Technotes for future me


Renew certificates

Provide the Certificates to Harbor and Docker

  1. Copy the server certificate and key into the certificates folder on your Harbor host.

    cp /data/cert/
    cp /data/cert/
  2. Convert the .crt server certificate to a .cert file, for use by Docker.

    The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates. A server certificate left as a .crt in the Docker certificates folder would therefore be loaded as a trusted CA for that registry, not as the client certificate.

    openssl x509 -inform PEM -in -out
  3. Copy the converted server certificate, the key and the CA file into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.

    cp /etc/docker/certs.d/
    cp /etc/docker/certs.d/
    cp ca.crt /etc/docker/certs.d/

    If you mapped the default nginx port 443 to a different port, name the folder after the host and port instead, since Docker looks up certificates by the exact host:port it connects to: /etc/docker/certs.d/, or /etc/docker/certs.d/harbor_IP:port.

  4. Restart Docker Engine.

    systemctl restart docker

The following example illustrates a configuration that uses custom certificates.

       ├──  <-- Server certificate signed by CA
       ├──   <-- Server private key (not signed by anything; keep it readable by root only)
       └── ca.crt               <-- Certificate authority that signed the registry certificate

Deploy or Reconfigure Harbor

  1. Run the prepare script to enable HTTPS.

    Harbor uses an nginx instance as a reverse proxy for all services. You use the prepare script to configure nginx to use HTTPS. The prepare script is in the Harbor installer bundle, at the same level as the install script.

    ./prepare --with-notary --with-trivy --with-chartmuseum
  2. If Harbor is running, stop and remove the existing instance.
    Your image data remains in the file system, so no data is lost: Harbor keeps it in directories bind-mounted from the host (under /data by default), and the -v flag of docker-compose down only removes named volumes. If you have changed the volume definitions in the compose file, check them before relying on this.

    docker-compose down -v
  3. Restart Harbor:

    docker-compose up -d

Verify the HTTPS Connection

After setting up HTTPS for Harbor, you can verify the HTTPS connection by performing the following steps.

  • Open a browser and enter the Harbor address over HTTPS. It should display the Harbor interface.

    Some browsers might show a warning stating that the Certificate Authority (CA) is unknown. This happens when the certificate was issued by a self-signed CA rather than a trusted third-party CA. Import the CA certificate (ca.crt) into the browser's trust store to remove the warning rather than clicking through it.

  • On a machine that runs the Docker daemon, check the /etc/docker/daemon.json file to make sure that the Harbor address is not listed under insecure-registries (the daemon's --insecure-registry option). If it is, Docker accepts an untrusted certificate or falls back to plain HTTP for that host, so the HTTPS setup is never actually verified.

  • Log into Harbor from the Docker client.

docker login

If you mapped the nginx 443 port to a different port, add the port to the login command. The host:port you log in with must match the name of the /etc/docker/certs.d/ folder, because Docker looks up certificates by that exact name.

docker login
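The installation steps and the verification steps above, as one added shell example (not code from this page or from the Harbor project): it generates a constructed CA and a CA-signed server certificate, converts and copies them into the certs.d layout described in steps 2 and 3, then runs the checks from this section (certs.d layout, chain validation against ca.crt, and a scan of daemon.json for insecure-registries). The registry name registry.example.test, the DOCKER_ROOT override, the file name harbor-certs.sh and all function names are assumptions for the demo; it needs the openssl command.

```shell
#!/bin/sh
# Added example, not from this page or the Harbor project. Assumptions: the
# openssl CLI is installed, the registry host name registry.example.test is
# hypothetical, and DOCKER_ROOT may be pointed at a scratch directory for
# testing (the real daemon reads /etc/docker/certs.d).
set -eu

DOCKER_ROOT="${DOCKER_ROOT:-/etc/docker}"

count_files() {   # glob... -> number of existing regular files that matched
    n=0
    for f in "$@"; do if [ -f "$f" ]; then n=$((n + 1)); fi; done
    echo "$n"
}

# Steps 2 and 3: Docker reads *.crt under certs.d as CA certificates and
# *.cert/*.key pairs as client certificates, so the server certificate is
# written out as <name>.cert and the key is copied next to it under the same name.
install_registry_certs() {   # host[:port] server.crt server.key ca.crt
    host="$1"; crt="$2"; key="$3"; ca="$4"
    dir="$DOCKER_ROOT/certs.d/$host"
    base=$(basename "$crt" .crt)
    mkdir -p "$dir" &&
    openssl x509 -inform PEM -in "$crt" -out "$dir/$base.cert" &&
    cp "$key" "$dir/$base.key" && chmod 600 "$dir/$base.key" &&
    cp "$ca" "$dir/ca.crt"
}

# Layout check of one certs.d/<host> folder: exactly one .cert/.key pair, a
# ca.crt, and no other .crt file (a stray .crt would be trusted as a CA).
check_certs_dir() {   # dir -> 0 if the layout is the one Docker expects
    dir="$1"
    [ -f "$dir/ca.crt" ] || { echo "$dir: missing ca.crt"; return 1; }
    [ "$(count_files "$dir"/*.cert)" -eq 1 ] || { echo "$dir: need exactly one .cert"; return 1; }
    [ "$(count_files "$dir"/*.key)" -eq 1 ] || { echo "$dir: need exactly one .key"; return 1; }
    for f in "$dir"/*.crt; do
        [ "$f" = "$dir/ca.crt" ] || { echo "$dir: $f would be loaded as a CA, not a client cert"; return 1; }
    done
    return 0
}

verify_server_cert() {   # ca.crt server.cert -> 0 if the CA in ca.crt signed the server cert
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Verification step: the host must not be in daemon.json's insecure-registries,
# otherwise Docker accepts an untrusted certificate or falls back to HTTP.
registry_not_insecure() {   # daemon.json host[:port] -> 0 if the host is NOT listed
    json="$1"; host="$2"
    [ -f "$json" ] || return 0
    if tr -d '\n' < "$json" | grep -q "\"insecure-registries\"[^]]*\"$host\""; then
        echo "$host is listed under insecure-registries in $json"; return 1
    fi
    return 0
}

make_demo_pki() {   # outdir host : constructed self-signed CA and CA-signed server cert
    out="$1"; host="$2"
    mkdir -p "$out" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Harbor CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$out/$host.key" -out "$out/$host.csr" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$out/$host.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -out "$out/$host.crt" 2>/dev/null
}

run_demo() {   # scratch root -> 0 when install, layout, chain and daemon.json checks all pass
    root="$1"; reg="registry.example.test"
    DOCKER_ROOT="$root/etc/docker"
    mkdir -p "$root"
    # constructed daemon.json: some other registry is insecure, ours is not
    printf '{ "insecure-registries": ["10.0.0.9:5000"] }\n' > "$root/daemon.json"
    make_demo_pki "$root/pki" "$reg" &&
    install_registry_certs "$reg" "$root/pki/$reg.crt" "$root/pki/$reg.key" "$root/pki/ca.crt" &&
    check_certs_dir "$DOCKER_ROOT/certs.d/$reg" &&
    verify_server_cert "$DOCKER_ROOT/certs.d/$reg/ca.crt" "$DOCKER_ROOT/certs.d/$reg/$reg.cert" &&
    registry_not_insecure "$root/daemon.json" "$reg"
}

case "${1:-}" in
    demo) root=$(mktemp -d)
          if run_demo "$root"; then echo "all checks passed under $root"; else echo "FAILED" >&2; exit 1; fi ;;
esac
```

Run it as sh harbor-certs.sh demo to exercise the whole flow in a temporary directory. For a real host, leave DOCKER_ROOT at its default and call install_registry_certs with the host:port you will use in docker login and your real .crt, .key and ca.crt; then run check_certs_dir and registry_not_insecure against /etc/docker/certs.d/<host> and /etc/docker/daemon.json. Copying the server's private key into certs.d follows the page's steps; Docker only uses that .key if the registry asks for a client certificate, which is why the script restricts its mode to 600.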


Last updated on 18 Mar 2021
Published on 6 Mar 2021