Update registry cert generation process

2025-06-29 13:35:57 -04:00 · 2025-06-29 13:35:57 -04:00 · 99008b4aa3
commit 99008b4aa3
parent e32e0bcfdd
1 changed files with 107 additions and 57 deletions
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -465,19 +465,68 @@ sudo mkdir -p /etc/ssl/registry
 YOUR_ACTUAL_IP=$(curl -4 -s ifconfig.me)
 echo "Your IP address is: $YOUR_ACTUAL_IP"

-# Generate self-signed certificate with actual IP in system directory
-sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=$YOUR_ACTUAL_IP"
+# Create OpenSSL configuration file with proper SANs
+sudo tee /etc/ssl/registry/openssl.conf << EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = State
+L = City
+O = Organization
+CN = $YOUR_ACTUAL_IP
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = $YOUR_ACTUAL_IP
+DNS.1 = $YOUR_ACTUAL_IP
+DNS.2 = localhost
+EOF
+
+# Generate self-signed certificate with proper SANs
+sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -extensions v3_req -config /etc/ssl/registry/openssl.conf

 # Set proper permissions
 sudo chmod 600 /etc/ssl/registry/registry.key
 sudo chmod 644 /etc/ssl/registry/registry.crt
+sudo chmod 644 /etc/ssl/registry/openssl.conf
 ```

-**Important**: The certificate is now generated in the system SSL directory `/etc/ssl/registry/` with your actual CI/CD Linode IP address automatically.
+**Important**: The certificate is now generated with proper Subject Alternative Names (SANs) including your IP address, which is required for TLS certificate validation by Docker and other clients.

 **Note**: The permissions are set to:
 - `registry.key`: `600` (owner read/write only) - private key must be secure
 - `registry.crt`: `644` (owner read/write, group/others read) - certificate can be read by services
+- `openssl.conf`: `644` (owner read/write, group/others read) - configuration file for reference
+
+#### 5.1.1 Configure Docker to Trust Harbor Registry
+
+```bash
+# Add the certificate to system CA certificates
+sudo cp /etc/ssl/registry/registry.crt /usr/local/share/ca-certificates/registry.crt
+sudo update-ca-certificates
+
+# Configure Docker to trust the Harbor registry
+sudo mkdir -p /etc/docker
+sudo tee /etc/docker/daemon.json << EOF
+{
+  "insecure-registries": ["YOUR_CI_CD_IP"],
+  "registry-mirrors": []
+}
+EOF
+
+# Restart Docker to apply the new configuration
+sudo systemctl restart docker
+```
+
+**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address. This configuration tells Docker to trust your Harbor registry and allows Docker login to work properly.

 #### 5.2 Generate Secure Passwords and Secrets

@ -730,78 +779,79 @@ Your Harbor registry is now configured with the following access model:
 - ✅ **Role-based access control**: Different user roles (admin, developer, guest)
 - ✅ **Audit logs**: Complete trail of all operations

-### Step 6: Configure Docker for Harbor Access
+### Step 6: Test Harbor Setup

-#### 6.1 Configure Docker for Harbor Access
+#### 6.1 Verify Harbor Installation

 ```bash
-# Copy the certificate to Docker's trusted certificates
-sudo cp /etc/ssl/registry/registry.crt /usr/local/share/ca-certificates/registry.crt
-sudo update-ca-certificates
+# Check if all Harbor containers are running
+cd /opt/APP_NAME/harbor
+docker compose ps

-# Configure Docker to trust Harbor registry
-sudo tee /etc/docker/daemon.json << EOF
-{
-  "insecure-registries": ["YOUR_CI_CD_IP"],
-  "registry-mirrors": []
-}
-EOF
+# Test Harbor API (HTTPS)
+curl -k https://localhost/api/v2.0/health
+
+# Test Harbor UI (HTTPS)
+curl -k -I https://localhost
+
+# Expected output: HTTP/1.1 200 OK
 ```

-**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address.
+**Important**: All Harbor services should show as "Up" in the `docker compose ps` output. The health check should return a JSON response indicating all services are healthy.

-#### 6.2 Restart Docker
+#### 6.2 Test Docker Login

 ```bash
+# Test Docker login to Harbor
+docker login YOUR_CI_CD_IP
+# Enter: ci-user and your-secure-password
+```
+
+**Expected output**: `Login Succeeded` message.
+
+**If you get certificate errors**: Make sure you've completed Step 5.1.1 (Configure Docker to Trust Harbor Registry) and restarted Docker.
+
+#### 6.3 Troubleshooting Common Issues
+
+**Certificate Issues**:
+```bash
+# If you get "tls: failed to verify certificate" errors:
+# 1. Verify certificate has proper SANs
+openssl x509 -in /etc/ssl/registry/registry.crt -text -noout | grep -A 5 "Subject Alternative Name"
+
+# 2. Regenerate certificate if SANs are missing
+sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -extensions v3_req -config /etc/ssl/registry/openssl.conf
+
+# 3. Restart Harbor and Docker
+cd /opt/APP_NAME/harbor && docker compose down && docker compose up -d
 sudo systemctl restart docker
 ```

-### Harbor Access Model
-
-Your Harbor registry is now configured with the following access model:
-
-#### **Public Read Access**
-Anyone can pull images from the APP_NAME project without authentication:
+**Connection Issues**:
 ```bash
-# From any machine (public access to APP_NAME project)
-docker pull YOUR_CI_CD_IP/APP_NAME/backend:latest
-docker pull YOUR_CI_CD_IP/APP_NAME/frontend:latest
+# If you get "connection refused" errors:
+# 1. Check if Harbor is running
+docker compose ps
+
+# 2. Check Harbor logs
+docker compose logs
+
+# 3. Verify ports are open
+netstat -tuln | grep -E ':(80|443)'
 ```

-#### **Authenticated Write Access**
-Only authenticated users can push images:
+**Docker Configuration Issues**:
 ```bash
-# Login to Harbor first
-docker login YOUR_CI_CD_IP
-# Enter: ci-user and your-secure-password
+# If Docker still can't connect after certificate fixes:
+# 1. Verify Docker daemon configuration
+cat /etc/docker/daemon.json

-# Then push to Harbor
-docker push YOUR_CI_CD_IP/APP_NAME/backend:latest
-docker push YOUR_CI_CD_IP/APP_NAME/frontend:latest
-```
+# 2. Check if certificate is in system CA store
+ls -la /usr/local/share/ca-certificates/registry.crt

-#### **Harbor Web UI Access**
-Modern web interface for managing images:
-```
-https://YOUR_CI_CD_IP
-```
-
-#### **Client Configuration**
-For other machines to pull images from the APP_NAME project, they only need:
-```bash
-# Add to /etc/docker/daemon.json on client machines
-{
-  "insecure-registries": ["YOUR_CI_CD_IP"]
-}
-# No authentication needed for pulls from APP_NAME project
-```
-
-#### **CI/CD Pipeline Configuration**
-For automated deployments, use the `ci-user` credentials:
-```bash
-# In CI/CD pipeline
-echo "ci-user:your-secure-password" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin
-docker push YOUR_CI_CD_IP/APP_NAME/backend:latest
+# 3. Update CA certificates and restart Docker
+sudo update-ca-certificates
+sudo systemctl restart docker
 ```

 ### Step 7: Set Up SSH for Production Communication