containerd with a Harbor registry that uses a self-signed certificate fails with x509: certificate signed by unknown authority

Original
2023/12/21 09:20

    Error message:

root@workstation-alg-test:/etc/containerd# ctr images pull ecr.harbor.com/lift/lift-baseapi-system:dev_6
INFO[0000] trying next host                              error="failed to do request: Head \"https://ecr.harbor.com/v2/lift/lift-baseapi-system/manifests/dev_6\": x509: certificate signed by unknown authority" host=ecr.harbor.com
ctr: failed to resolve reference "ecr.harbor.com/lift/lift-baseapi-system:dev_6": failed to do request: Head "https://ecr.harbor.com/v2/lift/lift-baseapi-system/manifests/dev_6": x509: certificate signed by unknown authority

    Fix that did not work:

containerd config default > /etc/containerd/config.toml
vim /etc/containerd/config.toml

[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = ""

  [plugins."io.containerd.grpc.v1.cri".registry.auths]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
      
    [plugins."io.containerd.grpc.v1.cri".registry.configs."ecr.harbor.com".tls] #### Harbor registry address (IP/domain + port)
      insecure_skip_verify = true  ### skip certificate verification (if this is not set, the Harbor certificate must be used)
      ################
      ca_file = "/etc/containerd/certs.d/ecr.harbor.com/ca.crt" # CA certificate
      cert_file = "/etc/containerd/certs.d/ecr.harbor.com/ecr.harbor.com.cert" # Harbor certificate
      key_file = "/etc/containerd/certs.d/ecr.harbor.com/ecr.harbor.com.key" # private key

    [plugins."io.containerd.grpc.v1.cri".registry.configs."ecr.harbor.com".auth] #### Harbor registry address (IP/domain + port)
      username = "admin"   ### Harbor login username
      password = "Harbor12345"   ### Harbor login password

  [plugins."io.containerd.grpc.v1.cri".registry.headers]

  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."ecr.harbor.com"] #### Harbor registry address (IP/domain + port)
      endpoint = ["http://ecr.harbor.com:443"] ### Harbor registry address


systemctl daemon-reload && systemctl restart containerd.service

    Fixes that worked:

        1. If you can change the command, use the following:

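# Add the -k flag to the ctr command (-k skips TLS certificate verification)
ctr images pull -k ecr.harbor.com/lift/lift-baseapi-system:dev_6
# Add the --insecure-registry flag to the nerdctl command (also skips certificate verification)
nerdctl  login ecr.harbor.com:443 -u admin -p Harbor123  --insecure-registry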

        2. If you cannot change the command, obtain Harbor's CA certificate (ca.crt), then on Ubuntu and Debian-derived distributions run:

sudo cp ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

    On CentOS, Fedora and RedHat distributions run:

cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

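    After running these commands, reboot the machine (restarting the service may not take effect, so it is simpler to just reboot), and Harbor can then be used normally.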
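
Before copying ca.crt into the trust store, it helps to confirm that the file really is the CA that signed the certificate Harbor serves. The script below is an added example, not part of the original post; it goes slightly beyond the steps above by also checking the SAN entry. `check_registry_ca` and `make_demo_pki` are names made up here, the demo certificates are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight check for a registry CA file before it is copied
# into the system trust store. Function names are this example's own.

# check_registry_ca CA_FILE SERVER_CERT HOSTNAME -> 0 if usable, else 2..6
check_registry_ca() {
    ca=$1; leaf=$2; host=$3
    # update-ca-certificates only imports PEM files whose name ends in .crt
    case "$ca" in *.crt) ;; *) echo "CA file name must end in .crt" >&2; return 2 ;; esac
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" ||
        { echo "CA file is not PEM encoded" >&2; return 3; }
    # It must be the CA certificate, not the registry's own server certificate
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' ||
        { echo "file is not a CA certificate" >&2; return 4; }
    # The certificate the registry presents must chain to this CA
    openssl verify -CAfile "$ca" "$leaf" 2>/dev/null | grep -q ': OK$' ||
        { echo "server certificate is not signed by this CA" >&2; return 5; }
    # Go clients such as containerd match the host against SAN entries only
    openssl x509 -in "$leaf" -noout -text | grep -q 'Subject Alternative Name' &&
        openssl x509 -in "$leaf" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "server certificate has no SAN matching $host" >&2; return 6; }
    return 0
}

# make_demo_pki DIR: build a constructed CA and server certificate for testing
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Demo CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=ecr.harbor.com' \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:ecr.harbor.com\n' > "$d/san.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/srv.crt" 2>/dev/null
}
```

On a real host, pass Harbor's ca.crt, the certificate file the registry serves, and the registry host name; a zero exit status means the CA file is the right one to install.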
