
I cannot log in to registry with self-signed certificate

Open mfaridi1394 opened this issue 1 year ago • 2 comments

I installed Harbor on Debian Linux and generated a self-signed certificate with this cnf file:

```
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = RR
ST = Teh
L = Teh
O = Ba
OU = Core
CN = registery.bankid.local

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = registery2.ba.local
DNS.2 = localhost
IP.1 = 127.0.0.1
IP.2 = 192.168.90.140
```

and used these commands to create the certificate:

```
sudo openssl req -out harbor_registry.csr -newkey rsa:4096 --sha512 -nodes -keyout harbor_registry.key -config harbor_certs.cnf
sudo openssl x509 -in harbor_registry.csr -out harbor_registry.crt -req -signkey harbor_registry.key -days 3650
```

but when I want to log in from my Linux desktop I see this:

```
docker login https://192.168.90.140:8443
Username: admin
Password:
INFO[0009] Error logging in to endpoint, trying next endpoint  error="Get \"https://192.168.90.140:8443/v2/\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.90.140 because it doesn't contain any IP SANs"
Get "https://192.168.90.140:8443/v2/": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.90.140 because it doesn't contain any IP SANs
```

mfaridi1394, Feb 19 '24 13:02

You need to install your custom CA to the system, then restart docker daemon. Or you can set docker daemon to ignore tls and add this registry to insecure list.

reddare, Feb 19 '24 20:02

@mfaridi1394, according to the description you provided above, it says `because it doesn't contain any IP SANs`. You may not have set subjectAltName properly.

This issue comment https://github.com/goharbor/harbor/issues/18104#issuecomment-1407844551 has a script explaining how to generate the server.crt, server.key and ca.crt required for installing a Harbor instance.

zyyw, Feb 23 '24 08:02
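Added example, not part of the thread or of the Harbor project: `openssl x509 -req` does not copy the extensions requested in a CSR unless it is given `-extfile` (and `x509_extensions` in `[req]` only applies to `openssl req -x509`), so this script self-signs the same CSR both ways and checks each result for the IP SAN from the issue. The function and file names, the 2048-bit key and the 365-day lifetime are assumptions chosen for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. File and function names are illustrative.
set -eu
# Config modelled on the one in the issue; SAN values are the issue's own.
write_cnf() {  # $1 = output path
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = registery.bankid.local
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = registery2.ba.local
IP.1 = 192.168.90.140
EOF
}

# Create key + CSR, then self-sign. $1 = work dir, $2 = "plain" or "with-ext".
sign_cert() {
  dir=$1
  write_cnf "$dir/san.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$dir/k.key" \
    -out "$dir/r.csr" -config "$dir/san.cnf" 2>/dev/null
  if [ "$2" = with-ext ]; then  # extensions re-supplied at signing time
    openssl x509 -req -in "$dir/r.csr" -signkey "$dir/k.key" -days 365 \
      -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/$2.crt" 2>/dev/null
  else  # as in the issue: no -extfile, so the CSR's extensions are dropped
    openssl x509 -req -in "$dir/r.csr" -signkey "$dir/k.key" -days 365 \
      -out "$dir/$2.crt" 2>/dev/null
  fi
}

# Succeeds only if the certificate lists exactly this IP as a SAN.
has_ip_san() {  # $1 = certificate, $2 = IP
  openssl x509 -in "$1" -noout -text | tr ',' '\n' |
    sed 's/^ *//; s/ *$//' | grep -qxF "IP Address:$2"
}

work=$(mktemp -d)
for mode in plain with-ext; do
  sign_cert "$work" "$mode"
  has_ip_san "$work/$mode.crt" 192.168.90.140 && echo "$mode: IP SAN present" || echo "$mode: no IP SAN"
done
```

Running `has_ip_san` against the certificate file Harbor is actually configured to serve shows whether a regenerated certificate is the one in use.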

> @mfaridi1394, according to the description you provided above, it says `because it doesn't contain any IP SANs`. You may not have set subjectAltName properly.
>
> This issue comment #18104 (comment) has a script explaining how to generate the server.crt, server.key and ca.crt required for installing a Harbor instance.

I used this guide and made a new certificate, but I got that error again.

mfaridi1394, Feb 26 '24 15:02