Configuring Harbor with HTTPS Access

Because Harbor does not ship with any certificates, it uses HTTP by default to serve registry requests. However, it is highly recommended that security be enabled for any production environment. Harbor has an Nginx instance as a reverse proxy for all services, you can use the prepare script to configure Nginx to enable https.

In a test or development environment, you may choose to use a self-signed certificate instead of the one from a trusted third-party CA. The followings will show you how to create your own CA, and use your CA to sign a server certificate and a client certificate.

Getting Certificate Authority

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=yourdomain.com" \
  -key ca.key \
  -out ca.crt

Getting Server Certificate

Assuming that your registry’s hostname is yourdomain.com, and that its DNS record points to the host where you are running Harbor. In production environment, you first should get a certificate from a CA. In a test or development environment, you can use your own CA. The certificate usually contains a .crt file and a .key file, for example, yourdomain.com.crt and yourdomain.com.key.

1) Create your own Private Key:

openssl genrsa -out yourdomain.com.key 4096

2) Generate a Certificate Signing Request:

If you use FQDN like yourdomain.com to connect your registry host, then you must use yourdomain.com as CN (Common Name).

openssl req -sha512 -new \
  -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=yourdomain.com" \
  -key yourdomain.com.key \
  -out yourdomain.com.csr

3) Generate the certificate of your registry host:

Whether you’re using FQDN like yourdomain.com or IP to connect your registry host, run this command to generate the certificate of your registry host which comply with Subject Alternative Name (SAN) and x509 v3 extension requirement:

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names

[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in yourdomain.com.csr \
  -out yourdomain.com.crt

Configuration and Installation

1) Configure Server Certificate and Key for Harbor

After obtaining the yourdomain.com.crt and yourdomain.com.key files, you can put them into directory such as /root/cert/:

cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/

 

Leave a Reply

Your email address will not be published. Required fields are marked *