參考文檔:
https://goharbor.io/docs/2.5.0/install-config/configure-https/
自簽名CA機構:
root@ecs-67093:/apps# mkdir /apps/harbor/certs
root@ecs-67093:/apps/harbor/certs# cd /apps/harbor/certs
root@ecs-67093:/apps/harbor/certs# openssl genrsa -out ca.key 4096
root@ecs-67093:/apps/harbor/certs# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=magedu.com" \
> -key ca.key \
> -out ca.crt
客戶端域名證書申請:
root@ecs-67093:/apps/harbor# touch /root/.rnd  # Ubuntu系統用于保存證書信息,如果沒有,簽發csr時會告警,但是不影響使用
root@ecs-67093:/apps/harbor/certs# openssl genrsa -out magedu.net.key 4096  # 生成harbor的私鑰
root@ecs-67093:/apps/harbor/certs# openssl req -sha512 -new \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=magedu.net" \
> -key magedu.net.key \
> -out magedu.net.csr  # 使用harbor的私鑰生成csr
準備簽發環境:
root@ecs-67093:/apps/harbor/certs# cat > v3.ext <<-EOF  # 生成文本文件
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=magedu.com
> DNS.2=harbor.magedu.net
> DNS.3=harbor.magedu.local
> EOF
使用自簽名CA簽發證書:
root@ecs-67093:/apps/harbor/certs# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in magedu.net.csr \
> -out magedu.net.crt  # 生成公鑰
拷貝公鑰到客戶端:
mkdir /etc/docker/certs.d/harbor.magedu.net -p