Update document for internal tls
As per issue goharbor/harbor#13745

Signed-off-by: DQ <dengq@vmware.com>
ninjadq committed Feb 1, 2021
1 parent bcd0b3f commit 0f27b30
Showing 2 changed files with 8 additions and 0 deletions.
7 changes: 7 additions & 0 deletions docs/administration/upgrade/roll-back-upgrade.md
Expand Up @@ -9,6 +9,13 @@ If, for any reason, you need to roll back to the previous version of Harbor, per
To roll back from an upgrade, you must have backed up the previous version of Harbor. For information about backing up Harbor before an upgrade, see [Upgrade Harbor and Migrate Data](_index.md).
{{< /note >}}

{{< note >}}
Because Harbor 2.2 is compiled by Golang 1.15, you must generate the internal certificates again, using command like this `docker run -v /:/hostfs goharbor/prepare:v2.2.0 gencert -p /path/to/internal/tls/cert
` if you enabled internal TLS and cert files are generated by harbor prepare script. The certs generated by old version prepare script didn't include the SAN extension. If the certs file is managed by yourself, please make the SAN is included, if not please check [Configure Internal TLS communication between Harbor Component

](../../install-config/configure-internal-tls.md) For more information about Go's break please refer [release note of Go 1.5](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151).
{{< /note >}}

1. Stop and remove the current Harbor service if it is still running.

```sh
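Review bot: The added note's markup is split across lines in two places and will not render as intended: the inline code span holding the `docker run -v /:/hostfs goharbor/prepare:v2.2.0 gencert -p /path/to/internal/tls/cert` command only closes its backtick on the following line, and the link text "Configure Internal TLS communication between Harbor Component" is separated from its `](../../install-config/configure-internal-tls.md)` target by a blank line. Suggest moving the command into its own fenced block and keeping the link on a single line. The link text "release note of Go 1.5" should read Go 1.15, matching both the `go1.15#commonname` URL and the "Golang 1.15" at the start of the note, and "please make the SAN is included" is missing "sure". The note also does not say whether the path after `-p` is a host path or a path under `/hostfs`, which matters because the command mounts the host root with `-v /:/hostfs`.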
1 change: 1 addition & 0 deletions docs/install-config/configure-internal-tls.md
Expand Up @@ -17,6 +17,7 @@ Besides, a user can also provide the certs for all components. However, there ar

* First, all certs must be signed by a single unique CA
* Second, the filename of the internal cert and `CN` field on cert file must follow the convention listed below'
* Third, because the self signed certificate without SAN was deprecated in Golang 1.5. For more information please refer to [golang 1.5 release notes](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151). As a result, you MUST add the SAN extension to your cert files when generating certs by yourself. Or the harbor instance will not start up normally. The `DNS` name in `SAN` extertion should the same as `CN` field.

|name|usage|CN|
|---|---|---|
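Review bot: The added third bullet says certificates without SAN were "deprecated in Golang 1.5" and labels the link "golang 1.5 release notes", but the URL is `go1.15#commonname`, so both should read 1.15. The bullet also opens with a "because" clause that never completes, spells "extension" as "extertion", and "should the same as" is missing "be". Suggested wording for the requirement: "You MUST add the SAN extension when generating certs yourself, otherwise the Harbor instance will not start. The `DNS` name in the `SAN` extension should be the same as the `CN` field."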