While attempting to build a clone of a Harbor Registry Installation for testing an upgrade/migration, my new Debian 12 Docker installation was reporting Error response from daemon: Get "https://registry.local/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority which was stopping me from logging in and performing any push/pull of images.

The following steps worked for me, the issue will be the CA crt, but have included the other harbor lines...

CA & Harbor Certificates

  • mkdir /opt/harbor/certs
  • cd /opt/harbor/certs
  • openssl genrsa -out ca.key 4096
  • openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=London/L=London/O=myCompany/OU=Registry/CN=registry.local"  -key ca.key  -out ca.crt
  • openssl genrsa -out registry.local.key 4096
  • openssl req -sha512 -new -subj  "/C=CN/ST=London/L=London/O=myCompany/OU=Registry/CN=registry.local" -key registry.local.key -out registry.local.csr
  • cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=registry.local
EOF
  • openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in registry.local.csr -out registry.local.crt
  • openssl x509 -inform PEM -in registry.local.crt -out registry.local.cert
  • cd /etc/docker/certs.d/registry.local\:443/
  • Remove any existing certificate / keys from the folder.
  • cd /opt/harbor/certs
  • cp registry.local.cert /etc/docker/certs.d/registry.local\:443/
  • cp registry.local.key /etc/docker/certs.d/registry.local\:443/
  • cp ca.crt /etc/docker/certs.d/registry.local\:443/

Update CA Certificates

  • Save the cert to the file , like the command above (the port is crucial, no need for the protocol)Copy from above which will be in /etc/docker/certs.d/<registry>:<port>/ca.crt
  • copy it to /usr/local/share/ca-certificates/: sudo cp ca.crt /usr/local/share/ca-certificates/
  • run update-ca-certificates: sudo update-ca-certificates

Apply new certs:

  • cd /opt/registry/harbor/
  • ./prepare --with-trivy --with-clair

Update Docker Daemon to add an insecure registry (i.e. self signed).

  •  vi /etc/docker/daemon.json
{
  "insecure-registries" : ["registry.local:443"]
}

Restart Docker

  • systemctl restart docker
Check CERT Valid dates update in browser and check PEM matches...
  • openssl s_client -showcerts -connect registry.local:443 < /dev/null   | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
  • cat /opt/registry/certs/registry.local.cert
  • Certificates should match.

Docker Login

  • docker login registry.local