker-compose down`, re-run `./prepare`, then start it with `docker-compose up -d`.

```text
root@uat-harbor01:~/harbor# ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Traceback (most recent call last):
  File "/usr/src/app/main.py", line 15, in <module>
    cli()
  File "/usr/lib/python3.10/site-packages/click/core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.10/site-packages/click/core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.10/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.10/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/usr/src/app/commands/prepare.py", line 47, in prepare
    prepare_nginx(config_dict)
  File "/usr/src/app/utils/nginx.py", line 23, in prepare_nginx
    render_nginx_template(config_dict)
  File "/usr/src/app/utils/nginx.py", line 56, in render_nginx_template
    prepare_nginx_certs(config_dict['cert_key_path'], config_dict['cert_path'])
  File "/usr/src/app/utils/nginx.py", line 43, in prepare_nginx_certs
    shutil.copy2(host_ngx_cert_path, real_crt_path)
  File "/usr/lib/python3.10/shutil.py", line 434, in copy2
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib/python3.10/shutil.py", line 254, in copyfile
    with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: '/hostfs/data/cert/harbortest.ihlt.com.crt'
```

Careless of me: the error says the file does not exist. Looking again, I had forgotten that harbor.yml above points at a .crt file, not the .pem I copied in, so just go into the directory and rename it.

```text
root@uat-harbor01:~/harbor# cd /data/cert/
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt0  harbortest.ihlt.com.key  harbortest.ihlt.com.key0  harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.pem harbortest.ihlt.com.crt
root@uat-harbor01:~/harbor# ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
root@uat-harbor01:~/harbor# docker-compose up -d
[+] Running 10/10
 ⠿ Network harbor_harbor          Created   0.2s
 ⠿ Container harbor-log           Started   0.8s
 ⠿ Container registryctl          Started   1.4s
 ⠿ Container harbor-portal        Started   1.7s
 ⠿ Container redis                Started   1.8s
 ⠿ Container registry             Started   1.7s
 ⠿ Container harbor-db            Started   1.3s
 ⠿ Container harbor-core          Started   1.9s
 ⠿ Container nginx                Started   2.3s
 ⠿ Container harbor-jobservice    Started   2.2s
root@uat-harbor01:~/harbor#
```

Visit the site again: it is back to normal!

![](https://i-blog.csdnimg.cn/direct/4f50774af51e49cf93749595aa64b195.png)

Nginx certificate update, 2023/10/19

The company's holitech.net certificate expired, and a root certificate was purchased on Alibaba Cloud. First upload it to the server, then replace the files at the corresponding path (the path can be found in the nginx.conf configuration), then the nginx service must be restarted. Backend test OK!

```text
[root@k8s-ng2 paas]# scp holitech.net.* [email protected]:/root/
ssh: connect to host 10.6.200.223 port 22: Connection refused
lost connection
[root@k8s-ng2 paas]# scp holitech.net.* [email protected]:/data/cert
[email protected]'s password:
holitech.net.key                              100% 1679    18.3KB/s   00:00
holitech.net.pem                              100% 3822   987.3KB/s   00:00
[root@k8s-ng1 data]# cd cert/
[root@k8s-ng1 cert]# ls
8631154__holitech.net.key  holitech.net.key  8631154__holitech.net.pem  holitech.net.pem
[root@k8s-ng1 cert]# mv holitech.net.key 8631154__holitech.net.key
mv:是否覆盖"8631154__holitech.net.key"? y
[root@k8s-ng1 cert]# mv holitech.net.pem 8631154__holitech.net.pem
mv:是否覆盖"8631154__holitech.net.pem"? y
[root@k8s-ng1 cert]# whereis ngix
ngix:
[root@k8s-ng1 cert]# whereis nginx
nginx: /usr/local/nginx
[root@k8s-ng1 cert]# cd /usr/local/nginx/
[root@k8s-ng1 nginx]# ls
client_body_temp  fastcgi_temp  logs  sbin  uwsgi_temp  conf  html  proxy_temp  scgi_temp
[root@k8s-ng1 nginx]# cd sbin/
[root@k8s-ng1 sbin]# ls
nginx
[root@k8s-ng1 sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@k8s-ng1 sbin]# systemctl restart nginx
[root@k8s-ng2 paas]# systemctl restart nginx
```

crt certificate information:

![](https://i-blog.csdnimg.cn/direct/d7841064235945e39b0d2cf4dbf41e2d.png)

![](https://i-blog.csdnimg.cn/direct/4eb81355b91a4923bcbef6599ca5b8fe.png)

The Harbor.ihlt.com_chain certificate

**Details:**

Version: V3
Serial number: 0de0ffb5ee62cb61109f608c9ced5ed3
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Issuer: CN = DigiCert Global Root G2, OU = [www.digicert.com](http://www.digicert.com "www.digicert.com"), O = DigiCert Inc, C = US
Valid from: Monday, November 27, 2017 8:46:40 PM
Valid to: Saturday, November 27, 2027 8:46:40 PM
Subject: CN = Encryption Everywhere DV TLS CA - G2, OU = [www.digicert.com](http://www.digicert.com "www.digicert.com"), O = DigiCert Inc, C = US
Public key: (hex dump omitted)
Public key parameters: 05 00
Subject key identifier: 78df91905feedeacf6c575ebd54c5553ef244ab6
Authority key identifier: KeyID=4e2254201895e6e36ee60ffafab912ed06178f39
Enhanced key usage: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)
Authority information access: [1] Authority Info Access, Access Method=Online Certificate Status Protocol (1.3.6.1.5.5.7.48.1), Alternative Name: URL=http://ocsp.digicert.com
CRL distribution points: [1] CRL Distribution Point, Distribution Point Name: Full Name: URL=http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Certificate policies: [1] Certificate Policy: Policy Identifier=2.16.840.1.114412.1.2, [1,1] Policy Qualifier Info: Policy Qualifier Id=CPS, Qualifier: [Legal Repository \| DigiCert.com](https://www.digicert.com/CPS "Legal Repository | DigiCert.com"); [2] Certificate Policy: Policy Identifier=2.23.140.1.2.1
Key usage: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Basic constraints: Subject Type=CA, Path Length Constraint=0
Thumbprint: ed6302684a3259aa04f10fe9a97a8fd30b965d26

**General information:**

Issued to: Encryption Everywhere DV TLS CA - G2
Issued by: DigiCert Global Root G2

The Harbor.ihlt.com_public certificate

**General information:**

Issued to: harbor.ihlt.com
Issued by: Encryption Everywhere DV TLS CA - G2
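The `./prepare` failure above came from the downloaded file being named `.pem` while harbor.yml points at a `.crt`. The following pre-flight script is an added example, not part of the original post or of Harbor itself: it checks that the new certificate and key belong together, that the certificate is not about to expire, and that the file name agrees with the `certificate:` entry in harbor.yml before anything is swapped into `/data/cert`. It assumes the `openssl` CLI is installed; the function names and the self-signed test fixture are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before swapping
# Harbor's TLS files, catching the mistake the post ran into (file name in
# harbor.yml not matching the downloaded file) plus cert/key mismatch and expiry.
# Assumes the openssl CLI is installed; paths are supplied by the caller.

# Print the 'certificate:' path configured in harbor.yml.
yaml_cert_path() {
  sed -n 's/^[[:space:]]*certificate:[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if the public key inside the cert equals the one derived from the key.
cert_key_match() {
  [ -r "$1" ] && [ -r "$2" ] || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the cert stays valid for at least $2 more days.
cert_valid_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# precheck HARBOR_YML NEW_CERT NEW_KEY: every check must pass before ./prepare is run.
precheck() {
  target=$(yaml_cert_path "$1")
  [ -n "$target" ] || { echo "no certificate: entry in $1"; return 1; }
  cert_key_match "$2" "$3" || { echo "certificate and key do not match"; return 1; }
  cert_valid_days "$2" 30 || { echo "certificate expires within 30 days"; return 1; }
  # The post's error: harbor.yml names a .crt but the download was a .pem, so
  # ./prepare died with FileNotFoundError. Insist that the basenames agree.
  [ "$(basename "$2")" = "$(basename "$target")" ] \
    || { echo "rename $(basename "$2") to $(basename "$target")"; return 1; }
  echo "ok: $2 matches $target"
}

# Constructed test fixture: a self-signed cert/key pair for harbortest.ihlt.com,
# written into directory $1 and named .pem/.key as the CA download was.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=harbortest.ihlt.com" \
    -keyout "$1/harbortest.ihlt.com.key" -out "$1/harbortest.ihlt.com.pem" \
    >/dev/null 2>&1
}

# Usage: sh precheck.sh /root/harbor/harbor.yml /tmp/harbortest.ihlt.com.crt /tmp/harbortest.ihlt.com.key
if [ $# -eq 3 ]; then precheck "$1" "$2" "$3"; fi
```

Run it after uploading the new files to `/tmp` and before the `mv` into `/data/cert`; a non-zero exit means stop and fix the reported problem rather than running `./prepare`.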
