Harbor login error: "doesn't contain any IP SANs"
Notes:
The Harbor instance I set up here uses HTTPS, with a self-signed certificate.
1. Error:
    root@ubuntu1804:~# docker login 10.0.0.164
    Username: admin
    Password:
    Error response from daemon: Get https://10.0.0.164/v2/: x509: cannot validate certificate for 10.0.0.164 because it doesnt contain any IP SANs
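2. Resolution:
2.1 Guess one: the IP was not added when the certificate was created
But when I generated the certificate, the IP was already in -subj. I am not using a domain name here, so I shouldn't need to write the file with echo subjectAltName = IP:10.30.0.163 > extfile.cnf, right?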
    HOST=10.0.0.164
    touch /root/.rnd
    openssl genrsa -out ${HARBOR_INSTALL}/harbor/certs/${HARBOR_KEY}
    openssl req -x509 -new -nodes -key ${HARBOR_INSTALL}/harbor/certs/${HARBOR_KEY} -subj "/CN=$HOST" -days 7120 -out ${HARBOR_INSTALL}/harbor/certs/${HARBOR_CRT}
Later, to check this, I recreated the certificate, but found that it still reported the same error.
    echo "1.创建私有CA: "
    # Create the private CA key and the CA certificate in a single command
    openssl req -x509 -utf8 -newkey rsa:4096 -subj $SUBJ -keyout ${DIR}/ca.key -nodes -days $EXPIRE -out ${DIR}/ca.pem

    echo "2.给服务器签发证书"
    # Create the server private key and the certificate signing request in a single command
    openssl req -utf8 -newkey rsa:4096 -nodes -keyout ${DIR}/server.key -subj "/CN=$DOMAIN_HOST" -out ${DIR}/server.csr
    echo subjectAltName=DNS:$DOMAIN_HOST,IP:0.0.0.0 > /tmp/extfile.cnf
    # The CA issues the certificate to the server
    openssl x509 -req -days $EXPIRE -sha256 -in ${DIR}/server.csr -CA ${DIR}/ca.pem -CAkey ${DIR}/ca.key -CAcreateserial -out ${DIR}/server.crt -extfile /tmp/extfile.cnf
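2.2 Guess two: because Harbor is self-hosted, a parameter has to be added to Docker's service file:
10.0.0.163 has to be trusted before images can be pushed to 10.0.0.163. docker login fails because "--insecure-registry" was not added for the private registry.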
    root@harbor1:/apps/harbor/harbor/certs# vim /lib/systemd/system/docker.service
    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.163 --insecure-registry 10.0.0.164
    root@harbor1:/apps/harbor/harbor/certs# systemctl daemon-reload
    root@harbor1:/apps/harbor/harbor/certs# systemctl restart docker
    # Logging in again now succeeds
    root@harbor1:/apps/harbor/harbor/certs# docker login 10.0.0.163
    Username: admin
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded
2.3 Solution:
Error: harbor cannot validate certificate for 10.0.0.190 because it doesnt contain any IP SANs
If adding it in the service file does not work, it can be added in the daemon.json file instead.
    root@ubuntu1804:/apps/harbor/harbor/certs# vim /etc/docker/daemon.json
    {
      "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
      "insecure-registries": ["https://10.0.0.190"]
    }
    root@ubuntu1804:/apps/harbor/harbor/certs# vim /etc/docker/daemon.json
    root@ubuntu1804:/apps/harbor/harbor/certs# systemctl restart docker
    root@ubuntu1804:/apps/harbor/harbor/certs# docker login 10.0.0.190
    Username: admin
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded
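Go's certificate verification, which Docker uses, matches an IP address only against IP entries in subjectAltName and never against the CN, so the registry can also be verified without insecure-registries by issuing a certificate whose SAN carries the address clients connect to. The script below is an added example, not from the original post: it builds three throwaway self-signed certificates (file names and the 2048-bit key size are assumptions) and checks each against 10.0.0.164 with openssl x509 -checkip.

```shell
#!/bin/sh
# Added example, not from the original post. File names and key size are constructed.
IP=10.0.0.164

# make_cert DIR NAME IP [SAN]: self-signed certificate with CN=IP. If SAN is
# given it is written to an extfile and applied with -extfile, the same
# mechanism the CA script on this page uses.
make_cert() {
    dir=$1; name=$2; ip=$3; san=$4
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$ip" -out "$dir/$name.csr"
    if [ -n "$san" ]; then
        echo "subjectAltName=$san" > "$dir/$name.ext"
        openssl x509 -req -days 365 -sha256 -in "$dir/$name.csr" \
            -signkey "$dir/$name.key" -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" 2>/dev/null
    else
        openssl x509 -req -days 365 -sha256 -in "$dir/$name.csr" \
            -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    fi
}

# cert_matches_ip CRT IP: succeeds only if CRT has an IP SAN equal to IP.
# openssl prints "does match" or "does NOT match"; the CN is not consulted.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match"
}

WORK=$(mktemp -d)
make_cert "$WORK" cn_only   "$IP"               # IP only in -subj, no SAN
make_cert "$WORK" other_san "$IP" "IP:0.0.0.0"  # SAN present, different address
make_cert "$WORK" ip_san    "$IP" "IP:$IP"      # SAN carries the registry address

for c in cn_only other_san ip_san; do
    if cert_matches_ip "$WORK/$c.crt" "$IP"; then
        echo "$c: valid for $IP"
    else
        echo "$c: not valid for $IP"
    fi
done
rm -rf "$WORK"
```

Only ip_san is reported as valid; a certificate issued this way still has to be trusted by the Docker client before login succeeds without insecure-registries.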