备份证书
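# Back up the current certificate directory before replacing anything.
# -a keeps ownership, modes and timestamps, so private keys in the backup stay
# as restricted as the originals (plain -R re-owns the copies to the caller).
# NOTE: if ssl-bak already exists, cp nests the copy inside it as ssl-bak/ssl;
# move or remove a previous backup first.
cp -a /etc/ssl/registry/ssl /etc/ssl/registry/ssl-bak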
删除旧证书并进入证书目录
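# Remove the old certificate files (the backup above must have succeeded first).
rm -f -- /etc/ssl/registry/ssl/*
# Every later openssl/cp command uses relative paths, so stop here if the
# directory cannot be entered; otherwise keys would be written to the wrong place.
cd /etc/ssl/registry/ssl/ || exit 1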
生成harbor证书,有效期设置为10年
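# --- Private CA -------------------------------------------------------------
# 4096-bit key: this CA is valid for 10 years, so leave headroom over 2048 bits.
openssl genrsa -out ca.key 4096
# Self-signed CA certificate, valid 3650 days. -nodes leaves ca.key unencrypted
# on disk; once the server certificate is signed the CA key is no longer needed
# on this host, so consider moving it to offline storage.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/CN=registry-ca" \
  -key ca.key \
  -out ca.crt

# --- Server key and CSR -----------------------------------------------------
openssl genrsa -out xxx.xxx.com.key 4096
# Give the server certificate its own subject. Reusing the CA's CN makes the
# subject and issuer names identical, which can make TLS clients treat the
# certificate as self-signed.
openssl req -sha512 -new \
  -subj "/CN=xxx.xxx.com" \
  -key xxx.xxx.com.key \
  -out xxx.xxx.com.csr

# Private keys must be readable by their owner only.
chmod 600 ca.key xxx.xxx.com.key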
配置签名信息
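# Write the X.509 v3 extension file used when signing the server certificate.
# The heredoc needs one directive per line with EOF alone on the last line; the
# quoted delimiter keeps the shell from expanding anything inside it.
# basicConstraints=CA:FALSE and extendedKeyUsage=serverAuth restrict the
# certificate to TLS server use. Modern clients match the host against
# subjectAltName only, so every name or IP used to reach Harbor must be listed.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = dockerhub
DNS.2 = harbor
DNS.3 = xxx.xxx.com
IP.1 = 192.168.1.11
EOF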
生成证书
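# Sign the CSR with the local CA, applying the extensions from v3.ext.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in xxx.xxx.com.csr \
  -out xxx.xxx.com.crt

# Confirm the new certificate chains to the CA before deploying it.
openssl verify -CAfile ca.crt xxx.xxx.com.crt

# Docker's certs.d treats *.crt as CA certificates and *.cert as client
# certificates, so a copy with the .cert extension is produced for it.
openssl x509 -inform PEM -in xxx.xxx.com.crt -out xxx.xxx.com.cert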
复制并重命名harbor配置中引用的证书
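# Copies under the file names that the Harbor configuration refers to.
# -p preserves the mode, so the key copy stays as restricted as the original.
cp -p xxx.xxx.com.crt xxx.xxx.com.pem
cp -p xxx.xxx.com.key xxx.xxx.com-key.pem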
备份docker登录harbor的证书,清除旧证书,若文件夹不存在需创建
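# Back up and empty Docker's per-registry certificate directory, or create it
# when it does not exist yet (the backup would fail on a missing directory).
if [ -d /etc/docker/certs.d/xxx.xxx.com ]; then
  # -a keeps ownership and modes of the old key material in the backup.
  cp -a /etc/docker/certs.d/xxx.xxx.com /etc/docker/certs.d/xxx.xxx.com-bak
  rm -rf -- /etc/docker/certs.d/xxx.xxx.com/*
else
  mkdir -p /etc/docker/certs.d/xxx.xxx.com
fi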
复制harbor的证书到docker的证书目录
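# ca.crt is what lets the Docker daemon trust the registry's certificate.
cp ca.crt /etc/docker/certs.d/xxx.xxx.com
# The .cert/.key pair is read by Docker as a client certificate. Other Docker
# hosts that only pull from or push to Harbor need ca.crt alone; do not
# distribute the server's private key to them.
cp xxx.xxx.com.cert /etc/docker/certs.d/xxx.xxx.com
cp xxx.xxx.com.key /etc/docker/certs.d/xxx.xxx.com
chmod 600 /etc/docker/certs.d/xxx.xxx.com/xxx.xxx.com.key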
进入harbor配置目录
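# ./prepare and docker-compose below act on the current directory, so do not
# continue if the Harbor directory cannot be entered.
cd /opt/harbor/ || exit 1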
重新配置harbor
# Re-run Harbor's prepare script from /opt/harbor so the configuration is
# regenerated (presumably picking up the new certificate files — confirm the
# certificate paths in the Harbor configuration point at the files created above).
./prepare
重启harbor(若停止时报错,可先执行 systemctl stop docker 停止docker服务,然后再次执行down命令即可)
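# Stop and remove the Harbor containers. -v also removes the volumes declared
# in the compose file; check that registry data lives on host bind mounts (not
# named volumes) before running this, or drop -v.
docker-compose down -v
# Start Harbor again in the background with the regenerated configuration.
docker-compose up -d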


