While attempting to build a clone of a Harbor Registry Installation for testing an upgrade/migration, my new Debian 12 Docker installation was reporting Error response from daemon: Get "https://registry.local/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority which was stopping me from logging in and performing any push/pull of images.
The following steps worked for me, the issue will be the CA crt, but have included the other harbor lines...
CA & Harbor Certificates
https://goharbor.io/docs/2.0.0/install-config/configure-https/
- mkdir /opt/harbor/certs
- cd /opt/harbor/certs
- openssl genrsa -out ca.key 4096
- openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=London/L=London/O=myCompany/OU=Registry/CN=registry.local" -key ca.key -out ca.crt
- openssl genrsa -out registry.local.key 4096
- openssl req -sha512 -new -subj "/C=CN/ST=London/L=London/O=myCompany/OU=Registry/CN=registry.local" -key registry.local.key -out registry.local.csr
- cat > v3.ext
Related Articles
authorityKeyIdentifier=keyid,issuerbasicConstraints=CA:FALSEkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEnciphermentextendedKeyUsage = serverAuthsubjectAltName = @alt_names[alt_names]DNS.1=registry.localEOF
- openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in registry.local.csr -out registry.local.crt
- openssl x509 -inform PEM -in registry.local.crt -out registry.local.cert
- cd /etc/docker/certs.d/registry.local\:443/
- Remove any existing certificate / keys from the folder.
- cd /opt/harbor/certs
- cp registry.local.cert /etc/docker/certs.d/registry.local\:443/
- cp registry.local.key /etc/docker/certs.d/registry.local\:443/
- cp ca.crt /etc/docker/certs.d/registry.local\:443/
Update CA Certificates
https://stackoverflow.com/questions/50768317/docker-pull-certificate-signed-by-unknown-authority
- Save the cert to the file , like the command above (the port is crucial, no need for the protocol)Copy from above which will be in /etc/docker/certs.d/
: /ca.crt - copy it to /usr/local/share/ca-certificates/: sudo cp ca.crt /usr/local/share/ca-certificates/
- run update-ca-certificatessudo update-ca-certificates
Apply new certs:
- cd /opt/registry/harbor/
- ./prepare --with-trivy --with-clair
Update Docker Daemon to add an insecure registry (i.e. self signed).
- vi /etc/docker/daemon.json
{"insecure-registries" : ["registry.local:443"]}
Restart Docker
- systemctl restart docker
Check CERT Valid dates update in browser and check PEM matches...
- openssl s_client -showcerts -connect registry.local:443
- cat /opt/registry/certs/registry.local.cert
- Certificates should match.
Docker Login
- docker login registry.local
This post first appeared on Computers And Programming Experiences, please read the originial post: here
