diff --git a/docs/administration/upgrade/roll-back-upgrade.md b/docs/administration/upgrade/roll-back-upgrade.md index c84c3d7ad..ed0de326d 100644 --- a/docs/administration/upgrade/roll-back-upgrade.md +++ b/docs/administration/upgrade/roll-back-upgrade.md @@ -9,6 +9,10 @@ If, for any reason, you need to roll back to the previous version of Harbor, per To roll back from an upgrade, you must have backed up the previous version of Harbor. For information about backing up Harbor before an upgrade, see [Upgrade Harbor and Migrate Data](_index.md). {{< /note >}} +{{< note >}} +Harbor 2.2 is compiled by Golang 1.15 which deprecated self signed certificate without SAN. If you enabled internal TLS and cert files are generated by Harbor prepare script, you must generate the internal certificates again, using command like this `docker run -v /:/hostfs goharbor/prepare:v2.2.0 gencert -p /path/to/internal/tls/cert` The certs generated by the old version prepare script didn't include the SAN extension. If you manage the certs file, make the SAN is included, if not please check [Configure Internal TLS communication between Harbor Component](../../install-config/configure-internal-tls.md). For more information about Go's break please refer [release note of Go 1.5](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151). +{{< /note >}} + 1. Stop and remove the current Harbor service if it is still running. ```sh diff --git a/docs/install-config/configure-internal-tls.md b/docs/install-config/configure-internal-tls.md index 903a90c73..6e538e1d3 100644 --- a/docs/install-config/configure-internal-tls.md +++ b/docs/install-config/configure-internal-tls.md 
@@ -17,6 +17,7 @@ Besides, a user can also provide the certs for all components. However, there ar * First, all certs must be signed by a single unique CA * Second, the filename of the internal cert and `CN` field on cert file must follow the convention listed below' +* Third, because the self signed certificate without SAN was deprecated in Golang 1.5, you must add the SAN extension to your cert files when generating certs by yourself or the Harbor instance will not start up normally. The DNS name in SAN extension should the same as CN field in the table below. For more information please refer to [golang 1.5 release notes](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151). |name|usage|CN| |---|---|---|
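Review bot: In the note added to docs/administration/upgrade/roll-back-upgrade.md, the link text "release note of Go 1.5" contradicts both the opening sentence ("Golang 1.15") and the URL it points to (go1.15#commonname); it should read "Go 1.15 release notes". The phrase "deprecated self signed certificate without SAN" is also narrower than the linked change: Go 1.15 stopped treating the CommonName as a host name when no SAN is present, and that applies to CA-signed certificates as well, so something like "no longer accepts certificates that rely on CN without a SAN extension" would be more accurate. "make the SAN is included" should be "make sure the SAN extension is included", and "Go's break" reads better as "this breaking change in Go". The `docker run ... gencert` command is long enough to deserve its own fenced `sh` block, matching the steps below it. Finally, this text sits on the roll-back page but describes a step needed when moving to 2.2, so please confirm it belongs here rather than on the upgrade page, or add a sentence saying when during a rollback it applies.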
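Review bot: In the third bullet added to docs/install-config/configure-internal-tls.md, "deprecated in Golang 1.5" and the link text "golang 1.5 release notes" both give the wrong version; the URL targets go1.15#commonname, so both should say 1.15. "self signed certificate" conflicts with the first bullet, which requires all certs to be signed by a single CA; the requirement is simply that every internal cert carries a SAN extension. "The DNS name in SAN extension should the same as CN field" is missing "be", and since a mismatch keeps Harbor from starting, "must be the same as the CN field" is the safer wording. "will not start up normally" would help operators more if it named the symptom they will see, for example a TLS verification failure between components.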