应原来小伙伴的要求,生产环境出错了,是harbor的ssl cert过期了,也因为使用的是免费的ssl证书,现在无法正常使用harbor,所以贴来了2023年1月曾经搭建的文档,希望能解决问题。^v^.
-------------------------------------------------------------------------------------------------------------------------------
以下是历史正文记录:
最近发现其中一个域名的证书到期了,无赖,现在行情不好,所以没准备续费购买商用版的证书,自己搭建把。好几个ssl证书都颁发使用(如下域名服务),域名为阿里购买的,所以原来的证书也是阿里的。
写个docs,就是update harbor的ssh crt把。
0、登录:https://harbortest.ihlt.com即出现以下界面,配置了ssl证书想通过IP也访问不了!
登录aliyun申请免费的证书把,需要购买证书服务,用了公司的企业账号,一次性可以免费申请20个,但是并非是根证书哦。截图记录把。
这里我看了harbor原来的证书格式为crt,密钥为key
所以我下载了对应的nginx的
应该harbor的证书也是通过nginx来写的
harbor@uat-harbor01:~$ sudo -i
[sudo] password for harbor:
root@uat-harbor01:~# cd /root/harbor/
root@uat-harbor01:~/harbor# ls
common common.sh docker-compose.yml harbor.v2.6.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
root@uat-harbor01:~/harbor# ls
common common.sh docker-compose.yml harbor.v2.6.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare
root@uat-harbor01:~/harbor# cd /data/cert/
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt harbortest.ihlt.com.key
root@uat-harbor01:/data/cert#
root@uat-harbor01:~/harbor# cat harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbortest.ihlt.com
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/cert/harbortest.ihlt.com.crt
private_key: /data/cert/harbortest.ihlt.com.key
依次操作如下图,
2、更新证书:
把下载的证书拷贝到对应的目录
通过finnalshell的sftp来直接拉传
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt harbortest.ihlt.com.key
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.crt harbortest.ihlt.com.crt0
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.key harbortest.ihlt.com.key0
root@uat-harbor01:/data/cert# mv /tmp/harbortest.ihlt.com.* ./
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt0 harbortest.ihlt.com.key harbortest.ihlt.com.key0 harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert# ls -al
total 24
drwxr-xr-x 2 root root 4096 Sep 1 09:19 .
drwxr-xr-x 4 root root 4096 Oct 11 2022 ..
-rw-r--r-- 1 harbor harbor 3805 Oct 11 2022 harbortest.ihlt.com.crt0
-rw-rw-r-- 1 harbor harbor 1675 Sep 1 09:13 harbortest.ihlt.com.key
-rw-r--r-- 1 harbor harbor 1675 Oct 11 2022 harbortest.ihlt.com.key0
-rw-rw-r-- 1 harbor harbor 3813 Sep 1 09:13 harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert#
3、重启harbor
停止docker-compose down
重新执行./prepare
启动docker-compose up -d
root@uat-harbor01:~/harbor# ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Traceback (most recent call last):
File "/usr/src/app/main.py", line 15, in <module>
cli()
File "/usr/lib/python3.10/site-packages/click/core.py", line 1137, in __call__
return self.main(*args, **kwargs)
File "/usr/lib/python3.10/site-packages/click/core.py", line 1062, in main
rv = self.invoke(ctx)
File "/usr/lib/python3.10/site-packages/click/core.py", line 1668, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python3.10/site-packages/click/core.py", line 763, in invoke
return __callback(*args, **kwargs)
File "/usr/src/app/commands/prepare.py", line 47, in prepare
prepare_nginx(config_dict)
File "/usr/src/app/utils/nginx.py", line 23, in prepare_nginx
render_nginx_template(config_dict)
File "/usr/src/app/utils/nginx.py", line 56, in render_nginx_template
prepare_nginx_certs(config_dict['cert_key_path'], config_dict['cert_path'])
File "/usr/src/app/utils/nginx.py", line 43, in prepare_nginx_certs
shutil.copy2(host_ngx_cert_path, real_crt_path)
File "/usr/lib/python3.10/shutil.py", line 434, in copy2
copyfile(src, dst, follow_symlinks=follow_symlinks)
File "/usr/lib/python3.10/shutil.py", line 254, in copyfile
with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: '/hostfs/data/cert/harbortest.ihlt.com.crt'
//马虎,提示没有这个文件,所以去看了下,忘记了上面的harbor.yml的crt而不是拷贝进来的pem,所以进入目录可以直接修改即可。
root@uat-harbor01:~/harbor# cd /data/cert/
root@uat-harbor01:/data/cert# ls
harbortest.ihlt.com.crt0 harbortest.ihlt.com.key harbortest.ihlt.com.key0 harbortest.ihlt.com.pem
root@uat-harbor01:/data/cert# mv harbortest.ihlt.com.pem harbortest.ihlt.com.crt
root@uat-harbor01:~/harbor# ./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
root@uat-harbor01:~/harbor# docker-compose up -d
[+] Running 10/10
⠿ Network harbor_harbor Created 0.2s
⠿ Container harbor-log Started 0.8s
⠿ Container registryctl Started 1.4s
⠿ Container harbor-portal Started 1.7s
⠿ Container redis Started 1.8s
⠿ Container registry Started 1.7s
⠿ Container harbor-db Started 1.3s
⠿ Container harbor-core Started 1.9s
⠿ Container nginx Started 2.3s
⠿ Container harbor-jobservice Started 2.2s
root@uat-harbor01:~/harbor#
再次访问:恢复正常了!
nginx更新证书-2023/10/19
公司的holitech.net的证书过期了,阿里云上购买了根证书。首先上传服务,然后替换对应的路径,可以查看nginx.conf的配置:路径,然后必须重启nginx服务。后端测试OK。。。。!
| [root@k8s-ng2 paas]# scp holitech.net.* root@10.6.200.223:/root/ ssh: connect to host 10.6.200.223 port 22: Connection refused lost connection [root@k8s-ng2 paas]# scp holitech.net.* root@10.0.200.223:/data/cert root@10.0.200.223's password: holitech.net.key 100% 1679 18.3KB/s 00:00 holitech.net.pem 100% 3822 987.3KB/s 00:00 [root@k8s-ng1 data]# cd cert/ [root@k8s-ng1 cert]# ls 8631154__holitech.net.key holitech.net.key 8631154__holitech.net.pem holitech.net.pem [root@k8s-ng1 cert]# mv holitech.net.key 8631154__holitech.net.key mv:是否覆盖"8631154__holitech.net.key"? y [root@k8s-ng1 cert]# mv holitech.net.pem 8631154__holitech.net.pem mv:是否覆盖"8631154__holitech.net.pem"? y [root@k8s-ng1 cert]# whereis ngix ngix:[root@k8s-ng1 cert]# whereis nginx nginx: /usr/local/nginx [root@k8s-ng1 cert]# cd /usr/local/nginx/ [root@k8s-ng1 nginx]# ls client_body_temp fastcgi_temp logs sbin uwsgi_temp conf html proxy_temp scgi_temp [root@k8s-ng1 nginx]# cd sbin/ [root@k8s-ng1 sbin]# ls nginx [root@k8s-ng1 sbin]# ./nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@k8s-ng1 sbin]# systemctl restart nginx [root@k8s-ng2 paas]# systemctl restart nginx |
--------------------------------------------------------------------------------------------------------
crt证书信息:
Harbor.ihlt.com_chain的证书
详细信息如下:
版本 :V3
序列号:0de0ffb5ee62cb61109f608c9ced5ed3
签名算法: sha256RSA
签名哈希算法: sha256
颁发者:
CN = DigiCert Global Root G2
OU = www.digicert.com
O = DigiCert Inc
C = US
有效期从: Monday, November 27, 2017 8:46:40 PM
到: Saturday, November 27, 2027 8:46:40 PM
使用者:
CN = Encryption Everywhere DV TLS CA - G2
OU = www.digicert.com
O = DigiCert Inc
C = US
公钥:
30 82 01 0a 02 82 01 01 00 ef 14 7f 8e a2 fe 7a fb a6 48 13 0e a9 c4 79 22 1f 08 5a af 3e 75 2a dd a1 75 b4 c2 79 86 1f 4c 9c ee 8b 9a de 54 74 77 c1 1b 00 bd 4a 2f 97 8c ad 76 72 36 60 c4 e6 ec 2f a4 60 d6 78 ef 36 10 0c 27 82 6e 9c dd 09 18 64 49 19 27 af 6c 9b 00 de c7 3a f2 76 cf 43 3b 8a a7 92 5c f2 fa 6b ca 9d a6 b6 cd fc a5 20 97 a2 b3 d1 fa c7 21 42 2b 0a 03 b3 92 43 53 23 70 53 74 77 bb 5b ad c7 96 14 d6 f3 80 bd 9c b0 95 50 7a 88 0e 04 64 9e fc a6 44 21 9c 3a 81 72 ca 78 57 bb 9a ea 67 35 82 51 3a 2d a2 0b 5d 7e 1e e1 7b f6 20 2d b4 c7 37 d8 2b fa 50 ec 62 c5 8f f7 65 5f 8b ce 92 e7 92 51 6a f7 c5 ce 46 0c 24 20 92 f5 1e eb cf 85 af 32 bd bf 96 e8 98 ac 95 92 4b f8 72 c5 b6 27 68 c6 62 3b 42 6d d9 c8 85 7a e9 6e 77 dc 3b 06 16 29 85 26 4c f7 cb 41 9e 1d 6b 92 54 c6 c8 95 fb 02 03 01 00 01
公钥参数: 05 00
使用者密钥标识符:78df91905feedeacf6c575ebd54c5553ef244ab6
授权密钥标识符: KeyID=4e2254201895e6e36ee60ffafab912ed06178f39
增强型密钥用法:
服务器身份验证 (1.3.6.1.5.5.7.3.1)
客户端身份验证 (1.3.6.1.5.5.7.3.2)
授权信息访问:
[1]Authority Info Access
Access Method=联机证书状态协议 (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.digicert.com
CRL分发点:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl3.digicert.com/DigiCertGlobalRootG2.crl
证书策略:
[1]Certificate Policy:
Policy Identifier=2.16.840.1.114412.1.2
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier:
Legal Repository | DigiCert.com
[2]Certificate Policy:
Policy Identifier=2.23.140.1.2.1
密钥用法: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
基本约束:
Subject Type=CA
Path Length Constraint=0
指纹: ed6302684a3259aa04f10fe9a97a8fd30b965d26
常规信息:
颁发给: Encryption Everywhere DV TLS CA - G2
颁发者: DigiCert Global Root G2
Harbor.ihlt.com_public的证书
常规信息:
颁发给: harbor.ihlt.com
颁发者: Encryption Everywhere DV TLS CA - G2
