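#!/bin/bash
# Create a private CA plus a server certificate for a self-hosted Docker
# registry, then start registry:2 with TLS enabled.
# The certificate steps follow:
#   https://goharbor.io/docs/2.6.0/install-config/configure-https/
# Needs root: it writes under /etc/docker and restarts the Docker daemon.
set -euo pipefail

DOCKER_REGISTRY_ROOT=/data0/docker/registry
DOMAIN=example.host.com
REGISTRY_PORT=8443

# -p keeps a re-run from failing when the directory already exists.
mkdir -p -- "$DOCKER_REGISTRY_ROOT/certs"
cd -- "$DOCKER_REGISTRY_ROOT/certs"

# Private keys must never be group/world readable, not even briefly, so
# tighten the umask before any key is written; the public certificates are
# re-opened with chmod further down.
umask 077

# --- Private CA -------------------------------------------------------------
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
  -key ca.key \
  -out ca.crt

# --- Server key and signing request ----------------------------------------
openssl genrsa -out "$DOMAIN.key" 4096
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
  -key "$DOMAIN.key" \
  -out "$DOMAIN.csr"

# --- X.509 v3 extensions ----------------------------------------------------
# [alt_names] has to be a section header on its own line; otherwise the
# subjectAltName reference cannot be resolved. Clients match the registry
# host name against the SAN list, so every name used to reach the registry
# needs an entry here (DNS.2, DNS.3, ...).
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$DOMAIN
EOF

# --- Sign the server certificate with the CA --------------------------------
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in "$DOMAIN.csr" \
  -out "$DOMAIN.crt"

# Docker reads *.crt as CA certificates and *.cert as client certificates,
# hence the second copy with a .cert suffix.
openssl x509 -inform PEM -in "$DOMAIN.crt" -out "$DOMAIN.cert"

# Certificates are public material; only the keys stay at mode 0600.
chmod 644 ca.crt "$DOMAIN.crt" "$DOMAIN.cert"

# --- Make the local Docker daemon trust the CA ------------------------------
# Per-registry trust: the daemon verifies <host>:<port> against this CA, so
# TLS verification stays on for this registry.
install -d -m 755 "/etc/docker/certs.d/$DOMAIN:$REGISTRY_PORT"
install -m 644 ca.crt "/etc/docker/certs.d/$DOMAIN:$REGISTRY_PORT/ca.crt"

# --- Edit /etc/docker/daemon.json (manual step) -----------------------------
# The original notes use the content below. Every host listed under
# "insecure-registries" is contacted without certificate verification and may
# fall back to plain HTTP, so pushes and pulls to it can be intercepted or
# tampered with on the network. Keep that list as short as possible and move
# hosts to /etc/docker/certs.d/<host>:<port>/ca.crt once their CA is available.
#
# {
#   "data-root": "/data0/docker",
#   "insecure-registries": [
#     "harbor-htj.srv.yiran.com",
#     "harbor.htj.pdd.net",
#     "dst4-tenant-dev-1.host.pdd.net:8443"
#   ]
# }

systemctl restart docker

# --- Start the registry -----------------------------------------------------
# The certificate directory is mounted read-only because the registry only
# reads it. NOTE(review): ca.key sits in the same directory and is therefore
# visible inside the container; move the CA key to offline storage once the
# server certificate has been signed.
docker run -d \
  --restart=always \
  --name registry \
  -v "$DOCKER_REGISTRY_ROOT/certs:/certs:ro" \
  -v "$DOCKER_REGISTRY_ROOT/storage:/var/lib/registry" \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/$DOMAIN.crt" \
  -e "REGISTRY_HTTP_TLS_KEY=/certs/$DOMAIN.key" \
  -p "$REGISTRY_PORT:443" \
  registry:2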
Harbor docs | Configure HTTPS Access to Harbor
成功解决docker从本地私库push或pull镜像时报x509: certificate signed by unknown authority_迪 迦的博客-CSDN博客
部署docker registry_docker registry部署_zsy_1991的博客-CSDN博客
【Docker】Registry搭建私有仓库、证书认证、用户登录认证_docker registry_auth_dezasseis的博客-CSDN博客
Docker Registry 支持自建证书的Https访问_docker registry 开启https_无名小倍的博客-CSDN博客