x509: certificate relies on legacy Common Name field, use SANs instead #16971

yangyuliufeng opened this issue Jun 9, 2022 · 20 comments
@yangyuliufeng

Expected behavior and actual behavior:
I tried to log in to the harbor registry. However, containerd cannot log in to the harbor registry:

# nerdctl login reg.harbor.com 
Enter Username: admin
Enter Password: 
ERRO[0008] failed to call tryLoginWithRegHost            error="failed to call rh.Client.Do: Get \"https://reg.harbor.com/v2/\": x509: certificate relies on legacy Common Name field, use SANs instead" i=0
FATA[0008] failed to call rh.Client.Do: Get "https://reg.harbor.com/v2/": x509: certificate relies on legacy Common Name field, use SANs instead

Steps to reproduce the problem:
The steps to generate a Certificate Authority certificate for my harbor registry: https://goharbor.io/docs/2.5.0/install-config/configure-https/

Versions:
Please specify the versions of the following systems.

  • harbor version: [1.10.3]
  • containerd version: [1.5.8]
  • openssl version: [1.0.2]

Additional context:

  • Harbor config files: You can get them by packaging harbor.yml and the files in the same directory, including subdirectories.
  • Log files: You can get them by packaging /var/log/harbor/.
@zyyw
Contributor

zyyw commented Jun 13, 2022

@yangyuliufeng How do you install the harbor instance, offline installer or harbor-helm?

@zyyw
Contributor

zyyw commented Jun 13, 2022

btw, if this is the first time you are trying to use harbor, could you please try a newer version of harbor (2.4.x / 2.5.x)? Or can you please justify using harbor version 1.10.3?

@zyyw zyyw self-assigned this Jun 13, 2022
@wudidehuangtiandi

Error response from daemon: Get "https://harbor.ayyy.cn/v2/": x509: certificate relies on legacy Common Name field, use SANs instead

@louistwiice

louistwiice commented Jul 1, 2022

Hi Everyone. I have the same issue after installing Harbor. I have set the https. When trying to connect to docker I have the following error.

docker login <HARBOR_DOMAIN>
Error response from daemon: Get "<HARBOR_DOMAIN>": x509: certificate relies on legacy Common Name field, use SANs instead

My harbor version is 2.5.2. And I have used the offline installer

Could someone help me with that please?

@465730396

Hi Everyone. I have the same issue

@zyyw
Contributor

zyyw commented Jul 8, 2022

Hi @wudidehuangtiandi, @louistwiice, @465730396
Recently, I deployed harbor 2.5.1 through offline installer and provided the cert according to this doc:

And I can docker login successfully:

ubuntu@ubuntu-harbor:~/harbor-251/harbor$ docker login yourdomain.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /home/ubuntu/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

My openSSL version is:
OpenSSL 1.1.1f 31 Mar 2020

Could you guys please share your openSSL version with us? Could it possibly be due to the openSSL version?

@rrgadeev

cp ca.crt /etc/docker/certs.d/yourdomain.com/ - works for docker

(Debian/Ubuntu)
cp ca.crt /usr/local/share/ca-certificates/docker-ca.crt &&
update-ca-certificates

@github-actions

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Oct 23, 2022
@github-actions

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Nov 23, 2022
@nisiyong

@yangyuliufeng Try this; I met the same problem and used this approach to solve it.

{
    "insecure-registries" : [ "reg.harbor.com" ]
}

@Jugson

Jugson commented Mar 22, 2023

 "insecure-registries" : [ "reg.harbor.com" ]

More details please.

@bitbull06

@nisiyong @Jugson Setting (custom) registries as insecure in Docker is not a solution for this problem, but at most a workaround.
Regarding this issue, in spite of following https://goharbor.io/docs/2.8.0/install-config/configure-https/ for setup of SSL cert (especially with the x509 v3 extension file), Docker (from another machine, which trusts the CA of the Harbor certificate) still throws the error about legacy CN field and SANs. Any update from the team on this?

@ghost

ghost commented Sep 28, 2023

So, this problem has never been solved, right?

@MrAmbiG

MrAmbiG commented Nov 6, 2023

unsolved problem, yet.

@boostmachines

Apparently never solved, Feb 2024 and I'm having this exact issue. Can access Harbor via web without a problem. Using a Helm chart to install Harbor and configure TLS via values.yaml with TLS secret in my Rancher cluster namespace. Guess I'll continue to beat my head against the wall.

@mxchinegod

Same!

@fwx5618177

Try this.

Here are examples:

In your server:

#!/bin/bash
set -euo pipefail

# Host name or IP address clients use to reach the registry; it must match
# the SAN written into the certificate below.
HOST="x.x.x.x"
CERT_DIR=/data/cert
SUBJ_BASE="/C=CN/ST=Beijing/L=Beijing/O=GameSale/OU=Personal"

sudo mkdir -p "$CERT_DIR" /etc/ssl/private /etc/docker/certs.d/"$HOST" /etc/pki/ca-trust/source/anchors

echo "Remove old key and certificate files."
sudo rm -f "$CERT_DIR"/{ca,harbor}.{key,crt,csr,pem,cert,srl}
sudo rm -f /etc/ssl/private/harbor.{key,crt,cert,pem}
sudo rm -f /etc/ssl/certs/harbor.{crt,cert,pem}
sudo rm -f /etc/docker/certs.d/"$HOST"/ca.crt
sudo rm -f /etc/pki/ca-trust/source/anchors/harbor-ca.crt

echo "Generating the CA key and self-signed CA certificate"
# The CA gets its own key; the server key below must not double as the CA key.
openssl genrsa -out "$CERT_DIR/ca.key" 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "$SUBJ_BASE/CN=harbor-ca" \
    -key "$CERT_DIR/ca.key" \
    -out "$CERT_DIR/ca.crt"

echo "Generating the server key and certificate request"
openssl genrsa -out "$CERT_DIR/harbor.key" 4096
openssl req -sha512 -new \
    -subj "$SUBJ_BASE/CN=$HOST" \
    -key "$CERT_DIR/harbor.key" \
    -out "$CERT_DIR/harbor.csr"

# The subjectAltName entry is what Go-based clients (docker, containerd,
# nerdctl) check; the CN alone is no longer accepted. Keep DNS.1 for a host
# name and IP.1 for an IP address.
cat > "$CERT_DIR/v3.ext" <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$HOST
IP.1=$HOST
EOF

# Sign the request with the CA. The output file is different from the CA
# file, so the CA certificate is not overwritten by the server certificate.
openssl x509 -req -sha512 -days 3650 \
    -extfile "$CERT_DIR/v3.ext" \
    -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
    -in "$CERT_DIR/harbor.csr" \
    -out "$CERT_DIR/harbor.crt"

# .cert copy for Docker, .pem copy for tools that expect that suffix
openssl x509 -inform PEM -in "$CERT_DIR/harbor.crt" -out "$CERT_DIR/harbor.cert"
openssl x509 -in "$CERT_DIR/harbor.crt" -out "$CERT_DIR/harbor.pem" -outform PEM

echo "Copy files."
# The server key stays in the private directory only; it is never copied into
# public certificate directories or into Docker's certs.d.
sudo cp "$CERT_DIR"/harbor.{crt,cert,pem,key} /etc/ssl/private/
sudo cp "$CERT_DIR"/harbor.{crt,cert,pem} /etc/ssl/certs/
# Docker on this host and the system trust store only need the CA certificate.
sudo cp "$CERT_DIR/ca.crt" /etc/docker/certs.d/"$HOST"/ca.crt
sudo cp "$CERT_DIR/ca.crt" /etc/pki/ca-trust/source/anchors/harbor-ca.crt

echo "Generated the CA and server certificates successfully."

echo "restart"

sudo update-ca-trust

sudo systemctl restart docker.service

cd /opt/harbor
./prepare

# docker-compose down -v
# docker-compose up -d

echo "end."

In your client:

echo "${{ env.CERTIFICATE }}" > harbor.crt
sudo mkdir -p /usr/local/share/ca-certificates/harbor
sudo mkdir -p /etc/docker/certs.d/${{ env.HARBOR_URL }}
sudo mkdir -p /usr/local/share/ca-certificates/extra
sudo mkdir -p /etc/ssl/certs
sudo cp harbor.crt /usr/local/share/ca-certificates/harbor/harbor.crt
sudo cp harbor.crt /etc/docker/certs.d/${{ env.HARBOR_URL }}/ca.crt
sudo cp harbor.crt /usr/local/share/ca-certificates/extra/harbor.crt
sudo cp harbor.crt /etc/ssl/certs/harbor.crt
sudo update-ca-certificates
sudo systemctl restart docker

echo $HARBOR_PASSWORD | docker login $HARBOR_URL --username $HARBOR_USERNAME --password-stdin
docker build -t $HARBOR_URL/$IMAGE_NAME:$VERSION .
docker push $HARBOR_URL/$IMAGE_NAME:$VERSION
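The error quoted throughout this thread comes from Go's crypto/x509 hostname check, which docker, containerd and nerdctl all rely on: since Go 1.15 a server certificate must carry the host in a subjectAltName extension, and a Common Name alone is rejected with exactly this message. The Go program below is an added illustration, not code from Harbor or from anyone in this thread. It builds a throwaway CA in memory, issues two server certificates for reg.harbor.com (a constructed name), one with the host only in the CN and one with a DNS SAN, and verifies each against the CA the way a registry client does. The CN-only certificate reproduces the error; the SAN certificate verifies. The IP branch in issueServerCert mirrors the IP.1 entry of v3.ext for registries addressed by IP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check aborts the demo on setup failures (key generation, signing, parsing).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates a P-256 key and signs tmpl with parentKey under parent;
// with parentKey == nil the template is self-signed with its own new key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parentKey == nil {
		parentKey = key
	}
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// makeCA builds a throwaway self-signed CA in memory (constructed for the demo).
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-harbor-ca"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return newCert(tmpl, tmpl, nil)
}

// issueServerCert signs a leaf for host. With withSAN=false the host lives
// only in the Common Name, which is what signing a CSR without v3.ext gives.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, withSAN bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		// An IP host needs an IP SAN (IP.1 in v3.ext); a name needs a DNS SAN (DNS.1).
		if ip := net.ParseIP(host); ip != nil {
			tmpl.IPAddresses = []net.IP{ip}
		} else {
			tmpl.DNSNames = []string{host}
		}
	}
	cert, _ := newCert(tmpl, ca, caKey)
	return cert
}

// verifyForHost does what docker/containerd do on connect: chain the leaf to
// the trusted CA and match host against the certificate's SANs. It returns
// the error text, or "" when the certificate is accepted.
func verifyForHost(leaf, ca *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error()
	}
	return ""
}

// demo issues a CN-only and a SAN certificate for host from one in-memory CA
// and returns the verification result for each.
func demo(host string) (cnOnlyErr, sanErr string) {
	ca, caKey := makeCA()
	cnOnly := issueServerCert(ca, caKey, host, false)
	withSAN := issueServerCert(ca, caKey, host, true)
	return verifyForHost(cnOnly, ca, host), verifyForHost(withSAN, ca, host)
}

func main() {
	cnOnlyErr, sanErr := demo("reg.harbor.com")
	fmt.Printf("CN-only certificate: %q\n", cnOnlyErr)
	fmt.Printf("SAN certificate:     %q\n", sanErr)
}
```

The same check applies to a certificate generated with openssl: setting insecure-registries or insecure_skip_verify only disables verifyForHost's equivalent inside the client, while re-issuing the server certificate with the SAN in v3.ext is what makes the check pass.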

@SpockIsCoding

still the same in April/2024

@fwx5618177

still the same in April/2024

You could read my reply. It would create a standard certificate.

@liuxx66

liuxx66 commented Sep 24, 2024

Try using config.toml; I use harbor v2.5.5.
[root@k8s-dashboard containerd]# grep -C 5 'harbor.liubxx.cn' config.toml

  [plugins."io.containerd.grpc.v1.cri".registry.auths]

  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.liubxx.cn".auth]
      username = "admin"
      password = "Java@123456"

    [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.liubxx.cn".tls]
      insecure_skip_verify = false
      ca_file = "/etc/containerd/certs.d/harbor.liubxx.cn/ca.crt"
      cert_file = "/etc/containerd/certs.d/harbor.liubxx.cn/harbor.liubxx.cn.cert"
      key_file = "/etc/containerd/certs.d/harbor.liubxx.cn/harbor.liubxx.cn.key"

    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.liubxx.cn"]
        endpoint = ["https://harbor.liubxx.cn"]

  [plugins."io.containerd.grpc.v1.cri".registry.headers]

[root@k8s-dashboard containerd]# nerdctl login https://harbor.liubxx.cn
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s-dashboard containerd]# nerdctl pull harbor.liubxx.cn/library/busybox:1294
harbor.liubxx.cn/library/busybox:1294: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:7ddd6b83e44b8f6e2f1fccace9562f5600b71e7717515ebd2131bdb94ad8634c: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:d59c675982d8692814ec9e1486d4c645cd86ad825ef33975a5db196cf2801592: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
