# Configuring Harbor with a Public SSL Certificate

## 1. Register the Harbor Public SSL Certificate

### 1. Change the hosts file. <a href="#fb56e845-1c80-4b7a-8d41-52e269a4511b" id="fb56e845-1c80-4b7a-8d41-52e269a4511b"></a>

```sh
vi /etc/hosts

[IP] Certificate domain
[IP] Certificate domain
```

### 2. Locate the harbor docker-compose.yml file. <a href="#da486126-6f83-4eaf-9346-248c4a1ba7db" id="da486126-6f83-4eaf-9346-248c4a1ba7db"></a>

```bash
$ sudo find / -name 'docker-compose.yml'
cocktail@priv-registry:~$ sudo find / -name 'docker-compose.yml'
/var/lib/cubectl/harbor/docker-compose.yml
cocktail@priv-registry:~$
```

### 3. Modify the domain of the Harbor certificate. <a href="#c1684ece-e476-4694-a5db-7ac9786fc45c" id="c1684ece-e476-4694-a5db-7ac9786fc45c"></a>

```bash
$ cd /var/lib/cubectl/harbor/common/config/core
$ vi env

# AS-IS
EXT_ENDPOINT=https://10.1.1.50
# TO-BE (the connection address; example below)
EXT_ENDPOINT=https://harbor.cocktailcloud.io
```

### 4. Verify the location of the Harbor certificate. <a href="#b3bae97e-573b-42c9-b9fc-4ddebcb51739" id="b3bae97e-573b-42c9-b9fc-4ddebcb51739"></a>

```bash
# Run this in the directory that contains the docker-compose.yml found in step 2.
grep -A 20 'nginx-photon' docker-compose.yml
# Check the cert directory in the volumes below.
volumes:
    - ./common/config/nginx:/etc/nginx:z
    - /data/harbor/secret/cert:/etc/cert:z
    - type: bind
      source: ./common/config/shared/trust-certificates
      target: /harbor_cust_cert
```

### 5. Replace the certificate with the public SSL certificate. <a href="#c66aed65-513a-46d5-b137-babbb099c034" id="c66aed65-513a-46d5-b137-babbb099c034"></a>

```bash
$ cd /app/data/harbor/secret/cert
$ ls -lrt
-rw------- 1 10000 10000 5055 Apr 11 11:10 server.crt
-rw------- 1 10000 10000 1679 Apr 11 11:11 server.key

# Back up the existing certificate and key.
$ sudo cp server.crt old_server.crt
$ sudo cp server.key old_server.key

# Replace the file contents with the issued certificate.
# (The certificate files must be owned by 10000:10000.)
# (Use the PEM-format file for Nginx, e.g. Wildcard.k-paas.io_pem.pem)
$ sudo tee /app/data/harbor/secret/cert/server.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIGSDCCBTCgAwIBAgIMD/LYBjs
... (Skip)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIET
... (Skip)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (Skip)
-----END CERTIFICATE-----
EOF

# Redirect tee's output so the private key is not echoed to the terminal.
$ sudo tee /app/data/harbor/secret/cert/server.key > /dev/null <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIEpAI....(Skip)
-----END RSA PRIVATE KEY-----
EOF
```
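Before restarting Harbor, the replaced files can be checked for problems that `nginx -t` does not report, such as a certificate that does not cover the `EXT_ENDPOINT` host name or has already expired. The script below is an added example, not part of the original guide; it assumes the `openssl` CLI is installed, and the function name `check_harbor_cert` is hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Requires the openssl CLI.
# check_harbor_cert CERT KEY HOST -> returns 0 only if every check passes.
check_harbor_cert() {
  local crt="$1" key="$2" host="$3" rc=0 cert_pub key_pub n

  # 1. The private key must belong to the FIRST certificate in the file.
  #    nginx serves the first PEM block as the server certificate, so this
  #    also catches a bundle pasted with an intermediate before the leaf.
  #    Only public keys are compared; the private key is never printed.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || true
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "OK   key matches first certificate"
  else
    echo "FAIL key does not match first certificate"; rc=1
  fi

  # 2. The certificate must cover the host name used in EXT_ENDPOINT
  #    (wildcard names are honoured by -checkhost).
  if openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
       grep -q 'does match certificate'; then
    echo "OK   certificate covers $host"
  else
    echo "FAIL certificate does not cover $host"; rc=1
  fi

  # 3. The certificate must not be expired (-checkend 0 = "valid right now").
  if openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
    echo "OK   certificate is not expired"
  else
    echo "FAIL certificate is expired or unreadable"; rc=1
  fi

  # 4. Informational: a public CA certificate normally ships with
  #    intermediates, so more than one block is expected in server.crt.
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null) || true
  echo "INFO ${n:-0} certificate block(s) in $crt"
  return "$rc"
}

# Example call on the Harbor host, using the paths and host name from steps 3 and 5:
#   check_harbor_cert /app/data/harbor/secret/cert/server.crt \
#                     /app/data/harbor/secret/cert/server.key harbor.cocktailcloud.io
```

Because the files are mode 0600 and owned by 10000, run the function from a root shell.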

### 6. Confirm that the SSL certificate is correctly configured in Nginx. <a href="#id-5677b14f-cb6c-4abc-9366-8a07a1f6b0d4" id="id-5677b14f-cb6c-4abc-9366-8a07a1f6b0d4"></a>

```bash
$ docker exec -it nginx nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

$ sudo docker exec -it redis redis-cli FLUSHALL
OK
```

### 7. Restart Harbor. <a href="#bbb32856-50cc-45bb-a8c9-d122072d22e0" id="bbb32856-50cc-45bb-a8c9-d122072d22e0"></a>

```bash
# Use the docker-compose.yml path confirmed above.

# Stop Harbor
sudo docker compose -f /var/lib/cubectl/harbor/docker-compose.yml down -v

# Start Harbor
sudo docker compose -f /var/lib/cubectl/harbor/docker-compose.yml up -d
# Or (cube 5.2.5)
sudo systemctl restart cube-harbor
```

### 8. Verify the connection. <a href="#id-926b36c4-f545-4bfb-82af-9570665f7383" id="id-926b36c4-f545-4bfb-82af-9570665f7383"></a>

![](https://2500958789-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwqxTfA9RA1lGrfzU2Oaz%2Fuploads%2FcFH7UPN9uQ0xgZQOVys0%2FUntitled.png?alt=media\&token=f2a58a55-f0c1-4c39-9a17-9d8fdd60782c)

### 9. Create a directory with the domain name in the /etc/containerd/certs.d directory on all nodes. <a href="#id-1e6b12b5-7d19-4f31-a121-e7214b88edbb" id="id-1e6b12b5-7d19-4f31-a121-e7214b88edbb"></a>

```bash
$ cd /etc/containerd/certs.d
$ cp -r 172.25.1.172 paas-regi.cocktailcloud.io
```

### 10. In the hosts.toml file of all directories in /etc/containerd/certs.d, change the part with an IP to the domain. <a href="#id-8a898313-c9f7-4ed4-9093-8f76b69d10d3" id="id-8a898313-c9f7-4ed4-9093-8f76b69d10d3"></a>

```bash
$ cd /etc/containerd/certs.d/docker.io
$ vi hosts.toml

## Before the changes
server = "https://docker.io"

[host."https://172.25.1.172/v2/docker.io/"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/docker/certs.d/172.25.1.172/ca.crt"
  override_path = true
----------------------------------------------------------

## After the changes
server = "https://docker.io"

[host."https://paas-regi.cocktailcloud.io/v2/docker.io/"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/docker/certs.d/paas-regi.cocktailcloud.io/ca.crt"
  override_path = true
```

### 11. Copy the directory with the IP in /etc/docker/certs.d to the domain. <a href="#id-0681aa71-0bdb-4a97-8fcd-e0804218c492" id="id-0681aa71-0bdb-4a97-8fcd-e0804218c492"></a>

```bash
$ cd /etc/docker/certs.d
$ cp -r 172.25.1.172 paas-regi.cocktailcloud.io
```
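Steps 9 to 11 have to be repeated on every node, so scripting them avoids a directory name that does not match the `ca` path written into `hosts.toml`, which would make image pulls fail TLS verification. This is an added example, not part of the original guide; the function names and argument order are assumptions, and both `certs.d` roots are passed in so it can be tried on a copy first.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): steps 9-11 for one node.
# Assumed arguments:
#   $1 containerd certs.d root (e.g. /etc/containerd/certs.d)
#   $2 docker certs.d root     (e.g. /etc/docker/certs.d)
#   $3 old registry IP         $4 new registry domain
migrate_registry_host() {
  local cdir="$1" ddir="$2" ip="$3" domain="$4" root f esc
  # Steps 9 and 11: copy the IP-named directory to a domain-named one.
  for root in "$cdir" "$ddir"; do
    [ -d "$root/$ip" ] || { echo "missing $root/$ip" >&2; return 1; }
    [ -e "$root/$domain" ] || cp -r "$root/$ip" "$root/$domain"
  done
  # Step 10: rewrite every hosts.toml; sed leaves hosts.toml.bak beside
  # each file so the change can be rolled back.
  esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # match the dots literally
  for f in "$cdir"/*/hosts.toml; do
    [ -f "$f" ] || continue
    sed -i.bak "s/$esc/$domain/g" "$f"
  done
}

# verify_registry_host CERTS_D_ROOT OLD_IP
# Returns 0 only if no hosts.toml still names the IP and every file
# referenced by a ca = "..." line exists (paths without spaces assumed).
verify_registry_host() {
  local cdir="$1" ip="$2" rc=0 f ca
  for f in "$cdir"/*/hosts.toml; do
    [ -f "$f" ] || continue
    if grep -qF "$ip" "$f"; then
      echo "FAIL $f still references $ip"; rc=1
    fi
    for ca in $(sed -n 's/^[[:space:]]*ca[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$f"); do
      [ -f "$ca" ] || { echo "FAIL $f: CA file $ca not found"; rc=1; }
    done
  done
  return "$rc"
}

# Example call with the values used on this page:
#   migrate_registry_host /etc/containerd/certs.d /etc/docker/certs.d \
#       172.25.1.172 paas-regi.cocktailcloud.io &&
#   verify_registry_host /etc/containerd/certs.d 172.25.1.172
```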

