Is there any alternative method when remote certificate verification uses a self-signed CA?


jahen

May 24, 2019, 7:12:24 AM
to harbor-dev
I have deployed two harbor registries for testing: harbor1 at IP 35.243.92.40 and harbor2 at IP 34.80.154.130.

For each harbor registry, I have configured HTTPS using a self-signed CA, as below, and docker login 34.80.154.130 is OK now.


I configured harbor2 in harbor1's registries management, as below.

I know it says the self-signed certificate is not suitable for it, but security of verifying before replication is very important in my distributed application scenario.

In my opinion, the self-signed certificate may be untrustworthy to other people, but it should be trustworthy to each self-controlled harbor registry. So, is there any alternative method when remote certificate verification uses a self-signed CA?

jahen

May 24, 2019, 7:55:10 AM
to harbor-dev
In my practice, I configured the self-signed CA into the system (Ubuntu 18.10) of each harbor registry. I found a confusing point, a '400 bad request', as below.
I think it may be an internal mistake, maybe at nginx or some other place.

And it's OK without remote certificate verification.



I have done these steps:
1. I used the online installer approach to install harbor on each node and configure HTTPS.
In the process, I generated a common self-signed CA (ca.key and ca.crt) for generating the server certificate for the harbor HTTPS configuration.
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Harmonycloud/OU=Edgecompute/CN=35.243.92.40" \
    -key ca.key \
    -out ca.crt

2. Then, following the guide https://github.com/goharbor/harbor/blob/master/docs/configure_https.md, I configured HTTPS for each harbor: harbor1 (35.243.92.40) and harbor2 (34.80.154.130).
for harbor1(35.243.92.40):
# 1) Create your own Private Key:
openssl genrsa -out 35.243.92.40.key 4096

# 2) Generate a Certificate Signing Request:
openssl req -sha512 -new \
    -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Harmonycloud/OU=Edgecompute/CN=35.243.92.40" \
    -key 35.243.92.40.key \
    -out 35.243.92.40.csr

# 3) Generate the certificate of registry host:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1=35.243.92.40
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in 35.243.92.40.csr \
    -out 35.243.92.40.crt

# 4) Configure Server Certificate and Key for Harbor
sudo mkdir -p /data/cert/
sudo cp 35.243.92.40.crt /data/cert/
sudo cp 35.243.92.40.key /data/cert/

# 5) Configure Server Certificate, Key and CA for Docker
openssl x509 -inform PEM -in 35.243.92.40.crt -out 35.243.92.40.cert

sudo mkdir -p /etc/docker/certs.d/35.243.92.40:443/
sudo cp 35.243.92.40.cert /etc/docker/certs.d/35.243.92.40:443/
sudo cp 35.243.92.40.key /etc/docker/certs.d/35.243.92.40:443/
sudo cp ca.crt /etc/docker/certs.d/35.243.92.40:443/

# 6) Configure Harbor
vim harbor.yml
# modify hostname: 35.243.92.40
# comment http
# uncomment https
# certificate: /data/cert/35.243.92.40.crt
# private_key: /data/cert/35.243.92.40.key

# Generate configuration files for Harbor
./prepare

# 7) restart docker
sudo systemctl daemon-reload
sudo systemctl restart docker

# 8) put self-signed CA in system trust store
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
# 35.243.92.40.crt is the server (leaf) certificate issued above with basicConstraints CA:FALSE, not a CA certificate
sudo cp 35.243.92.40.crt /usr/local/share/ca-certificates/35.243.92.40.crt
sudo update-ca-certificates

# 9) setup
docker-compose up -d
It is the same for harbor2 (34.80.154.130).

3. Add harbor2's server CA into harbor1's system, and add harbor1's server CA into harbor2's system.
for harbor1(35.243.92.40):
sudo mkdir -p /etc/docker/certs.d/34.80.154.130:443/
# Docker treats a <name>.cert / <name>.key pair in this directory as a client certificate for mutual TLS;
# these two files are harbor2's server certificate and its private key, copied onto harbor1
sudo cp 34.80.154.130.cert /etc/docker/certs.d/34.80.154.130:443/
sudo cp 34.80.154.130.key /etc/docker/certs.d/34.80.154.130:443/
# *.crt files in this directory are the CA roots Docker trusts for this registry
sudo cp ca.crt /etc/docker/certs.d/34.80.154.130:443/

sudo cp 34.80.154.130.crt /usr/local/share/ca-certificates/34.80.154.130.crt
sudo update-ca-certificates

sudo docker-compose down -v
sudo docker-compose up -d

sudo systemctl daemon-reload
sudo systemctl restart docker

sudo docker login 34.80.154.130 #OK
It is the same for harbor2 (34.80.154.130).

4. This is the key step: in the Web UI operation, a 400 occurs. I don't know why.
Not a 401 Unauthorized, nor a 403 Forbidden.

My questions are:
1. Is it feasible to use a self-signed CA for remote certificate verification?
2. Why does a 400 bad request occur in the picture above?
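The steps above hinge on two checks that any TLS client, including the peer registry when "verify remote cert" is on, performs on the server certificate: does it chain to a CA in the client's trust store, and does its subjectAltName match the address that was dialled. The script below is an added example, not code from the original post or from the Harbor project. It mints a private CA and an IP-SAN server certificate the same way the post does, then runs both checks with `openssl verify`, including the negative case where the dialled IP is not in the SAN. The IP 192.0.2.10 (and 192.0.2.11 for the mismatch case), the subject names and all file paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or Harbor): build a private CA and
# an IP-SAN server cert, then run the two checks a remote TLS client performs:
#   1. chain validation against the CA it trusts
#   2. SAN match against the address it dialled
# Assumed values: IP 192.0.2.10 / 192.0.2.11 (documentation range) and $WORK paths.
set -eu

IP=192.0.2.10                 # assumed registry address the cert is issued for
OTHER_IP=192.0.2.11           # assumed address the cert is NOT issued for
WORK=${WORK:-$(mktemp -d)}    # assumed scratch directory

# Issue ca.crt (basicConstraints CA:TRUE, so it is a valid trust anchor) and
# server.crt (CA:FALSE, serverAuth, SAN = IP:$IP) signed by that CA.
make_certs() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Edge
CN = Example Edge Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Edge
CN = $IP
EOF
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -config "$WORK/server.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

  # Same extension set as the post's v3.ext: a leaf for serverAuth with an IP SAN.
  cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$IP
EOF
  openssl x509 -req -sha256 -days 825 -extfile "$WORK/v3.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: chain validation. Returns 0 only if cert $2 chains to an anchor in $1.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: name match. Returns 0 only if $2 chains to $1 AND its SAN lists IP $3.
verify_ip() { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

# Does the certificate carry basicConstraints CA:TRUE (i.e. is it a CA cert)?
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

make_certs
verify_chain "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt chains to ca.crt: OK"
verify_ip "$WORK/ca.crt" "$WORK/server.crt" "$IP" && echo "SAN matches $IP: OK"
verify_ip "$WORK/ca.crt" "$WORK/server.crt" "$OTHER_IP" || echo "SAN does not match $OTHER_IP: rejected"
is_ca "$WORK/server.crt" || echo "server.crt is CA:FALSE: a leaf, not a trust anchor"
```

Both checks pass only when the verifier holds ca.crt as a trust anchor and dials the exact IP listed in the SAN; a name mismatch fails with the same "IP address mismatch" error whether the CA is self-signed or public, so a private CA is not what breaks verification as long as the peer trusts it. The last line shows that the server certificate itself is a CA:FALSE leaf, which is why ca.crt, not 35.243.92.40.crt, is the file that carries the trust decision.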


jahen

May 24, 2019, 8:12:26 AM
to harbor-dev