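Cannot pull images after giving Harbor a self-signed certificate

After Harbor was configured with a self-signed HTTPS certificate, docker pull reports that the x509 certificate is not trusted, with the following error: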
```
[root@k8s-03 ~]
Error response from daemon: Get https://harbor.nnv5.cn/v2/: x509: certificate signed by unknown authority
```
But I had clearly imported the self-signed CA into curl's certificate file, /etc/pki/tls/certs/ca-bundle.crt, and access with curl works normally.
```
[root@localhost ~]
* About to connect() to harbor.nnv5.cn port 443 (
*   Trying 172.23.2.83...
* Connected to harbor.nnv5.cn (172.23.2.83) port 443 (
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=*.nnv5.cn
* start date : 3月 02 06:44:00 2021 GMT
* expire date : 7月 18 06:44:00 2048 GMT
* common name: *.nnv5.cn
* issuer: CN=MyCompany CA
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: harbor.nnv5.cn
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 03 Mar 2021 11:04:24 GMT
< Content-Type: text/html
< Content-Length: 856
< Connection: keep-alive
< Last-Modified: Wed, 16 Sep 2020 02:45:15 GMT
< ETag: "5f617c3b-358"
< Cache-Control: no-store, no-cache, must-revalidate
< Accept-Ranges: bytes
```
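The reason is that Docker keeps its own set of trusted CAs, separate from the bundle curl uses. They are stored at
/etc/docker/certs.d/${private registry domain}:${private registry port}/ca.crt

My Harbor is served at https://harbor.nnv5.cn. If the directory does not exist, we create it manually.
Copy the private ca.crt into this directory and run docker pull again; the pull then succeeds.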
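The directory layout described above can be scripted. The following is an added example, not part of the original post: the function names and the CERTS_ROOT override are hypothetical, and it assumes image references omit the port when the registry listens on 443, so the directory is then named by host alone.

```bash
# Added example: install a private CA for one registry under Docker's certs.d.
# CERTS_ROOT is an override invented for this example so it can be tried
# in a scratch directory without root; the real location is the default.
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# Print the directory Docker consults for a registry. The name must match the
# registry part of the image reference: "host" when the port is left out
# (assumed here for 443), "host:port" otherwise.
registry_dir() {
    local host="$1" port="${2:-443}"
    # Reject empty values and anything that could escape CERTS_ROOT.
    case "$host" in *[!A-Za-z0-9.-]*|"") return 1 ;; esac
    case "$port" in *[!0-9]*|"") return 1 ;; esac
    if [ "$port" = 443 ]; then
        printf '%s/%s\n' "$CERTS_ROOT" "$host"
    else
        printf '%s/%s:%s\n' "$CERTS_ROOT" "$host" "$port"
    fi
}

# install_registry_ca <ca.crt> <host> [port]
# Copies the CA to <dir>/ca.crt and prints the installed path.
install_registry_ca() {
    local ca="$1" dir
    dir=$(registry_dir "$2" "${3:-443}") || { echo "bad host or port" >&2; return 2; }
    # Only a PEM certificate belongs here, not a DER file or an arbitrary file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null ||
        { echo "$ca: not a PEM certificate" >&2; return 3; }
    # The directory is world-readable, so refuse bundles that carry a key.
    if grep -q -- 'PRIVATE KEY-----' "$ca"; then
        echo "$ca: contains a private key, refusing to install" >&2
        return 4
    fi
    mkdir -p "$dir" && install -m 0644 "$ca" "$dir/ca.crt" && printf '%s\n' "$dir/ca.crt"
}
```

For the registry in this post the call would be `install_registry_ca ca.crt harbor.nnv5.cn`, run as root.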
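Creating the Docker certificate directory as above only solves the certificate problem for Docker's own access to this domain. If you want every service on the server to reach this domain without certificate errors, import the self-signed certificate into the server's CA store, as follows: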
```bash
# CentOS: import the self-signed certificate
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

# Ubuntu
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
```