# Install Harbor on CentOS and Enable HTTPS

> Private Docker image registry

---

## Environment

- Server IP: 192.168.69.128
- OS: CentOS 7

---

## Part 1: Generate a self-signed certificate

### 1. Create the certificate directory

```bash
mkdir -p /opt/cert
cd /opt/cert
```

### 2. Generate the root certificate

```bash
openssl req \
  -newkey rsa:4096 -nodes -sha256 \
  -keyout ca.key \
  -x509 -days 3650 -out ca.crt \
  -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=test/emailAddress=11111111@qq.com"
```

### 3. Generate the certificate signing request

```bash
openssl req \
  -newkey rsa:4096 -nodes -sha256 \
  -keyout harbor-registry.key \
  -out harbor-registry.csr \
  -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=192.168.69.128/emailAddress=11111111@qq.com"
```

### 4. Generate the certificate

```bash
# Create the extension file (the IP must appear as a subjectAltName)
echo "subjectAltName = IP:192.168.69.128" > extfile.cnf

# Sign the request with the root CA
openssl x509 -req -days 365 \
  -in harbor-registry.csr \
  -CA ca.crt -CAkey ca.key \
  -CAcreateserial \
  -extfile extfile.cnf \
  -out harbor-registry.crt
```

### 5. Certificate files

```bash
ls -la /opt/cert/
# ca.crt  ca.key  ca.srl  extfile.cnf  harbor-registry.crt  harbor-registry.csr  harbor-registry.key
```

---

## Part 2: Stop the running Harbor

```bash
# Option 1: docker-compose
docker-compose down -v

# Option 2: force stop (this stops and removes every container on the host)
docker ps | grep -v CONTAINER | awk '{print $1}' | xargs docker stop
docker ps -a | grep -v CONTAINER | awk '{print $1}' | xargs docker rm -vf
```

---

## Part 3: Configure Harbor

### 1. Edit harbor.cfg

```bash
vim /root/harbor/harbor.cfg
```

Change:

```ini
hostname = 192.168.69.128
ui_url_protocol = https
ssl_cert = /opt/cert/harbor-registry.crt
ssl_cert_key = /opt/cert/harbor-registry.key
```

### 2. Generate the configuration

```bash
cd /root/harbor
./prepare
```

---

## Part 4: Restart Harbor

```bash
docker-compose down
docker-compose up -d
```

---

## Part 5: Client configuration

### 1. Copy the certificate to Docker

```bash
# Create the certificate directory
mkdir -p /etc/docker/certs.d/192.168.69.128

# Copy the CA certificate
cp /opt/cert/ca.crt /etc/docker/certs.d/192.168.69.128/

# CentOS/RHEL: also add the CA to the system trust store
cp /opt/cert/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
```

### 2. Restart Docker

```bash
systemctl restart docker
```

---

## Part 6: Verify

### 1. Browser access

```
https://192.168.69.128
```

### 2. Docker login

```bash
docker login 192.168.69.128
# Username: admin
# Password: Harbor12345
```

---

## Common commands

```bash
# Start/stop
docker-compose up -d
docker-compose down

# Check status
docker-compose ps

# View logs
docker-compose logs -f
```

---

## Troubleshooting

### 1. Docker login fails

```bash
# Make sure /etc/docker/daemon.json has no insecure-registries entry
# If it does, remove it and restart Docker
systemctl restart docker
```

### 2. Certificate is not trusted

```bash
# CentOS
sudo cp ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

# Ubuntu
sudo cp ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```

### 3. Browser reports the site as not secure

This is the normal warning for a self-signed certificate. Click "Advanced" → "Continue" to proceed.

---

## Quick command summary

```bash
# 1. Generate the certificates
mkdir -p /opt/cert && cd /opt/cert
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=GD/L=GZ/O=test/OU=IT/CN=test"
openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key -out harbor-registry.csr -subj "/C=CN/ST=GD/L=GZ/O=test/OU=IT/CN=192.168.69.128"
echo "subjectAltName = IP:192.168.69.128" > extfile.cnf
openssl x509 -req -days 365 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt

# 2. Configure Harbor
vim /root/harbor/harbor.cfg
# Change hostname, ui_url_protocol, ssl_cert, ssl_cert_key

# 3. Restart
cd /root/harbor
./prepare
docker-compose down
docker-compose up -d

# 4. Client configuration (absolute path: the working directory is now /root/harbor)
mkdir -p /etc/docker/certs.d/192.168.69.128
cp /opt/cert/ca.crt /etc/docker/certs.d/192.168.69.128/
```
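
The script below is an added example, not part of the original page or of Harbor: it checks the files from the certificate-generation steps before `ssl_cert` and `ssl_cert_key` are pointed at them. The helper names `check_harbor_cert` and `make_demo_chain` and the throwaway demo CA (2048-bit keys, for speed only) are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the certificate files generated on this page.

# check_harbor_cert CA_CRT SERVER_CRT SERVER_KEY REGISTRY_IP (hypothetical helper)
# Prints the first failed check and returns 1; prints OK and returns 0 otherwise.
check_harbor_cert() {
  local ca="$1" crt="$2" key="$3" ip="$4"
  # 1. The server certificate must chain to the CA that clients will trust.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt is not signed by $ca"; return 1; }
  # 2. The SAN must list the registry IP: Go's TLS stack (used by Docker) only
  #    accepts an IP host when a matching IP SAN is present, never via the CN.
  openssl x509 -in "$crt" -noout -text | grep -qFw "IP Address:$ip" \
    || { echo "FAIL: SAN does not contain IP:$ip"; return 1; }
  # 3. The private key must belong to the certificate (identical public keys).
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL: $key does not match $crt"; return 1; }
  # 4. The server certificate is signed for 365 days; flag fewer than 30 days left.
  openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null \
    || { echo "FAIL: $crt expires within 30 days"; return 1; }
  echo "OK: $crt is valid for $ip"
}

# make_demo_chain DIR IP [noext] (hypothetical helper): builds a throwaway CA and
# server certificate with the page's openssl steps. rsa:2048 only keeps the demo
# fast; "noext" omits the SAN extension file to show the failure case.
make_demo_chain() {
  local d="$1" ip="$2"
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$d/ca.key" \
    -x509 -days 3650 -out "$d/ca.crt" -subj "/O=demo/CN=demo-ca" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$d/srv.key" \
    -out "$d/srv.csr" -subj "/O=demo/CN=$ip" 2>/dev/null
  if [ "${3:-}" = noext ]; then
    openssl x509 -req -days 365 -in "$d/srv.csr" -CA "$d/ca.crt" \
      -CAkey "$d/ca.key" -CAcreateserial -out "$d/srv.crt" 2>/dev/null
  else
    echo "subjectAltName = IP:$ip" > "$d/extfile.cnf"
    openssl x509 -req -days 365 -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/extfile.cnf" -out "$d/srv.crt" 2>/dev/null
  fi
}

# Constructed sample input: a demo chain in a temp directory, then the check.
demo=$(mktemp -d)
make_demo_chain "$demo" 192.168.69.128
check_harbor_cert "$demo/ca.crt" "$demo/srv.crt" "$demo/srv.key" 192.168.69.128
rm -rf "$demo"
```

Against the real files the call would be `check_harbor_cert /opt/cert/ca.crt /opt/cert/harbor-registry.crt /opt/cert/harbor-registry.key 192.168.69.128`, run before `./prepare`.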