Provide the Certificates to Harbor and Docker
Copy the server certificate and key into the certificates folder on your Harbor host.
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/
Convert yourdomain.com.crt to yourdomain.com.cert, for use by Docker.
The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
If you mapped the default nginx port 443 to a different port, create the folder
Restart Docker Engine.
systemctl restart docker
The following example illustrates a configuration that uses custom certificates.
/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
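A pre-flight check for the folder layout shown above, as an added example that is not part of the Harbor documentation: it confirms that the three files exist, that the key belongs to the server certificate, and that the certificate verifies against ca.crt. The function names are hypothetical, the demo certificates are constructed, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight check of a Docker certs.d registry folder.
# Function names are hypothetical; the openssl CLI is assumed to be installed.

# True when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True when openssl verifies the certificate ($2) with the CA file ($1) as a
# trust anchor. Note: openssl may also consult the system trust store.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check the layout above: <host>.cert, <host>.key and ca.crt inside $1.
# Prints each problem and returns the number of problems (0 = OK).
check_certs_dir() {
    dir=$1 host=$2 problems=0
    for f in "$host.cert" "$host.key" ca.crt; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ] || return "$problems"
    key_matches_cert "$dir/$host.cert" "$dir/$host.key" ||
        { echo "$host.key does not match $host.cert"; problems=$((problems + 1)); }
    signed_by_ca "$dir/ca.crt" "$dir/$host.cert" ||
        { echo "$host.cert does not verify against ca.crt"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed demo data: a throwaway CA and server certificate in $1 for host $2.
make_demo_certs() {
    d=$1 h=$2
    mkdir -p "$d" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$h" \
        -keyout "$d/$h.key" -out "$d/$h.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$h.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/$h.cert" 2>/dev/null
}

# Demo run on the constructed data; on a real host pass the certs.d folder.
demo=$(mktemp -d)
make_demo_certs "$demo" yourdomain.com
check_certs_dir "$demo" yourdomain.com && echo "certs.d folder OK"
rm -rf "$demo"
```

On the Harbor host the call would be `check_certs_dir /etc/docker/certs.d/yourdomain.com yourdomain.com`, run before restarting Docker Engine.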
Deploy or Reconfigure Harbor
Run the prepare script to enable HTTPS.
Harbor uses an nginx instance as a reverse proxy for all services. You use the prepare script to configure nginx to use HTTPS. The prepare script is in the Harbor installer bundle, at the same level as the
./prepare --with-notary --with-trivy --with-chartmuseum
If Harbor is running, stop and remove the existing instance.
Your image data remains in the file system, so no data is lost.
docker-compose down -v
docker-compose up -d
Verify the HTTPS Connection
After setting up HTTPS for Harbor, you can verify the HTTPS connection by performing the following steps.
Open a browser and enter https://yourdomain.com. It should display the Harbor interface.
Some browsers might show a warning stating that the Certificate Authority (CA) is unknown. This happens when using a self-signed CA that is not from a trusted third-party CA. You can import the CA to the browser to remove the warning.
On a machine that runs the Docker daemon, check the /etc/docker/daemon.json file to make sure that the -insecure-registry option is not set for https://yourdomain.com.
Log into Harbor from the Docker client.
docker login yourdomain.com
If you’ve mapped nginx 443 port to a different port, add the port in the login command.
docker login yourdomain.com:port