In the earlier articles the registry was used over plain HTTP. From a security standpoint, a container registry in production is normally served over HTTPS, and Harbor integrates the creation and configuration of the required certificates fairly simply. This article walks through setting up Harbor to use HTTPS.
Step 1: Create the CA
[root@liumiao ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
...........................................................++
......................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:LiaoNing
Locality Name (eg, city) [Default City]:DaLian
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Reg
Common Name (eg, your name or your server's hostname) []:192.168.163.128
Email Address []:liumiaocn@outlook.com
[root@liumiao ~]#
Step 2: Create the certificate signing request (CSR)
[root@liumiao ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.163.128.key -out 192.168.163.128.csr
Generating a 4096 bit RSA private key
...........................++
.............................++
writing new private key to '192.168.163.128.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:LiaoNing
Locality Name (eg, city) [Default City]:DaLian
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Reg
Common Name (eg, your name or your server's hostname) []:192.168.163.128
Email Address []:liumiaocn@outlook.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:liumiaopw
An optional company name []:devops
[root@liumiao ~]#
Step 3: Create the certificate
[root@liumiao ~]# echo subjectAltName = IP:192.168.163.128 > extfile.cnf
[root@liumiao ~]# openssl x509 -req -days 365 -in 192.168.163.128.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.163.128.crt
Signature ok
subject=/C=CN/ST=LiaoNing/L=DaLian/O=DevOps/OU=Reg/CN=192.168.163.128/emailAddress=liumiaocn@outlook.com
Getting CA Private Key
[root@liumiao ~]#
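The three steps above, as an added example that is not code from the original post: the same openssl commands run non-interactively (the DN is passed with -subj instead of being typed at the prompts), the subjectAltName is derived from the registry host, and the result is checked against the CA before it is copied anywhere. It assumes openssl is installed; the host, output directory and the "Harbor Lab CA" name are caller-supplied values chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post: Steps 1-3 without the
# interactive prompts, plus the chain check a practitioner wants before
# wiring the files into harbor.cfg. Assumes openssl is installed; the
# host and output directory are caller-supplied (constructed in the test).
set -eu

# Map a registry host to the subjectAltName form Docker will match against:
# dotted digits -> IP:, anything else -> DNS:. (CN alone is not enough.)
san_for_host() {
  case "$1" in
    *[!0-9.]*) printf 'DNS:%s\n' "$1" ;;
    *)         printf 'IP:%s\n'  "$1" ;;
  esac
}

# Create ca.key/ca.crt, $host.key/$host.csr and the CA-signed $host.crt in $outdir.
make_registry_certs() {
  host="$1"; outdir="$2"
  mkdir -p "$outdir"
  dn="/C=CN/ST=LiaoNing/L=DaLian/O=DevOps/OU=Reg"
  # Step 1: self-signed CA. Its CN is chosen to differ from the server CN
  # so the CA and server certificates stay distinguishable later on.
  openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
    -subj "$dn/CN=Harbor Lab CA" -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null
  # Step 2: server key and CSR for the registry host.
  openssl req -newkey rsa:4096 -nodes -sha256 \
    -subj "$dn/CN=$host" -keyout "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null
  # Step 3: sign the CSR with the CA, adding the SAN through an extension file.
  printf 'subjectAltName = %s\n' "$(san_for_host "$host")" > "$outdir/extfile.cnf"
  openssl x509 -req -days 365 -sha256 -in "$outdir/$host.csr" \
    -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
    -extfile "$outdir/extfile.cnf" -out "$outdir/$host.crt" 2>/dev/null
}

# Returns 0 only if $host.crt chains to ca.crt AND carries the expected SAN;
# this is what dockerd checks at "docker login", and what "curl -k" skips.
verify_registry_cert() {
  host="$1"; outdir="$2"
  openssl verify -CAfile "$outdir/ca.crt" "$outdir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$outdir/$host.crt" -noout -text \
    | grep -qE "IP Address:$host|DNS:$host"
}
```

Run it as `make_registry_certs 192.168.163.128 /root/cert && verify_registry_cert 192.168.163.128 /root/cert` to produce the files that the harbor.cfg settings in Step 4 point at.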
Step 4: Install the certificate and modify harbor.cfg
Copy the certificate and key to /root/cert; the same paths are then set in harbor.cfg (the file names copied must match the ssl_cert and ssl_cert_key values configured there).
[root@liumiao ~]# ls
ca.crt ca.key ca.srl harbor.com.crt harbor.com.csr harbor.com.key
[root@liumiao ~]#
[root@liumiao ~]# mkdir -p /root/cert/
[root@liumiao ~]# cp harbor.com.crt /root/cert
[root@liumiao ~]# cp harbor.com.key /root/cert
[root@liumiao ~]# ls /root/cert
harbor.com.crt harbor.com.key
[root@liumiao ~]#
Modify the following settings in harbor.cfg:

| Setting | Value |
|---|---|
| hostname | 192.168.163.128:8848 |
| ui_url_protocol | https |
| ssl_cert | /root/cert/192.168.163.128.crt |
| ssl_cert_key | /root/cert/192.168.163.128.key |
Step 5: Remove the insecure-registry setting
Remove the following option from the dockerd start-up parameters in Docker's systemd unit file:
--insecure-registry 192.168.163.128
Step 6: Modify docker-compose.yml
Edit docker-compose.yml so that the HTTPS host port is changed from 443 to 8848 (container port 443 is published on host port 8848):

proxy:
  image: vmware/nginx-photon:v1.5.2
  container_name: nginx
  restart: always
  volumes:
    - ./common/config/nginx:/etc/nginx:z
  networks:
    - harbor
  ports:
    - 80:80
    - 8848:443
    - 4443:4443
  depends_on:
    - mysql
    - registry
    - ui
    - log
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://127.0.0.1:1514"
      tag: "proxy"
Step 7: Restart Harbor
Stop the currently running Harbor services:
[root@liumiao harbor]# docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-ui ... done
Stopping harbor-adminserver ... done
Stopping registry ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing registry ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
[root@liumiao harbor]#
Apply the Docker settings
Because the insecure-registry setting was removed from the unit file, systemd must reload it and restart Docker for the change to take effect:
[root@liumiao harbor]# systemctl daemon-reload
[root@liumiao harbor]# systemctl restart docker
[root@liumiao harbor]#
Run prepare
[root@liumiao harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@liumiao harbor]#
Start Harbor
[root@liumiao harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ...
Creating harbor-log ... done
Creating redis ...
Creating registry ...
Creating harbor-db ...
Creating harbor-adminserver ...
Creating harbor-db
Creating redis
Creating registry
Creating registry ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating nginx ...
Creating harbor-jobservice ...
Creating nginx
Creating nginx ... done
[root@liumiao harbor]#
Verify the result
Verify with docker login:
[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password:
Login Succeeded
[root@liumiao ~]#
Alternatively, pass the username and password directly with -u and -p when logging in:
[root@liumiao ~]# docker logout
Not logged in to https://index.docker.io/v1/
[root@liumiao ~]# docker login -u admin -p liumiaopw 192.168.163.128:8848
Login Succeeded
[root@liumiao ~]#
Verify HTTPS access
[root@liumiao ~]# curl -k -v https://192.168.163.128:8848
* About to connect() to 192.168.163.128 port 8848 (#0)
* Trying 192.168.163.128...
* Connected to 192.168.163.128 (192.168.163.128) port 8848 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: E=liumiaocn@outlook.com,CN=192.168.163.128,OU=Reg,O=DevOps,L=DaLian,ST=LiaoNing,C=CN
* start date: Aug 19 01:24:44 2018 GMT
* expire date: Aug 19 01:24:44 2019 GMT
* common name: 192.168.163.128
* issuer: E=liumiaocn@outlook.com,CN=192.168.163.128,OU=Reg,O=DevOps,L=DaLian,ST=LiaoNing,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.163.128:8848
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sun, 19 Aug 2018 02:06:02 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 810
< Connection: keep-alive
< Set-Cookie: beegosessionID=34cb9b83a97fe53425657460a1d88a38; Path=/; secure; HttpOnly
<
<!doctype html>
<html>
... (omitted)
</html>
* Connection #0 to host 192.168.163.128 left intact
[root@liumiao ~]#
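Note that `curl -k` deliberately skips peer certificate verification, so a 200 response from it only proves that TLS is being served, not that the chain is trusted. As an added example (not from the original post), the following check validates the presented chain against the private CA created in Step 1, which is the same verification dockerd performs at `docker login`; it assumes openssl is installed and that host, port and CA file are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. Validates the registry's TLS
# chain against our private CA instead of skipping verification as "curl -k"
# does. Assumes openssl is installed; host, port and CA file are caller-supplied.
check_registry_tls() {
  host="$1"; port="$2"; cafile="$3"
  # -verify_return_error turns a failed chain verification into a non-zero
  # exit; </dev/null ends the session right after the handshake.
  if ! out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" \
               -verify_return_error </dev/null 2>&1); then
    printf 'TLS verification FAILED for %s:%s\n' "$host" "$port" >&2
    printf '%s\n' "$out" | grep -E 'verify error|Verify return code|refused|errno' >&2
    return 1
  fi
  # Show what was actually presented, so a CN-only certificate or a
  # host/SAN mismatch is visible at a glance.
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates
  printf '%s\n' "$out" | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
}
```

For the setup in this article the call is `check_registry_tls 192.168.163.128 8848 ca.crt`; a non-zero exit here is the same condition that produces the "signed by unknown authority" error discussed below.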
Confirm in the web UI
Common errors
As long as hostname and docker-compose.yml are configured correctly and prepare has not been forgotten, the HTTPS setup itself rarely fails. The most likely place for errors is docker login, usually because the CA and certificate trust steps for the OS and for Docker have not been carried out.
signed by unknown authority
A public CA is a commercial organisation whose root is already trusted; a CA we signed ourselves is obviously not trusted by anyone else, so our own CA must be added to the OS trust list, otherwise an error such as the following appears:
[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password:
Error response from daemon: Get https://192.168.163.128:8848/v1/users/: x509: certificate signed by unknown authority
[root@liumiao ~]#
Solution
Add the certificate to the OS trust list:
[root@liumiao ~]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]# cat 192.168.163.128.crt >>/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]#
Then restart Docker; this usually resolves the problem.
parent certificate cannot sign this kind of certificate
[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password:
Error response from daemon: Get https://192.168.163.128:8848/v1/users/: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "192.168.163.128")
[root@liumiao ~]#
Solution
Add the CA certificate to Docker's trust directory for the registry and restart Docker:
[root@liumiao ~]# ls
192.168.163.128.crt 192.168.163.128.csr 192.168.163.128.key ca.crt ca.key ca.srl cert extfile.cnf
[root@liumiao ~]# mkdir -p /etc/docker/certs.d/192.168.163.128:8848/
[root@liumiao ~]# cp ca.crt /etc/docker/certs.d/192.168.163.128:8848/
[root@liumiao ~]# systemctl restart docker
[root@liumiao ~]#
References
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md