Unable to pull images from Harbor after configuring a self-signed certificate

After Harbor is configured with a self-signed HTTPS certificate, docker pull fails with an x509 untrusted-certificate error. The error looks like this:

```
[root@k8s-03 ~]# docker pull harbor.nnv5.cn/test/myapp:v1
Error response from daemon: Get https://harbor.nnv5.cn/v2/: x509: certificate signed by unknown authority
```

But I had clearly imported the self-signed CA into curl's certificate bundle, /etc/pki/tls/certs/ca-bundle.crt, and accessing the site with curl worked fine.

```
[root@localhost ~]# curl -v https://harbor.nnv5.cn
* About to connect() to harbor.nnv5.cn port 443 (#0)
* Trying 172.23.2.83...
* Connected to harbor.nnv5.cn (172.23.2.83) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=*.nnv5.cn
* start date: 3月 02 06:44:00 2021 GMT
* expire date: 7月 18 06:44:00 2048 GMT
* common name: *.nnv5.cn
* issuer: CN=MyCompany CA
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: harbor.nnv5.cn
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 03 Mar 2021 11:04:24 GMT
< Content-Type: text/html
< Content-Length: 856
< Connection: keep-alive
< Last-Modified: Wed, 16 Sep 2020 02:45:15 GMT
< ETag: "5f617c3b-358"
< Cache-Control: no-store, no-cache, must-revalidate
< Accept-Ranges: bytes
```

The reason is that Docker does not use the system bundle; it has its own per-registry location for trusted CAs: /etc/docker/certs.d/<private registry domain>:<private registry port>/ca.crt

My Harbor is reachable at https://harbor.nnv5.cn. The directory does not exist yet, so create it manually:

```
[root@k8s-03 ~]# mkdir -p /etc/docker/certs.d/harbor.nnv5.cn
```

Copy the private ca.crt into this directory, then run docker pull again; it now succeeds.

```
[root@k8s-03 ~]# ls /etc/docker/certs.d/harbor.nnv5.cn
ca.crt
```

Creating Docker's certificate directory as above only fixes the certificate problem for Docker accessing this domain.
If you want every service on the server to access this domain without certificate errors, import the self-signed certificate into the server's CA trust store as follows:

```
# CentOS: import the self-signed certificate
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

# Ubuntu
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
```
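As an added example (not from the original post), a small POSIX sh helper that derives the Docker per-registry directory from an image reference or URL (including the :port suffix when a non-default port is used), installs a file there only if it really is a CA certificate, and then verifies the certificate the registry serves against both Docker's ca.crt and the system bundle, which makes the curl/docker discrepancy above visible in one command. The function names and the DOCKER_CERTS_ROOT override are assumptions; Docker itself only reads /etc/docker/certs.d.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not Docker's or Harbor's.
# DOCKER_CERTS_ROOT is an assumed override so the path logic can be tried
# without root. Docker only consults /etc/docker/certs.d.

# registry_cert_dir <image-ref-or-url>
#   https://harbor.nnv5.cn/test/myapp:v1   -> /etc/docker/certs.d/harbor.nnv5.cn
#   harbor.nnv5.cn:8443/test/myapp:v1      -> /etc/docker/certs.d/harbor.nnv5.cn:8443
registry_cert_dir() {
    ref=${1#https://}
    ref=${ref#http://}
    host=${ref%%/*}        # keep host[:port], drop the repository path
    printf '%s/%s\n' "${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}" "$host"
}

# install_registry_ca <ca.crt> <registry>
# Refuses anything that is not a CA certificate (basicConstraints CA:TRUE),
# then places it where docker pull will find it. No daemon restart needed.
install_registry_ca() {
    ca=$1; dir=$(registry_cert_dir "$2")
    openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "not a CA certificate: $ca" >&2; return 1; }
    mkdir -p "$dir" && cp "$ca" "$dir/ca.crt" && chmod 644 "$dir/ca.crt"
}

# check_registry_trust <registry[:port]>
# Fetches the leaf certificate the daemon would see and verifies it first
# against the per-registry ca.crt (what docker uses), then against the
# system store (what curl uses). A self-signed CA that is only in one of
# the two places shows up as a pass/fail split between the two lines.
check_registry_trust() {
    host=$1; port=${host##*:}
    [ "$port" = "$host" ] && port=443
    name=${host%%:*}
    leaf=$(mktemp)
    openssl s_client -connect "$name:$port" -servername "$name" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM > "$leaf"
    printf 'docker (%s/ca.crt): ' "$(registry_cert_dir "$host")"
    openssl verify -CAfile "$(registry_cert_dir "$host")/ca.crt" "$leaf"
    printf 'system trust store: '
    openssl verify "$leaf"      # default CA path of this OpenSSL build
    rm -f "$leaf"
}
```

If the registry certificate is issued through an intermediate, pass the intermediate with -untrusted to openssl verify, or concatenate the full chain into ca.crt.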