Harbor: HTTPS Access with a Self-Built CA and Certificate

I. Environment preparation

Hostname: harbor250.lyx.com   IP: 10.0.0.250

II. Prepare the Harbor installation package

root@harbor250:~# wget https://github.com/goharbor/harbor/releases/download/v2.12.2/harbor-offline-installer-v2.12.2.tgz

III. Install docker and docker-compose, and extract the Harbor package

root@harbor250:~# tar xf oldboyedu-autoinstall-docker-docker-compose.tar.gz
root@harbor250:~# ./install-docker.sh i
root@harbor250:~# tar xf harbor-offline-installer-v2.12.2.tgz -C /usr/local/

IV. Configure the CA certificate

1. Enter the Harbor program root directory

root@harbor250:/usr/local/harbor# ll
total 636508
drwxr-xr-x  2 root root      4096 Mar 25 10:30 ./
drwxr-xr-x 11 root root      4096 Mar 25 10:30 ../
-rw-r--r--  1 root root      3646 Jan 16 22:10 common.sh
-rw-r--r--  1 root root 651727378 Jan 16 22:11 harbor.v2.12.2.tar.gz
-rw-r--r--  1 root root     14288 Jan 16 22:10 harbor.yml.tmpl
-rwxr-xr-x  1 root root      1975 Jan 16 22:10 install.sh*
-rw-r--r--  1 root root     11347 Jan 16 22:10 LICENSE
-rwxr-xr-x  1 root root      2211 Jan 16 22:10 prepare*

2. Create the directories that will hold the certificates

root@harbor250:/usr/local/harbor# mkdir -pv certs/{ca,harbor-server,docker-client}
mkdir: created directory 'certs'
mkdir: created directory 'certs/ca'
mkdir: created directory 'certs/harbor-server'
mkdir: created directory 'certs/docker-client'

root@harbor250:/usr/local/harbor# tree certs
certs
├── ca
├── docker-client
└── harbor-server

3 directories, 0 files

3. Create the CA private key

root@harbor250:/usr/local/harbor# cd certs/
root@harbor250:/usr/local/harbor/certs# openssl genrsa -out ca/ca.key 4096

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   └── ca.key
├── docker-client
└── harbor-server

3 directories, 1 file

4. Create the CA certificate from the self-built CA private key (pay attention to the domain the CA will issue certificates for)

root@harbor250:/usr/local/harbor/certs# openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oldboyedu.com" \
    -key ca/ca.key \
    -out ca/ca.crt

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server

3 directories, 2 files

5. Inspect the self-built CA certificate

root@harbor250:/usr/local/harbor/certs# openssl x509 -in ca/ca.crt -noout -text

V. Configure the Harbor server certificate

1. Generate the Harbor server private key

root@harbor250:/usr/local/harbor/certs# openssl genrsa -out harbor-server/harbor250.oldboyedu.com.key 4096

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    └── harbor250.oldboyedu.com.key

3 directories, 3 files

2. Generate a certificate signing request (CSR) from the Harbor server private key, to be signed by the self-built CA

root@harbor250:/usr/local/harbor/certs# openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor250.oldboyedu.com" \
    -key harbor-server/harbor250.oldboyedu.com.key \
    -out harbor-server/harbor250.oldboyedu.com.csr

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.csr
    └── harbor250.oldboyedu.com.key

3 directories, 4 files

3. Generate the x509 v3 extension file used when signing

root@harbor250:/usr/local/harbor/certs# cat > harbor-server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor250.oldboyedu.com
EOF

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 5 files

4. Sign the Harbor server certificate with the x509 v3 extension file

root@harbor250:/usr/local/harbor/certs# openssl x509 -req -sha512 -days 3650 \
    -extfile harbor-server/v3.ext \
    -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
    -in harbor-server/harbor250.oldboyedu.com.csr \
    -out harbor-server/harbor250.oldboyedu.com.crt

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.crt
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 6 files
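The chain built in sections IV and V, as an added example that is not part of the original post: it regenerates the CA and the SAN-bearing server certificate in a scratch directory and then runs the checks worth doing before harbor.yml is pointed at the files. It assumes openssl is on PATH; the function names `make_harbor_certs` and `check_harbor_cert` are mine.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the post's CA and
# server certificate in a scratch directory, then check the result the way
# a practitioner should before pointing harbor.yml at it. Needs openssl.
set -eu

make_harbor_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir/ca" "$dir/harbor-server"
    # 2048-bit keys here only to keep the demo fast; the post uses 4096
    openssl genrsa -out "$dir/ca/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oldboyedu.com" \
        -key "$dir/ca/ca.key" -out "$dir/ca/ca.crt"
    openssl genrsa -out "$dir/harbor-server/$host.key" 2048 2>/dev/null
    openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$host" \
        -key "$dir/harbor-server/$host.key" -out "$dir/harbor-server/$host.csr"
    # x509 v3 extensions; the SAN section header must be written as [alt_names]
    cat > "$dir/harbor-server/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$host
EOF
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/harbor-server/v3.ext" \
        -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
        -in "$dir/harbor-server/$host.csr" -out "$dir/harbor-server/$host.crt" 2>/dev/null
}

# Returns 0 only if the leaf chains to the CA, names the host in its SAN
# (Docker and browsers ignore the CN), is not itself a CA, and is marked
# for TLS server authentication.
check_harbor_cert() {
    ca="$1"; crt="$2"; host="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null || return 1
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' || return 1
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || return 1
    echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
}
```

Run `make_harbor_certs /tmp/hc harbor250.oldboyedu.com` and then `check_harbor_cert /tmp/hc/ca/ca.crt /tmp/hc/harbor-server/harbor250.oldboyedu.com.crt harbor250.oldboyedu.com`; a non-zero exit means the certificate would be rejected by the Docker client or the browser.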

5. Edit the Harbor configuration file to use the self-built certificate

root@harbor250:/usr/local/harbor/certs# cp ../harbor.yml{.tmpl,}
root@harbor250:/usr/local/harbor/certs# vim ../harbor.yml
...
hostname: harbor250.oldboyedu.com
https:
  ...
  certificate: /usr/local/harbor/certs/harbor-server/harbor250.oldboyedu.com.crt
  private_key: /usr/local/harbor/certs/harbor-server/harbor250.oldboyedu.com.key
...
harbor_admin_password: 1
...
data_volume: /var/lib/harbor
...

6. Install the Harbor service

root@harbor250:/usr/local/harbor/certs# ../install.sh

VI. Access the Harbor web UI

# add a hosts entry on the Windows workstation
10.0.0.250 harbor250.oldboyedu.com

# access test
https://harbor250.oldboyedu.com/harbor/projects/1/repositories

VII. Configure the Docker client certificate

1. Prepare the Docker client certificate files

root@harbor250:/usr/local/harbor/certs# cp ca/ca.crt harbor-server/harbor250.oldboyedu.com.key docker-client/
root@harbor250:/usr/local/harbor/certs# cp harbor-server/harbor250.oldboyedu.com.crt docker-client/harbor250.oldboyedu.com.cert

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
│   ├── ca.crt
│   ├── harbor250.oldboyedu.com.cert
│   └── harbor250.oldboyedu.com.key
└── harbor-server
    ├── harbor250.oldboyedu.com.crt
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 9 files

2. On the Docker client, create the directory for the self-built certificate (the directory name must match the registry hostname exactly: Docker looks up /etc/docker/certs.d/<registry hostname>/ and trusts the ca.crt found there, while a .cert/.key pair in the same directory is used as a client certificate)

root@elk91:~# mkdir -pv /etc/docker/certs.d/harbor250.oldboyedu.com/

3. Copy the Docker client certificate files to the client

root@elk91:~# echo 10.0.0.250 harbor250.oldboyedu.com >> /etc/hosts
root@elk91:~# scp harbor250.oldboyedu.com:/usr/local/harbor/certs/docker-client/* /etc/docker/certs.d/harbor250.oldboyedu.com/

root@elk91:~# ll /etc/docker/certs.d/harbor250.oldboyedu.com/
total 20
drwxr-xr-x 2 root root 4096 Mar 25 12:10 ./
drwxr-xr-x 3 root root 4096 Mar 25 12:01 ../
-rw-r--r-- 1 root root 2049 Mar 25 12:10 ca.crt
-rw-r--r-- 1 root root 2155 Mar 25 12:10 harbor250.oldboyedu.com.cert
-rw------- 1 root root 3272 Mar 25 12:10 harbor250.oldboyedu.com.key

4. Client login test

root@elk91:~# docker login -u admin -p 1 harbor250.oldboyedu.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
