Is there any alternative method when remote certifacate verifing use self-signed CA?

14 views
Skip to first unread message

jahen

unread,
May 24, 2019, 7:12:24 AM5/24/19
to harbor-dev
I have deployed two harbor registry for testing: harbor1 at IP 35.243.92.40 and harbor2 at IP 34.80.154.130.

For each harbor registry, I have configure HTTPS using self-signed CA, as below, and docker login 34.80.154.130 is ok now.


I configured harbo2 in harbor1's registries management, as below.

I know it says the self-signed certificate is not sutiable for it, but security of verifying before replication is very important in my distributed application scenario.

In my opinion, the self-signed certificate may be not untrustworthy to other people, but it should be trustworthy to each self-controllable harbor registry. So, Is there any alternative method when remote certifacate verifing use self-signed CA?

jahen

unread,
May 24, 2019, 7:55:10 AM5/24/19
to harbor-dev
In my practice, I configure the self-signed CA into system Ubuntu 18.10 of each harbor registry.  I found a confusing point of '400 bad request', as below. 
I think it maybe an internal mistake, maybe at nginx or other place.

and it's ok without remote certificate verify.



I have done these steps:
1. I use the online installer approach to install harbor on each node and configure HTTPS.
In the progress, I genrate a common self-signed CA ca.key and ca.crt for generating server certificate for harbor HTTPS configuration.
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Harmonycloud/OU=Edgecompute/CN=35.243.92.40" \
    -key ca.key \
    -out ca.crt

2. Then follow the guide https://github.com/goharbor/harbor/blob/master/docs/configure_https.md, I configure HTTPS for each harbor: harbor1(35.243.92.40) and harbor2(34.80.154.130).
for harbor1(35.243.92.40):
# 1) Create your own Private Key:
openssl genrsa -out 35.243.92.40.key 4096

# 2) Generate a Certificate Signing Request:
openssl req -sha512 -new \
    -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Harmonycloud/OU=Edgecompute/CN=35.243.92.40" \
    -key 35.243.92.40.key \
    -out 35.243.92.40.csr

# 3) Generate the certificate of registry host:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names

[alt_names]
IP.1=35.243.92.40
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in 35.243.92.40.csr \
    -out 35.243.92.40.crt

# 4) Configure Server Certificate and Key for Harbor
sudo mkdir -p /data/cert/
sudo cp 35.243.92.40.crt /data/cert/
sudo cp 35.243.92.40.key /data/cert/ 

# 5) Configure Server Certificate, Key and CA for Docker
openssl x509 -inform PEM -in 35.243.92.40.crt -out 35.243.92.40.cert

sudo mkdir -p /etc/docker/certs.d/35.243.92.40:443/
sudo cp 35.243.92.40.cert /etc/docker/certs.d/35.243.92.40:443/
sudo cp 35.243.92.40.key /etc/docker/certs.d/35.243.92.40:443/
sudo cp ca.crt /etc/docker/certs.d/35.243.92.40:443/

# 6) Configure Harbor
vim harbor.yml
# modify hostname: 35.243.92.40
# comment http
# uncomment https
# certificate: /data/cert/35.243.92.40.crt
# private_key: /data/cert/35.243.92.40.key

# Generate configuration files for Harbor
./prepare

# 7) restart docker
sudo systemctl daemon-reload
sudo systemctl restart docker

# 8) put self-singed CA in system
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
sudo cp 35.243.92.40.crt /usr/local/share/ca-certificates/35.243.92.40.crt
sudo update-ca-certificates

# 9) setup
docker-compose up -d
it is the same for harbor2(34.80.154.130).

3. Add harbor2's server CA into harbor1's system, and add harbor1's server CA into harbor2's system.
for harbor1(35.243.92.40):
sudo mkdir -p /etc/docker/certs.d/34.80.154.130:443/
sudo cp 34.80.154.130.cert /etc/docker/certs.d/34.80.154.130:443/
sudo cp 34.80.154.130.key /etc/docker/certs.d/34.80.154.130:443/
sudo cp ca.crt /etc/docker/certs.d/34.80.154.130:443/

sudo cp 34.80.154.130.crt /usr/local/share/ca-certificates/34.80.154.130.crt
sudo update-ca-certificates

sudo docker-compose down -v
sudo docker-compose up -d

sudo systemctl daemon-reload
sudo systemctl restart docker

sudo docker login 34.80.154.130 #OK
it is the same for harbor2(34.80.154.130).

4. This is the key step, in Web UI operation it occur an 400. I don't know why.
Not a 401 Unauthorized, nor 403 Forbidden. 

My Question is :
1. Whether it is feasible for using self-signed CA in remote certifacate verify?
2. Why it occur a 400 bad request in picture above.


jahen

unread,
May 24, 2019, 8:12:26 AM5/24/19
to harbor-dev
Reply all
Reply to author
Forward
0 new messages