goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Trouble With SSL Cert #13102

Closed herter4171 closed 4 years ago

herter4171 commented 4 years ago

I'm working with a Harbor registry that was set up by a third-party contractor just before my arrival. The SSL certificate from GoDaddy expired a while ago, and I got to find out about it when my coworker couldn't pull images.

Anyway, the root of my problem is how to generate a CSR with all of the right stuff to make Harbor and Docker happy. The IT manager and I did our own CSR, but we didn't capture the x509 aspect and a few other things. The cert works fine with the web UI, but when trying to interact with Harbor through the Docker CLI, our current error is

x509: certificate signed by unknown authority

In looking at your docs at step 3 under "Generate a Server Certificate," we were missing the contents of that file. The file I generated based on those instructions is as follows.
[req]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[alt_names]
DNS.1=REDACTED

It had to have [req] and distinguished_name to not exit without error when generating a CSR, and naturally, the next step was running the following command to generate a CSR.

openssl req -sha512 -new -key harbor.key -out harbor.csr -config v3.ext -subj "REDACTED"

My basis for the -config v3.ext argument is from the second to last line here, and we also can't ask GoDaddy to use the -extfile v3.ext argument when signing the cert.

Anyway, the newly rekeyed cert from GoDaddy still gives the same x509 error, so I'm just kind of at a loss. Could I get some direction as to how I can properly generate a CSR for this context? Our alternative is paying like $6k for the original contractor to fix this mess that arose from their patchy docs.

herter4171 commented 4 years ago

Never mind. Figured out I need to put my *.crt and cert bundle in the same file. D'oh.
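The fix in the closing comment, shown in working code as an added example (this is not code from the issue, from the Harbor project or from Docker). It constructs a root, an intermediate and a server certificate with the hostname in subjectAltName, then runs the same crypto/x509 verification a Go-based Docker client performs: once against harbor.crt alone, which produces the "x509: certificate signed by unknown authority" error quoted above because the client has no path from the server certificate to the root it trusts, and once against harbor.crt with the intermediate bundle appended, which succeeds. The hostname harbor.example.test, the CA names and every function name here are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must turns a failure while building constructed demo material into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs template with parentKey; a nil parent means self-signed (the root).
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // constructed key
	if parent == nil {
		parent, parentKey = template, key
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// BuildChain constructs root -> intermediate -> leaf, the leaf carrying host in
// subjectAltName (the extension the v3.ext file from the Harbor docs adds). It
// returns the root the client trusts, the bare server certificate (harbor.crt),
// and harbor.crt with the intermediate appended, as `cat harbor.crt bundle.crt` gives.
func BuildChain(host string) (rootPEM, leafPEM, fullPEM []byte) {
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	root, rootKey := issue(ca(1, "Constructed Root CA"), nil, nil)
	inter, interKey := issue(ca(2, "Constructed Intermediate CA"), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // Go, and therefore Docker, matches hosts against SANs only
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return toPEM(root), toPEM(leaf), append(toPEM(leaf), toPEM(inter)...)
}

// VerifyServerFile is the check a Docker client performs on the file the registry
// serves: the first CERTIFICATE block is the leaf, later blocks are intermediates,
// and rootPEM is the trust anchor the client already holds.
func VerifyServerFile(serverPEM, rootPEM []byte, host string) error {
	var der []byte
	for block, rest := pem.Decode(serverPEM); block != nil; block, rest = pem.Decode(rest) {
		der = append(der, block.Bytes...)
	}
	certs, err := x509.ParseCertificates(der)
	if err != nil || len(certs) == 0 {
		return errors.New("server file holds no parseable certificate")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return errors.New("no usable root certificate")
	}
	for _, c := range certs[1:] {
		inters.AddCert(c) // extra blocks in the served file act as the intermediate bundle
	}
	_, err = certs[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// IsUnknownAuthority matches the "x509: certificate signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	host := "harbor.example.test" // constructed hostname
	rootPEM, leafPEM, fullPEM := BuildChain(host)
	fmt.Println("harbor.crt alone:      ", VerifyServerFile(leafPEM, rootPEM, host))
	fmt.Println("harbor.crt + CA bundle:", VerifyServerFile(fullPEM, rootPEM, host))
}
```

Order matters in the served file: the server certificate goes first and the bundle after it, and the root itself does not need to be in the file because the client already has it. On a live registry, `openssl s_client -connect <host>:443 -showcerts` shows exactly which certificates the server sends, so a missing intermediate is visible there before any docker pull is attempted.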