Generating certificates for running Harbor over HTTPS

https://goharbor.io/docs/2.9.0/install-config/configure-https/

When Harbor is used over HTTPS, a TLS certificate is required. This article gives the complete set of certificate generation commands in one place.

Domain used in this article: harbor.global-fairy.top, port 9443

Note: the only place that uses the domain:port form is the Docker certificate directory path. Everywhere else, whether in harbor.yml or in the domain given when generating the certificates, use the bare domain name with no port!

# 1. Generate the root (CA) certificate
mkdir -p /opt/software/certworkspace
cd /opt/software/certworkspace
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 36500 \
 -subj "/C=CN/ST=SD/L=QD/O=DDD/OU=MU/CN=harbor.global-fairy.top" \
 -key ca.key \
 -out ca.crt

# 2. Generate the server certificate
# generate the key
openssl genrsa -out harbor.global-fairy.top.key 4096
# generate the CSR
openssl req -sha512 -new \
    -subj "/C=CN/ST=SD/L=QD/O=DDD/OU=MU/CN=harbor.global-fairy.top" \
    -key harbor.global-fairy.top.key \
    -out harbor.global-fairy.top.csr

# 3. x509 v3 extension file (the subjectAltName entries are what clients actually check)
# DNS.3=hostname is a placeholder kept from the Harbor docs; replace it with the host's short name or drop it
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.global-fairy.top
DNS.2=*.global-fairy.top
DNS.3=hostname
EOF
# 4. Generate the Harbor server certificate
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.global-fairy.top.csr \
    -out harbor.global-fairy.top.crt
# 5. Copy the generated files to Harbor (the path that the https certificate/private_key settings in harbor.yml point to)
mkdir -p /opt/data/docker/certs
cp harbor.global-fairy.top.crt /opt/data/docker/certs/
cp harbor.global-fairy.top.key /opt/data/docker/certs/

# 6. Copy the generated files to Docker
# convert the server .crt to .cert: Docker reads .crt files in certs.d as CA certificates and .cert files as client certificates
openssl x509 -inform PEM -in harbor.global-fairy.top.crt -out harbor.global-fairy.top.cert
# copy the client certificate and the root certificate into the Docker certificate folder.
# Note: if a port is explicitly set, it must be appended to the domain here. harbor.yml in this article sets port 9443, so the port is added, but only in this path; nowhere else in the configuration.
mkdir -p /etc/docker/certs.d/harbor.global-fairy.top:9443
cp harbor.global-fairy.top.cert /etc/docker/certs.d/harbor.global-fairy.top:9443
cp harbor.global-fairy.top.key /etc/docker/certs.d/harbor.global-fairy.top:9443
# ca.crt is the file that lets the Docker client trust the registry's server certificate
cp ca.crt /etc/docker/certs.d/harbor.global-fairy.top:9443


# Configuration
cd /opt/software/harbor
./prepare
# stop and remove the running compose stack
docker-compose down -v
docker-compose up -d

# log in, with the port number
docker login harbor.global-fairy.top:9443
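As an added example (not from the original post or the Harbor docs), the function below checks the files produced by the commands above before the docker login step: that the server certificate chains to ca.crt, that the hostname is present as a DNS SAN, that the v3.ext extensions were applied to the signed leaf, and that the Docker certs.d path carries the port. check_harbor_cert is a hypothetical helper name; it assumes openssl is on PATH and is run from the certificate workspace directory.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: sanity-check a server
# certificate before handing it to Harbor and Docker.
# Args: hostname, port, server cert, CA cert, [certs.d base dir]
check_harbor_cert() {
  local host="$1" port="$2" crt="$3" ca="$4" certsd="${5:-/etc/docker/certs.d}"
  local text dir rc=0
  # 1. The leaf must chain to the CA file that Docker is told to trust.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $ca"; rc=1
  fi
  text=$(openssl x509 -in "$crt" -noout -text)
  # 2. Clients match the SAN list, not the CN: the hostname must be a DNS entry
  #    (this catches a DNS.3=hostname placeholder that was never replaced).
  if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
       | grep -Eq "DNS:${host}(,|\$)"; then
    echo "FAIL: no DNS SAN for $host"; rc=1
  fi
  # 3. The v3.ext settings must actually be present in the signed leaf.
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: extendedKeyUsage lacks serverAuth"; rc=1; }
  printf '%s\n' "$text" | grep -q 'CA:FALSE' \
    || { echo "FAIL: leaf certificate is not CA:FALSE"; rc=1; }
  # 4. Docker looks in <certs.d>/<host>[:<port>]/ca.crt; the port appears
  #    only in this path, never in harbor.yml or in the certificate itself.
  dir="$certsd/$host"
  if [ "$port" != 443 ]; then dir="$dir:$port"; fi
  if [ ! -s "$dir/ca.crt" ]; then
    echo "FAIL: $dir/ca.crt missing, docker login will not trust the registry"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $crt is usable for $host:$port"
  return "$rc"
}

# Usage with this article's values, run from the certificate workspace directory.
if [ -f harbor.global-fairy.top.crt ]; then
  check_harbor_cert harbor.global-fairy.top 9443 harbor.global-fairy.top.crt ca.crt
fi
```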

Reference (the original Harbor documentation):

By default, Harbor does not ship with certificates. It is possible to deploy Harbor without security, so that you can connect to it over HTTP. However, using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks. In production environments, always use HTTPS.

To configure HTTPS, you must create SSL certificates. You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. This section describes how to use OpenSSL to create a CA, and how to use your CA to sign a server certificate and a client certificate. You can use other CA providers, for example Let's Encrypt.

The procedures below assume that your Harbor registry's hostname is yourdomain.com, and that its DNS record points to the host on which you are running Harbor.

Generate a Certificate Authority Certificate

In a production environment, you should obtain a certificate from a CA. In a test or development environment, you can generate your own CA. To generate a CA certificate, run the following commands.

  1. Generate a CA certificate private key.

    openssl genrsa -out ca.key 4096
  2. Generate the CA certificate.

    Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (CN) attribute.

    openssl req -x509 -new -nodes -sha512 -days 3650 \
     -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
     -key ca.key \
     -out ca.crt

Generate a Server Certificate

The certificate usually contains a .crt file and a .key file, for example, yourdomain.com.crt and yourdomain.com.key.

  1. Generate a private key.

    openssl genrsa -out yourdomain.com.key 4096
  2. Generate a certificate signing request (CSR).

    Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (CN) attribute and use it in the key and CSR filenames.

    openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
        -key yourdomain.com.key \
        -out yourdomain.com.csr
  3. Generate an x509 v3 extension file.

    Regardless of whether you use an FQDN or an IP address to connect to your Harbor host, you must create this file so that you can generate a certificate for your Harbor host that complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the DNS entries to reflect your domain.

    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1=yourdomain.com
    DNS.2=yourdomain
    DNS.3=hostname
    EOF
  4. Use the v3.ext file to generate a certificate for your Harbor host.

    Replace the yourdomain.com in the CSR and CRT file names with the Harbor host name.

    openssl x509 -req -sha512 -days 3650 \
        -extfile v3.ext \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in yourdomain.com.csr \
        -out yourdomain.com.crt

Provide the Certificates to Harbor and Docker

After generating the ca.crt, yourdomain.com.crt, and yourdomain.com.key files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them.

  1. Copy the server certificate and key into the certificates folder on your Harbor host.

    cp yourdomain.com.crt /data/cert/
    cp yourdomain.com.key /data/cert/
  2. Convert yourdomain.com.crt to yourdomain.com.cert, for use by Docker.

    The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.

    openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
  3. Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.

    cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
    cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
    cp ca.crt /etc/docker/certs.d/yourdomain.com/

    If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port.

  4. Restart Docker Engine.

    systemctl restart docker

You might also need to trust the certificate at the OS level. See Troubleshooting Harbor Installation for more information.

The following example illustrates a configuration that uses custom certificates.

/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate

Deploy or Reconfigure Harbor

If you have not yet deployed Harbor, see Configure the Harbor YML File for information about how to configure Harbor to use the certificates by specifying the hostname and https attributes in harbor.yml.

If you already deployed Harbor with HTTP and want to reconfigure it to use HTTPS, perform the following steps.

  1. Run the prepare script to enable HTTPS.

    Harbor uses an nginx instance as a reverse proxy for all services. You use the prepare script to configure nginx to use HTTPS. The prepare script is in the Harbor installer bundle, at the same level as the install.sh script.

    ./prepare
  2. If Harbor is running, stop and remove the existing instance.

    Your image data remains in the file system, so no data is lost.

    docker-compose down -v
  3. Restart Harbor:

    docker-compose up -d

Verify the HTTPS Connection

After setting up HTTPS for Harbor, you can verify the HTTPS connection by performing the following steps.

  • Open a browser and enter https://yourdomain.com. It should display the Harbor interface.

    Some browsers might show a warning stating that the Certificate Authority (CA) is unknown. This happens when using a self-signed CA that is not from a trusted third-party CA. You can import the CA to the browser to remove the warning.

  • On a machine that runs the Docker daemon, check the /etc/docker/daemon.json file to make sure that the -insecure-registry option is not set for https://yourdomain.com.

  • Log into Harbor from the Docker client.

    docker login yourdomain.com

    If you have mapped the nginx 443 port to a different port, add the port to the login command.

    docker login yourdomain.com:port

What to Do Next
