goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs #17502

Closed l1douhua closed 1 year ago

l1douhua commented 2 years ago

I'm having trouble logging in

nerdctl login -u admin -p Harbor12345 https://xxxx:30003
WARN[0000] WARNING! Using --password via the CLI is insecure. Use --password-stdin.
ERRO[0000] failed to call tryLoginWithRegHost error="failed to call rh.Client.Do: Get \"https://xxxx:30003/v2/\": x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs" i=0
FATA[0000] failed to call rh.Client.Do: Get "https://xxxx:30003/v2/": x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs

I'm using the following versions of the tools: containerd 1.64, kubernetes 1.24, harbor-helm 2.3.5, chart 1.7.5

Can anyone help me with this?

l1douhua commented 2 years ago

I tried configuring it by following the official website, but it doesn't seem to work for containerd

Configure HTTPS Access to Harbor https://goharbor.io/docs/2.6.0/install-config/configure-https/

l1douhua commented 2 years ago

Use this parameter when logging in to log in successfully: --insecure-registry

l1douhua commented 2 years ago

But there is a new problem. The problem is that if I use it directly in the pod, I can pull the image directly, but not in the Dockerfile

nerdctl pull --insecure-registry xxxx:30003/zikayou/serverjre:v1
time="2022-09-06T11:00:27Z" level=warning msg="skipping verifying HTTPS certs for "xxxx:30003""
xxxx:30003/zikayou/serverjre:v1: resolving |--------------------------------------|
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
xxxx:30003/zikayou/serverjre:v1: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:735c9e6406bc633a27735f93ae23b61b5a801d66010a3cce570938ca2331cc88: waiting |--------------------------------------|
elapsed: 0.2 s total: 0.0 B (0.0 B/s)

nerdctl build --insecure-registry -t xxxx:30003/zikayou/springboot-demo:v0.0.4 .
Dockerfile:1

1 | >>> FROM xxxx:30003/zikayou/serverjre:v1
2 | RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
3 | ADD target/springboot-demo-0.0.1-SNAPSHOT.jar /springboot-demo-0.0.1-SNAPSHOT.jar

error: failed to solve: xxxx:30003/zikayou/serverjre:v1: failed to do request: Head "https://xxxx:30003/v2/zikayou/serverjre/manifests/v1": x509: cannot validate certificate for xxxx because it doesn't contain any IP SANs
time="2022-09-06T11:00:36Z" level=fatal msg="unrecognized image format"

QiuToo commented 2 years ago

This is because containerd does not support self-signed certificates

chlins commented 2 years ago

Please refer to nerdctl TLS related configuration.

github-actions[bot] commented 1 year ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] commented 1 year ago

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.