I’ve deployed Harbor as part of my Enterprise PKS setup through Pivotal OpsManager. Everything went smoothly, and I was able to log in to Harbor and mess around with it after only a few minutes.
But when I wanted to start pushing images into Harbor, I had trouble logging in through the Docker CLI:
cloudborn@ubu:~$ docker login harbor.cloudborn.lab -u admin
Password:
Error response from daemon: Get https://harbor.cloudborn.lab/v2/: x509: certificate signed by unknown authority
cloudborn@ubu:~$
In order to fix this, I had to make Docker trust the CA cert of Harbor.
Get the CA Cert
Depending on how you’ve configured your certificates during the Harbor installation, there are different methods to obtain the required CA cert:
1. Get it from the installation page
From OpsManager –> Harbor Tile –> Settings –> Certificate
Here you will find the “Certificate Authority (CA)” certificate you might have entered during the installation. Just copy it to the machine where you need it.
Since I don’t have a proper CA in my lab, I left it empty. In this case, the OpsManager CA cert is being used (as stated in the tooltip).
2. Get it from OpsManager
This only works if you left the CA field empty (as seen before).
From OpsManager –> (1) Click on your user –> (2) Settings –> (3) Advanced Options –> (4) Download ROOT CA CERT
Again, just copy it to the machine where you need it.
3. Get it from Harbor
This is actually the best way, since it should always work. But I still wanted to show the other ways, simply to create awareness of where this was initially configured.
Log in to Harbor UI –> (1) Administration –> (2) Configuration –> (3) Registry Root Certificate Download
No matter how you got the cert, you now have to copy it to (all) the machines from which you want to log in to Harbor using the Docker CLI.
Next, we have to move it to /etc/docker/certs.d/<harbor.fqdn.com>/ca.crt:
cloudborn@ubu:~$ sudo mkdir -p /etc/docker/certs.d/harbor.cloudborn.lab
cloudborn@ubu:~$ sudo mv ca.crt /etc/docker/certs.d/harbor.cloudborn.lab
cloudborn@ubu:~$ ls -lR /etc/docker/certs.d/
/etc/docker/certs.d/:
total 4
drwxr-xr-x 2 root root 4096 Dec 21 12:52 harbor.cloudborn.lab

/etc/docker/certs.d/harbor.cloudborn.lab:
total 4
-rw-r--r-- 1 cloudborn cloudborn 1212 Dec 20 20:36 ca.crt
The exact naming here is important, even the extension. Docker only interprets *.crt as CA certificates.
For more information, check the Docker Docs.
Finally, test the login:
cloudborn@ubu:~$ docker login harbor.cloudborn.lab -u admin
Password:
WARNING! Your password will be stored unencrypted in /home/cloudborn/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
cloudborn@ubu:~$
Looks good to me 🙂
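The copy step above as a script that checks the file before it becomes a trust anchor for the Docker daemon (an added example, not part of the original post). The function names and the CERTS_ROOT override are assumptions, and openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and CERTS_ROOT
# are assumptions; Docker itself reads /etc/docker/certs.d/<registry>/*.crt.
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# SHA-256 fingerprint, for comparison with a copy of the certificate
# obtained over a second path before relying on it.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 = usable CA; 1 = not a PEM certificate; 2 = expired; 3 = not a CA.
check_ca_cert() {
    cert_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "not a PEM certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired: $1" >&2; return 2; }
    # Text match on the basicConstraints line printed by openssl.
    case "$cert_text" in
        *CA:TRUE*) return 0 ;;
        *) echo "basicConstraints is not CA:TRUE: $1" >&2; return 3 ;;
    esac
}

# Usage: install_registry_ca <registry-fqdn> <downloaded-cert>
install_registry_ca() {
    check_ca_cert "$2" || return $?
    dest="$CERTS_ROOT/$1"
    mkdir -p "$dest" || return 4
    # install creates a new file owned by the caller (root under sudo)
    # with an explicit mode, unlike mv, which keeps the original owner.
    # The file name must end in .crt for Docker to treat it as a CA.
    install -m 0644 "$2" "$dest/ca.crt" || return 4
    ca_fingerprint "$dest/ca.crt"
}
```

With the functions sourced in a root shell, `install_registry_ca harbor.cloudborn.lab ca.crt` prints the SHA-256 fingerprint of the installed file. Comparing it with the fingerprint of a copy obtained through one of the other methods above confirms that both paths delivered the same CA.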