Enterprise PKS + Harbor – “certificate signed by unknown authority”

I’ve deployed Harbor as part of my Enterprise PKS setup through Pivotal OpsManager. Everything went smoothly and I was able to log in to Harbor and mess around with it after only a few minutes.
But when I wanted to start pushing images into Harbor, I had some trouble logging in through the Docker CLI:

cloudborn@ubu:~$ docker login harbor.cloudborn.lab -u admin
Password:
Error response from daemon: Get https://harbor.cloudborn.lab/v2/: x509: certificate signed by unknown authority
cloudborn@ubu:~$

To fix this, I had to make Docker trust the CA cert of Harbor.

Get the CA Cert

Depending on how you’ve configured your certificates during the Harbor installation, there are different methods to obtain the required CA cert:

1. Get it from the installation page

From OpsManager –> Harbor Tile –> Settings –> Certificate

Here you will find the “Certificate Authority (CA)” certificate you might have entered during the installation. Just copy it to the machine where you need it.

Since I don’t have a proper CA in my lab, I left it empty. In this case, the OpsManager CA cert is being used (as stated in the tooltip).

2. Get it from OpsManager

This only works if you left the CA field empty (as seen before).

From OpsManager –> (1) Click on your user –> (2) Settings –> (3) Advanced Options –> (4) Download ROOT CA CERT

Again, just copy it to the machine where you need it.

3. Get it from Harbor

This is actually the best way since it should always work. But I still wanted to show the other ways simply to create awareness of where this was initially configured.

Log in to the Harbor UI –> (1) Administration –> (2) Configuration –> (3) Registry Root Certificate Download

Configure Docker

No matter how you got the cert, you now have to copy it to (all) the machines from which you want to log in to Harbor using the Docker CLI.

Next, we have to move it to /etc/docker/certs.d/<harbor.fqdn.com>/ca.crt

cloudborn@ubu:~$ sudo mkdir -p /etc/docker/certs.d/harbor.cloudborn.lab
cloudborn@ubu:~$ sudo mv ca.crt /etc/docker/certs.d/harbor.cloudborn.lab

cloudborn@ubu:~$ ls -lR /etc/docker/certs.d/
/etc/docker/certs.d/:
total 4
drwxr-xr-x 2 root root 4096 Dec 21 12:52 harbor.cloudborn.lab

/etc/docker/certs.d/harbor.cloudborn.lab:
total 4
-rw-r--r-- 1 cloudborn cloudborn 1212 Dec 20 20:36 ca.crt

The exact naming here is important, even the extension. Docker only interprets *.crt as CA certificates.
For more information, check the Docker Docs.

Finally, test the login:

cloudborn@ubu:~$ docker login harbor.cloudborn.lab -u admin
Password:
WARNING! Your password will be stored unencrypted in /home/cloudborn/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
cloudborn@ubu:~$

Looks good to me 🙂
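The copy step from "Configure Docker", as an added example that is not part of the original post: a shell helper that validates the file, installs it as ca.crt with install(1) so that under sudo it ends up root-owned (the mv in the listing above kept the cloudborn owner), and checks that the trust anchor is not writable by group or others. The function names and the CERTS_ROOT variable are assumptions made for this sketch.

```shell
# Added example: put a registry CA where Docker looks for it.
# install_registry_ca, ca_file_is_locked_down and CERTS_ROOT are
# names chosen for this sketch, not part of Docker or Harbor.
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# install_registry_ca <pem-file> <registry-host[:port]>
# Prints the installed path. Returns 2 on bad input, 1 if the copy fails.
install_registry_ca() {
    irc_src=$1
    irc_host=$2

    # The directory name must equal the registry host as typed in
    # "docker login"; reject anything that could escape CERTS_ROOT.
    case $irc_host in
        ''|.*|*/*|*..*|*[!A-Za-z0-9.:-]*)
            echo "invalid registry host: '$irc_host'" >&2; return 2 ;;
    esac

    # Must be a PEM certificate and must not carry a private key.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$irc_src" 2>/dev/null; then
        echo "$irc_src: no PEM certificate found" >&2; return 2
    fi
    if grep -q -e 'PRIVATE KEY-----' "$irc_src"; then
        echo "$irc_src: contains a private key, refusing" >&2; return 2
    fi

    irc_dir=$CERTS_ROOT/$irc_host
    # install(1) creates a new file owned by the invoking user (root under
    # sudo) with the given mode; mv keeps the source file's owner.
    install -d -m 0755 "$irc_dir" || return 1
    # Docker only reads *.crt as CA certificates, so the name is fixed.
    install -m 0644 "$irc_src" "$irc_dir/ca.crt" || return 1
    echo "$irc_dir/ca.crt"
}

# ca_file_is_locked_down <file>
# Succeeds only for a regular file that group and others cannot write to.
ca_file_is_locked_down() {
    [ -f "$1" ] &&
        [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}
```

Source the file in a root shell and run install_registry_ca ca.crt harbor.cloudborn.lab; ca_file_is_locked_down can be run against existing ca.crt files to spot trust anchors with loose permissions.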
