Update document for internal tls #172

Merged
4 changes: 4 additions & 0 deletions docs/administration/upgrade/roll-back-upgrade.md
Expand Up @@ -9,6 +9,10 @@ If, for any reason, you need to roll back to the previous version of Harbor, per
To roll back from an upgrade, you must have backed up the previous version of Harbor. For information about backing up Harbor before an upgrade, see [Upgrade Harbor and Migrate Data](_index.md).
{{< /note >}}

{{< note >}}
Harbor 2.2 is compiled by Golang 1.15 which deprecated self signed certificate without SAN. If you enabled internal TLS and cert files are generated by Harbor prepare script, you must generate the internal certificates again, using command like this `docker run -v /:/hostfs goharbor/prepare:v2.2.0 gencert -p /path/to/internal/tls/cert` The certs generated by the old version prepare script didn't include the SAN extension. If you manage the certs file, make the SAN is included, if not please check [Configure Internal TLS communication between Harbor Component](../../install-config/configure-internal-tls.md). For more information about Go's break please refer [release note of Go 1.5](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151).
{{< /note >}}

1. Stop and remove the current Harbor service if it is still running.

```sh
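Review bot: In the added note, the link text "release note of Go 1.5" contradicts both its own target (`go1.15#commonname`) and the note's first sentence, which says Golang 1.15; change the link text to "Go 1.15". "make the SAN is included" should read "make sure the SAN is included", and the inline `docker run ... gencert -p /path/to/internal/tls/cert` runs straight into "The certs generated" with no period, so end the sentence there or put the command on its own line. Because the command mounts `/` at `/hostfs`, state whether the `-p` argument is a host path. The note is about certificates after moving to 2.2, yet this file is the roll-back page; consider repeating it on the upgrade page ([Upgrade Harbor and Migrate Data](_index.md)) so operators see it before the upgrade rather than during a roll-back.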
1 change: 1 addition & 0 deletions docs/install-config/configure-internal-tls.md
Expand Up @@ -17,6 +17,7 @@ Besides, a user can also provide the certs for all components. However, there ar

* First, all certs must be signed by a single unique CA
* Second, the filename of the internal cert and `CN` field on cert file must follow the convention listed below'
* Third, because the self signed certificate without SAN was deprecated in Golang 1.5, you must add the SAN extension to your cert files when generating certs by yourself or the Harbor instance will not start up normally. The DNS name in SAN extension should the same as CN field in the table below. For more information please refer to [golang 1.5 release notes](https://golang.org/doc/go1.15#commonname) and [this issue](https://github.com/golang/go/issues/24151).

|name|usage|CN|
|---|---|---|
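Review bot: The new third bullet says the behaviour "was deprecated in Golang 1.5" and labels the link "golang 1.5 release notes", but the URL is `go1.15#commonname`; both should say 1.15. "should the same as CN field" is missing "be". "will not start up normally" gives an operator nothing to search for, so consider naming the failure they will actually see when a cert lacks the SAN extension. While touching this list, the bullet just above ends with a stray `'` after "listed below".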