Harbor docker login x509 certificate signed by unknown authority

Harbor docker login x509 certificate signed by unknown authority

前言

在CentOS7上用Harbor搭建好私有Docker registry并配置好HTTPS访问后，用docker login时出错：

Error response from daemon: Get https://192.168.37.170/v1/users/: x509: certificate signed by unknown authority

解决这个问题的简单方式就是仍然用insecure-registries方式，参见搭建Harbor镜像仓库 HTTP Insecure Registry的“配置Insecure Registry”部分。

或者让Docker信任我们自己生成的CA证书，类似在浏览器中导入并信任CA根证书。

生成的证书

文件名	说明
ca.crt	CA证书公钥
ca.key	CA证书密钥
harbor.crt	Harbor SSL证书公钥
harbor.key	Harbor SSL证书密钥

方法一

# 192.168.37.170为Habor hostname
mkdir -p /etc/docker/certs.d/192.168.37.170
cp ca.crt /etc/docker/certs.d/192.168.37.170

systemctl restart docker

如果Docker daemon的方法不行，则参考下面的方法在操作系统级别导入并信任我们生成的CA证书。

方法二

cp ca.crt /etc/pki/ca-trust/source/anchors

update-ca-trust extract

systemctl restart docker

注意：是ca.crt，不是harbor.crt

方法三

cp ca.crt /etc/pki/tls/certs/ca.crt

# backup ca-bundle.crt
cp -p ca-bundle.crt ca-bundle.crt.bak

cat ca.crt >> /etc/pki/tls/certs/ca-bundle.crt

systemctl restart docker

注意：是ca.crt，不是harbor.crt

参考文档

• https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
• https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
• https://github.com/moby/moby/issues/8849
• https://blog.csdn.net/hjmhz/article/details/81912315