Harbor
Renew certificates
Provide the Certificates to Harbor and Docker
Copy the server certificate and key into the certificates folder on your Harbor host.
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/
Convert yourdomain.com.crt to yourdomain.com.cert, for use by Docker.
The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port.
Restart Docker Engine.
systemctl restart docker
The following example illustrates a configuration that uses custom certificates.
/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
Deploy or Reconfigure Harbor
Run the prepare script to enable HTTPS.
Harbor uses an nginx instance as a reverse proxy for all services. You use the prepare script to configure nginx to use HTTPS. The prepare script is in the Harbor installer bundle, at the same level as the install.sh script.
./prepare --with-notary --with-trivy --with-chartmuseum
If Harbor is running, stop and remove the existing instance. Your image data remains in the file system, so no data is lost.
docker-compose down -v
Restart Harbor:
docker-compose up -d
Verify the HTTPS Connection
After setting up HTTPS for Harbor, you can verify the HTTPS connection by performing the following steps.
Open a browser and enter https://yourdomain.com. It should display the Harbor interface.
Some browsers might show a warning stating that the Certificate Authority (CA) is unknown. This happens when using a self-signed CA that is not from a trusted third-party CA. You can import the CA to the browser to remove the warning.
On a machine that runs the Docker daemon, check the /etc/docker/daemon.json file to make sure that the -insecure-registry option is not set for https://yourdomain.com.
Log into Harbor from the Docker client.
docker login yourdomain.com
If you’ve mapped the nginx port 443 to a different port, add the port in the login command.
docker login yourdomain.com:port
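The Docker-side checks above can be scripted after a renewal. The following is an added example, not part of the Harbor documentation: it audits a certs.d folder for the .cert/.key/ca.crt layout, flags a server certificate left as .crt (which Docker would read as a CA), and reads the insecure-registries key of daemon.json. The function names, the port 8443 and the sample files are constructed for illustration, and the comparison against daemon.json assumes the registry is listed by exact host or host:port.

```python
import json
import tempfile
from pathlib import Path


def audit_registry_tls(certs_root, registry, daemon_json):
    """Return findings for one registry name (host or host:port)."""
    findings = []
    cert_dir = Path(certs_root) / registry
    if not cert_dir.is_dir():
        findings.append(f"missing folder {cert_dir.name}")
    else:
        names = {p.name for p in cert_dir.iterdir() if p.is_file()}
        if "ca.crt" not in names:
            findings.append("missing ca.crt")
        certs = {n[:-5] for n in names if n.endswith(".cert")}
        keys = {n[:-4] for n in names if n.endswith(".key")}
        if not certs:
            findings.append("no .cert file")
        for stem in sorted(certs ^ keys):
            findings.append(f"{stem}: .cert and .key are not paired")
        # A .crt next to its key is likely the unconverted server certificate.
        for stem in sorted(keys):
            if f"{stem}.crt" in names:
                findings.append(f"{stem}.crt would be read as a CA certificate")
    if Path(daemon_json).is_file():
        cfg = json.loads(Path(daemon_json).read_text())
        for entry in cfg.get("insecure-registries", []):
            # Tolerate a scheme prefix or trailing slash in the entry.
            if entry.split("://")[-1].rstrip("/") == registry:
                findings.append(f"insecure-registries lists {entry}")
    return findings


def demo():
    """Audit two constructed layouts: one correct, one with both mistakes."""
    reg = "yourdomain.com:8443"  # constructed registry name
    cases = (("good", "yourdomain.com.cert", {}),
             ("bad", "yourdomain.com.crt", {"insecure-registries": [reg]}))
    with tempfile.TemporaryDirectory() as tmp:
        results = {}
        for case, cert, cfg in cases:
            folder = Path(tmp) / case / reg
            folder.mkdir(parents=True)
            for name in (cert, "yourdomain.com.key", "ca.crt"):
                (folder / name).write_text("constructed placeholder\n")
            daemon = Path(tmp) / f"{case}.json"
            daemon.write_text(json.dumps(cfg))
            results[case] = audit_registry_tls(Path(tmp) / case, reg, daemon)
        return results
```

On a Docker host, call audit_registry_tls("/etc/docker/certs.d", "yourdomain.com", "/etc/docker/daemon.json"); an empty list means none of these checks found a problem.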
source: https://goharbor.io/docs/2.1.0/install-config/configure-https/