At the request of a former colleague: production broke because Harbor's SSL certificate expired, and because a free SSL certificate was in use, Harbor can no longer be used normally. So I am reposting the document I wrote when I set this up in January 2023, in the hope that it solves the problem. ^v^
The original write-up follows:
Recently I found that the certificate for one of our domains had expired. Nothing for it: with the market the way it is, we were not going to renew with a paid commercial certificate, so I set one up myself. Several SSL certificates had been issued and are in use (for the domain services below); the domains were bought from Alibaba, so the old certificates were Alibaba's as well.
Let me write a doc; it is simply updating Harbor's SSL crt.
0. Log in: opening https://harbortest.ihlt.com shows the screen below. With an SSL certificate configured, it cannot be reached via the IP address either!
Log in to Aliyun and apply for a free certificate. You have to buy the certificate service; with the company's enterprise account you can apply for 20 free ones at a time, but note that they are not root certificates. Recording it with screenshots.
Here I checked the format of Harbor's existing certificate: the certificate is a .crt file and the key is a .key file,
so I downloaded the Nginx variant of the certificate,
since Harbor's certificate is presumably served through nginx as well.
harbor@uat-harbor01:~$ sudo -i
[sudo] password for harbor:
root@uat-harbor01:~# cd /root/harbor/
root@uat-harbor01:~/harbor# ls
common common.sh docker-compose.yml harbor.v2.6.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
root@uat-harbor01:~/harbor# ls
common common.sh docker-compose.yml harbor.v2.6.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
root@uat-harbor01:~/harbor# cd /data/cert/
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt harbortest.ihlt.com.key
root@uat-harbor01:/data/cert#
root@uat-harbor01:~/harbor# cat harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbortest.ihlt.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbortest.ihlt.com.crt
  private_key: /data/cert/harbortest.ihlt.com.key
Perform the steps in order as shown in the figures below.
2. Update the certificate:
Copy the downloaded certificate into the corresponding directory,
uploaded directly through FinalShell's SFTP.
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt harbortest.ihlt.com.key
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.crt harbortest.ihlt.com.crt0
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.key harbortest.ihlt.com.key0
root@uat-harbor01:/data/cert# mv /tmp/harbortest.ihlt.com.* ./
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt0 harbortest.ihlt.com.key harbortest.ihlt.com.key0 harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert# ls -al
total 24
drwxr-xr-x 2 root root 4096 Sep 1 09:19 .
drwxr-xr-x 4 root root 4096 Oct 11 2022 ..
-rw-r--r-- 1 harbor harbor 3805 Oct 11 2022 harbortest.ihlt.com.crt0
-rw-rw-r-- 1 harbor harbor 1675 Sep 1 09:13 harbortest.ihlt.com.key
-rw-r--r-- 1 harbor harbor 1675 Oct 11 2022 harbortest.ihlt.com.key0
-rw-rw-r-- 1 harbor harbor 3813 Sep 1 09:13 harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert#
3. Restart Harbor
Stop: docker-compose down
Re-run ./prepare
Start: docker-compose up -d
root@uat-harbor01:~/harbor# ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Traceback (most recent call last):
File "/usr/src/app/main.py", line 15, in <module>
cli()
File "/usr/lib/python3.10/site-packages/click/core.py", line 1137, in call
return self.main(*args, **kwargs)
File "/usr/lib/python3.10/site-packages/click/core.py", line 1062, in main
rv = self.invoke(ctx)
File "/usr/lib/python3.10/site-packages/click/core.py", line 1668, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python3.10/site-packages/click/core.py", line 763, in invoke
return __callback(*args, **kwargs)
File "/usr/src/app/commands/prepare.py", line 47, in prepare
prepare_nginx(config_dict)
File "/usr/src/app/utils/nginx.py", line 23, in prepare_nginx
render_nginx_template(config_dict)
File "/usr/src/app/utils/nginx.py", line 56, in render_nginx_template
prepare_nginx_certs(config_dict['cert_key_path'], config_dict['cert_path'])
File "/usr/src/app/utils/nginx.py", line 43, in prepare_nginx_certs
shutil.copy2(host_ngx_cert_path, real_crt_path)
File "/usr/lib/python3.10/shutil.py", line 434, in copy2
copyfile(src, dst, follow_symlinks=follow_symlinks)
File "/usr/lib/python3.10/shutil.py", line 254, in copyfile
with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: '/hostfs/data/cert/harbortest.ihlt.com.crt'
// Careless: it says the file does not exist, so I went to look. I had forgotten that harbor.yml above references a .crt, not the .pem I copied in, so just go into the directory and rename it.
root@uat-harbor01:~/harbor# cd /data/cert/
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt0 harbortest.ihlt.com.key harbortest.ihlt.com.key0 harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.pem harbortest.ihlt.com.crt
root@uat-harbor01:~/harbor# ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
root@uat-harbor01:~/harbor# docker-compose up -d
[+] Running 10/10
⠿ Network harbor_harbor Created 0.2s
⠿ Container harbor-log Started 0.8s
⠿ Container registryctl Started 1.4s
⠿ Container harbor-portal Started 1.7s
⠿ Container redis Started 1.8s
⠿ Container registry Started 1.7s
⠿ Container harbor-db Started 1.3s
⠿ Container harbor-core Started 1.9s
⠿ Container nginx Started 2.3s
⠿ Container harbor-jobservice Started 2.2s
root@uat-harbor01:~/harbor#
Access it again: back to normal!
Updating the nginx certificate - 2023/10/19
The company's holitech.net certificate expired, and a root certificate was purchased on Alibaba Cloud. First upload it to the server, then replace the files at the corresponding paths (the paths can be found in nginx.conf), and then the nginx service must be restarted. Backend test OK!
[root@k8s-ng2 paas]# scp holitech.net.* root@10.6.200.223:/root/
ssh: connect to host 10.6.200.223 port 22: Connection refused
lost connection
[root@k8s-ng2 paas]# scp holitech.net.* root@10.0.200.223:/data/cert
root@10.0.200.223's password:
holitech.net.key 100% 1679 18.3KB/s 00:00
holitech.net.pem 100% 3822 987.3KB/s 00:00
[root@k8s-ng1 data]# cd cert/
[root@k8s-ng1 cert]# ls
8631154__holitech.net.key holitech.net.key 8631154__holitech.net.pem holitech.net.pem
[root@k8s-ng1 cert]# mv holitech.net.key 8631154__holitech.net.key
mv:是否覆盖"8631154__holitech.net.key"? y
[root@k8s-ng1 cert]# mv holitech.net.pem 8631154__holitech.net.pem
mv:是否覆盖"8631154__holitech.net.pem"? y
[root@k8s-ng1 cert]# whereis ngix
ngix:
[root@k8s-ng1 cert]# whereis nginx
nginx: /usr/local/nginx
[root@k8s-ng1 cert]# cd /usr/local/nginx/
[root@k8s-ng1 nginx]# ls
client_body_temp fastcgi_temp logs sbin uwsgi_temp conf html proxy_temp scgi_temp
[root@k8s-ng1 nginx]# cd sbin/
[root@k8s-ng1 sbin]# ls
nginx
[root@k8s-ng1 sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@k8s-ng1 sbin]# systemctl restart nginx
[root@k8s-ng2 paas]# systemctl restart nginx
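As an added example (not the post's own commands), the POSIX shell script below front-loads the checks that the Harbor procedure in steps 2 and 3 relied on by trial and error: it reads the certificate/private_key paths from harbor.yml, verifies the files exist under those exact names (the .pem-versus-.crt slip that made ./prepare fail above), confirms the new cert and key belong together, cover the hostname and are not about to expire, and only then backs up, swaps and restarts. The check_cert_matches function applies just as well to the plain nginx update in the 2023/10/19 section. Function names and the 30-day expiry threshold are my own assumptions, and openssl and docker-compose are assumed to be on PATH.

```shell
#!/bin/sh
# Pre-flight checks and rotation for Harbor's nginx TLS pair (added example, not
# the post's own commands). Assumes the harbor.yml keys shown above and openssl.

# Read a "key: value" line (hostname, certificate, private_key) from harbor.yml.
harbor_yml_path() {  # $1 = key, $2 = path to harbor.yml
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1
}

# ./prepare fails with FileNotFoundError when these paths do not exist; this
# catches the .pem-vs-.crt naming slip from the post before anything restarts.
check_cert_files_exist() {  # $1 = path to harbor.yml
  crt=$(harbor_yml_path certificate "$1"); key=$(harbor_yml_path private_key "$1")
  [ -n "$crt" ] && [ -n "$key" ] || { echo "harbor.yml lacks certificate/private_key" >&2; return 1; }
  [ -f "$crt" ] || { echo "certificate not found: $crt" >&2; return 1; }
  [ -f "$key" ] || { echo "private key not found: $key" >&2; return 1; }
}

# Cert and key must share a public key, cover the hostname, and not expire
# within $4 days (default 30); an expired cert is what started the outage.
check_cert_matches() {  # $1 = cert, $2 = key, $3 = hostname, $4 = min days
  days=${4:-30}
  openssl x509 -in "$1" -noout 2>/dev/null || { echo "unreadable certificate: $1" >&2; return 1; }
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "certificate and private key do not match" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "certificate expires within $days days" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkhost "$3" | grep -q "does match" \
    || { echo "certificate is not valid for host $3" >&2; return 1; }
}

# Back up the live pair with a timestamp, install the new pair under the exact
# names harbor.yml expects, then regenerate config and restart as in step 3.
rotate_harbor_cert() {  # $1 = harbor install dir, $2 = new cert, $3 = new key
  yml="$1/harbor.yml"
  crt=$(harbor_yml_path certificate "$yml"); key=$(harbor_yml_path private_key "$yml")
  check_cert_matches "$2" "$3" "$(harbor_yml_path hostname "$yml")" 30 || return 1
  ts=$(date +%Y%m%d%H%M%S)
  cp -p "$crt" "$crt.$ts.bak" && cp -p "$key" "$key.$ts.bak" || return 1
  cp "$2" "$crt" && cp "$3" "$key" || return 1
  check_cert_files_exist "$yml" || return 1
  (cd "$1" && docker-compose down && ./prepare && docker-compose up -d)
}
```

Run it as `. ./rotate.sh && rotate_harbor_cert /root/harbor /tmp/new.crt /tmp/new.key`; a failed check leaves the live files untouched.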
crt certificate information:
Certificate: Harbor.ihlt.com_chain
Details:
Version: V3
Serial number: 0de0ffb5ee62cb61109f608c9ced5ed3
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Issuer:
CN = DigiCert Global Root G2
OU = www.digicert.com
O = DigiCert Inc
C = US
Valid from: Monday, November 27, 2017 8:46:40 PM
To: Saturday, November 27, 2027 8:46:40 PM
Subject:
CN = Encryption Everywhere DV TLS CA - G2
OU = www.digicert.com
O = DigiCert Inc
C = US
Public key:
Public key parameters: 05 00
Subject Key Identifier: 78df91905feedeacf6c575ebd54c5553ef244ab6
Authority Key Identifier: KeyID=4e2254201895e6e36ee60ffafab912ed06178f39
Enhanced Key Usage:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
Authority Information Access:
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
CRL Distribution Points:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Certificate Policies:
[1]Certificate Policy:
Policy Identifier=2.16.840.1.114412.1.2
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier:
Legal Repository | DigiCert.com
[2]Certificate Policy:
Policy Identifier=2.23.140.1.2.1
Key Usage: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Basic Constraints:
Subject Type=CA
Path Length Constraint=0
Thumbprint: ed6302684a3259aa04f10fe9a97a8fd30b965d26
General:
Issued to: Encryption Everywhere DV TLS CA - G2
Issued by: DigiCert Global Root G2
Certificate: Harbor.ihlt.com_public
General:
Issued to: harbor.ihlt.com
Issued by: Encryption Everywhere DV TLS CA - G2