Embedded Harbor login fails with certificate issue when using trusted CA signed certificate for Supervisor Cluster

Article ID: 336082
Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Login to the Harbor registry fails with an error message similar to:
x509: cannot validate certificate for ##.##.##.## because it doesn't contain any IP SANs
  • The vSphere Supervisor cluster is configured with a trusted CA-signed certificate for its VIP.
  • Harbor status is healthy and all Harbor pods are running successfully, but login to the Harbor UI or with the docker-vsphere-credential-helper fails.


Environment

VMware vCenter Server 7.0.x

Cause

Login to the Harbor registry fails with an error message such as 'x509: cannot validate certificate for ##.##.##.## because it doesn't contain any IP SANs'.
This happens because the vSphere Supervisor cluster is configured with a trusted CA-signed certificate for its VIP, and that certificate carries only DNS name(s) in its Subject Alternative Names, not the VIP's IP address. Harbor is configured to reach AuthProxy by the VIP's IP address, so the certificate check fails when Harbor contacts AuthProxy for user authentication.
Harbor status is healthy and all Harbor pods are running successfully, but login to the Harbor UI or with the docker-vsphere-credential-helper fails.
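The error text in the symptoms is the hostname-check message from Go's crypto/x509 package. The following added example (not part of this article) builds a throwaway certificate carrying only a DNS SAN, as the VIP certificate does, and runs Go's hostname check against a constructed VIP address and against the FQDN; the hostnames and IP are assumptions for illustration. It shows why a connection addressed to the VIP fails and why pointing the endpoints at the DNS name succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert builds a throwaway self-signed certificate carrying the given SANs
// (constructed test material, not a Supervisor Cluster certificate).
func newCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames, // the VIP certificate has DNS SANs only
		IPAddresses:  ips,      // nil reproduces "doesn't contain any IP SANs"
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameCheck matches endpointHost against a certificate whose only SAN is
// supervisor.example.test (assumed name); returns the x509 error text or "".
func HostnameCheck(endpointHost string) string {
	cert, err := newCert([]string{"supervisor.example.test"}, nil)
	if err != nil {
		return "setup: " + err.Error()
	}
	if err := cert.VerifyHostname(endpointHost); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	fmt.Printf("by VIP 192.0.2.10: %q\n", HostnameCheck("192.0.2.10"))                     // no IP SANs
	fmt.Printf("by FQDN supervisor.example.test: %q\n", HostnameCheck("supervisor.example.test")) // ""
}
```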

Resolution

This is a known issue with vCenter Server 7.0. Currently, there is no resolution. See the workaround section below.

Workaround:
To work around the issue, update the Harbor configuration manually to use the FQDN of the Supervisor Cluster instead of the VIP.
  1. Retrieve Harbor administrator credentials
    1. Log in to the Supervisor Cluster Control Plane VM using root credentials.
    2. Locate the registry controller namespace; it will be of the form vmware-system-registry-###
    3. Obtain the credentials from the secret `harbor-##-controller-registry`. The values in the secret are base64-encoded twice, so decode them twice:
[email protected] [ ~ ]# kubectl -n vmware-system-registry-# get secret harbor-#-controller-registry -o yaml
apiVersion: v1
data:
  harborAdminPassword: <encoded password>
  harborAdminUsername: <encoded username>
  harborPostgresPassword: <encoded password>
kind: Secret

# $harborAdminUsername and $harborAdminPassword hold the data values copied from the secret above
[email protected] [ ~ ]# echo "$harborAdminUsername" | base64 -d | base64 -d
adminxyz

[email protected] [ ~ ]# echo "$harborAdminPassword" | base64 -d | base64 -d
adminpassword
  2. Update Harbor configuration using its config API
    1. Obtain the Harbor IP address from the vCenter UI (Supervisor Cluster -> Configure -> Image Registry).
    2. From a location that can reach Harbor, use the Harbor configuration API to update the configs below, replacing the Supervisor Cluster VIP with its DNS name.
Config values:
http_authproxy_endpoint
http_authproxy_tokenreview_endpoint

Sample (-k skips TLS verification of the Harbor endpoint, -v prints the exchange for troubleshooting):

curl -H "Content-Type:application/json" -X PUT \
  -u <harbor_admin_username>:'<harbor_admin_password>' -kv \
  https://<harbor_ip>/api/configurations \
  -d '{"http_authproxy_endpoint":"https://<Supervisor_Cluster_DNS_name>/wcp/login",
       "http_authproxy_tokenreview_endpoint":"https://<Supervisor_Cluster_DNS_name>/wcp/tokenreview"}'

  3. Confirm the Harbor configuration was updated successfully
curl -H "Content-Type:application/json" -X GET \
  -u <harbor_admin_username>:'<harbor_admin_password>' -kv \
  https://<harbor_ip>/api/configurations