Harbor docker login x509 certificate signed by unknown authority

文章目录

  • Harbor docker login x509 certificate signed by unknown authority
    • 前言
    • 生成的证书
    • 方法一
    • 方法二
    • 方法三
    • 参考文档

Harbor docker login x509 certificate signed by unknown authority

前言

在CentOS7上用Harbor搭建好私有Docker registry并配置好HTTPS访问后,用docker login时出错:

Error response from daemon: Get https://192.168.37.170/v1/users/: x509: certificate signed by unknown authority

解决这个问题的简单方式就是仍然用insecure-registries方式,参见搭建Harbor镜像仓库 HTTP Insecure Registry的“配置Insecure Registry”部分。

或者让Docker信任我们自己生成的CA证书,类似在浏览器中导入并信任CA根证书。

生成的证书

文件名 说明
ca.crt CA证书公钥
ca.key CA证书密钥
harbor.crt Harbor SSL证书公钥
harbor.key Harbor SSL证书密钥

方法一

# 192.168.37.170为Habor hostname
mkdir -p /etc/docker/certs.d/192.168.37.170
cp ca.crt /etc/docker/certs.d/192.168.37.170

systemctl restart docker

如果Docker daemon的方法不行,则参考下面的方法在操作系统级别导入并信任我们生成的CA证书。

方法二

cp ca.crt /etc/pki/ca-trust/source/anchors

update-ca-trust extract

systemctl restart docker

注意:是ca.crt,不是harbor.crt

方法三

cp ca.crt /etc/pki/tls/certs/ca.crt

# backup ca-bundle.crt
cp -p ca-bundle.crt ca-bundle.crt.bak

cat ca.crt >> /etc/pki/tls/certs/ca-bundle.crt

systemctl restart docker

注意:是ca.crt,不是harbor.crt

参考文档

  • https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
  • https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
  • https://github.com/moby/moby/issues/8849
  • https://blog.csdn.net/hjmhz/article/details/81912315

你可能感兴趣的:(Docker,Harbor)